DIFFERENT TYPES OF VIRUSES I BET U KNOW ONLY A FEW OF THEM

Introduction
“Malware” is the collective term for programs, or parts of programs, that have a malicious (“mal”) or unpleasant effect on your computer security. It covers many terms you may have heard before, such as “Virus”, “Worm” and “Trojan”, and possibly a few you haven't, like “Rootkit”, “Logicbomb” and “Spyware”. This lesson will introduce, define and explain each of these subdivisions of malware, give examples, and describe some of the countermeasures that can be put in place to limit the problems caused by malware.
Viruses (Virii)
Introduction
Virus – this is the most common type of malware that people will be aware of. The reason that it is known as a virus, rather than anything else, is historical. The press ran the stories of the first computer virus at the same time as articles concerning the spread of AIDS. At the time, simple parallels could easily be drawn between the two: propagation through interaction with a contaminated party, reliance on a host, and the ultimate “death” of anything infected. This resulted, and occasionally still does, in concerns that people could become “infected” with a computer virus.
Description
Viruses (or virii) are self-replicating pieces of software that, like a biological virus, attach themselves to another program or, in the case of “macro viruses”, to another file. The virus only runs when that program or file is run or opened; this is what differentiates viruses from worms. If the program or file is not accessed in any way, the virus will not run and will not copy itself further. There are a number of types of viruses, although, significantly, the most common form today is the macro virus, and others, such as the boot sector virus, are now only found “in captivity”.
Boot Sector Viruses
The boot sector virus was the first type of virus created. It hides itself in the executable code at the beginning of bootable disks, so to infect a machine you needed to boot from an infected floppy disk. A long time ago (15 years or so) booting from floppy was a relatively regular occurrence, meaning that such viruses were quite widespread by the time people figured out what was happening. This virus (and all other types) should leave a signature which subsequent infection attempts detect, so as not to repeatedly infect the same target. It is this signature that allows other software (such as anti-virus software) to detect the infection.
The Executable File Virus
The executable file virus attaches itself to files such as .exe or .com files. Some viruses would specifically look for programs which were part of the operating system, and thus most likely to be run each time the computer was turned on, increasing their chances of successful propagation. There were a few ways of adding a virus to an executable file, some of which worked better than others. The simplest way (and the least subtle) was to overwrite the first part of the executable file with the virus code. This meant that the virus executed, but that the program would subsequently crash, leaving it quite obvious that there was an infection – especially if the file was an important system file.
The Terminate and Stay Resident (TSR) Virus
TSR is a term from DOS for an application that loads itself into memory and then remains there in the background, allowing the computer to run as normal in the foreground. The more complex of these viruses would intercept the system calls that would expose them and return false results; others would attach themselves to the 'dir' command and then infect every application in the directory that was listed – a few even stopped (or deleted) anti-virus software installed on the system.
The Polymorphic Virus
Early viruses were easy enough to detect. They had a certain signature to identify them, either within themselves as a method to prevent re-infection, or simply because they had a specific structure which it was possible to detect. Then along came the polymorphic virus (poly – meaning multiple, and morphic – meaning shape). These viruses change themselves each time they replicate, rearranging their code, changing their encryption and generally making themselves look totally different. This created a huge problem, as suddenly far less of the code stayed the same between copies – some of the “better” viruses were reduced to a detection signature of a few bytes. The problem grew with the release of a number of polymorphic kits into the virus-writing community, which allowed any virus to be recreated as a polymorph.
The Macro Virus
The macro virus makes use of the built-in ability of a number of programs to execute code. Programs such as Word and Excel have limited, but very powerful, versions of the Visual Basic programming language. This allows the automation of repetitive tasks and the automatic configuration of specific settings. These macro languages are misused to attach viral code to documents, which will automatically copy itself onto other documents and propagate. Although Microsoft has now turned the feature off by default on new installations, Outlook used to automatically execute certain code attached to e-mails as soon as they were read. This meant that viruses propagated very quickly by sending themselves to all of the e-mail addresses stored on the infected machine.


 LESSON 6 – MALWARE
statistics regarding your web surfing, or it might be your credit card number. Some pieces of spyware blow their cover by rather irritatingly popping up advertisements all over your desktop.


Anti-Virus
Anti-virus software is available in many commercial and Open Source versions. These all work following the same method: each has a database of known viruses and matches the signatures in it against the files on the system to see if there are any infections. Often though, with modern viruses, these signatures are very small, and there can be false positives – things that appear to be viruses but are not. Some virus scanners employ a technique known as heuristics, which means that they have a concept of what a virus “looks like” and can determine whether an unknown application matches these criteria. Recently anti-virus software has also crossed the boundary into host-based intrusion detection, by keeping a list of files and checksums in order to increase the speed of scanning.
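As an added illustration of the signature-versus-heuristics point above (example code written for this page, not part of the original lesson or of any real scanner), the script below scans constructed sample files against a toy signature database and a crude byte-entropy heuristic. The two-byte `MZ` signature is deliberately too short: it fires on the benign executable, which is exactly the false-positive problem the paragraph describes, while the entropy check flags random-looking (packed or encrypted) content that has no fixed signature at all.

```python
import math
from collections import Counter

# Constructed toy signature database (pattern bytes -> detection name).
# Real scanners use far richer rules; these values are made up for the demo.
SIGNATURES = {
    b"HELLO_I_AM_A_VIRUS_INFECTOR_v1": "Demo.FileInfector",  # long and specific
    b"MZ": "Demo.TooShort",  # two bytes: every DOS/Windows executable starts with MZ
}

def signature_scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return detection names for every signature found anywhere in data."""
    return [name for sig, name in signatures.items() if sig in data]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means random-looking (packed/encrypted) content."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def heuristic_scan(data: bytes, threshold: float = 7.0) -> list:
    """Very crude heuristic: flag high-entropy blobs as possibly packed."""
    return ["Heur.HighEntropy"] if shannon_entropy(data) > threshold else []

def scan_file(data: bytes) -> dict:
    return {"signature": signature_scan(data), "heuristic": heuristic_scan(data)}

# Constructed sample "files" (byte strings, not real programs).
SAMPLES = {
    "benign.exe": b"MZ" + b"\x90" * 200 + b"This program cannot be run in DOS mode.",
    "infected.exe": b"MZ" + b"\x00" * 50 + b"HELLO_I_AM_A_VIRUS_INFECTOR_v1",
    "random.bin": bytes(range(256)) * 4,  # uniform bytes: entropy exactly 8.0
    "text.txt": b"just a plain text file with nothing in it" * 3,
}

def scan_all(samples=SAMPLES) -> dict:
    """Scan every sample; benign.exe shows the short-signature false positive."""
    return {name: scan_file(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:14s} {result}")
```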
NIDS
Network intrusion detection is similar to anti-virus software. It looks for a particular signature or behavior from a worm or virus. It can then either alert the user, or automatically stop the network traffic carrying the malware.
HIDS
Host-based intrusion detection systems, such as Tripwire, are capable of detecting changes made to files. It is reasonable to expect that an application, once it is compiled, should not need to change, so watching various aspects of it, such as its size, last modification date and checksum, makes it instantly obvious that something is wrong.
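As an added example (not from the lesson and not Tripwire's own code), the script below implements the check the paragraph describes: it records the size, modification time and SHA-256 checksum of every file under a directory as a baseline, then re-checks the directory and reports what changed. The constructed scenario uses a temporary directory, overwrites one file to mimic the overwriting file infector described earlier, and drops a new file.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Minimal Tripwire-style integrity check (hypothetical, for illustration only).

def fingerprint(path: Path) -> dict:
    """Size, mtime and SHA-256 of one file: the attributes the lesson names."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest}

def build_baseline(root: Path) -> dict:
    """Snapshot every regular file below root, keyed by relative path."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_against(root: Path, baseline: dict) -> dict:
    """Compare the current state with the baseline; return only what changed."""
    current = build_baseline(root)
    changed = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            changed[name] = "missing"
        elif new["sha256"] != old["sha256"]:
            changed[name] = "content modified"
        elif new["size"] != old["size"] or new["mtime"] != old["mtime"]:
            changed[name] = "metadata changed"   # e.g. touched but same content
    for name in current.keys() - baseline.keys():
        changed[name] = "new file"
    return changed

def demo() -> dict:
    """Constructed scenario: baseline a fake bin directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ls").write_bytes(b"\x7fELF original ls")
        (root / "cat").write_bytes(b"\x7fELF original cat")
        baseline_json = json.dumps(build_baseline(root))  # store this offline
        # Simulate an overwriting file infector and a dropped file.
        (root / "ls").write_bytes(b"\x7fELF VIRUS ls")
        (root / "evil").write_bytes(b"payload")
        return check_against(root, json.loads(baseline_json))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored somewhere the monitored host cannot modify (read-only media or a separate machine), otherwise malware that alters a file can simply update its recorded checksum as well.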
Firewalls
Worms propagate across the network by connecting to vulnerable services on each host. Apart from ensuring that none of these vulnerable services are running, the next best thing is to ensure that your firewall does not allow connections to these services. Many modern firewalls will provide some form of packet filtering similar to a NIDS, which will rule out packets matching a certain signature. (Firewalls are discussed in more detail in section 7.1.2.)
Sandboxes
The concept of a sandbox is simple. Your application has its own little world to play in and can't do anything to the rest of your computer. This is implemented as standard in the Java programming language, and can also be implemented through other utilities such as chroot in Linux. This restricts the damage that any malware can do to the host operating system by simply denying it the access required. Another option is to run a full machine inside a machine using a virtual machine product such as VMWare. This isolates the virtual machine from the host operating system, only allowing access as defined by the user.
Example – http://www.vmware.com – VMWare virtual machines
Exercises:
1. Matching Game: Research each of the following sites and match it to the type of countermeasure it provides (NIDS, Antivirus, Firewalls, Sandboxes, HIDS):
   1. http://www.vmware.com
   2. http://www.tripwire.org
   3. http://www.snort.org
   4. http://www.checkpoint.com
   5. http://www.sophos.com
2. Research Spybot Search and Destroy and determine what type of malware it protects your computer against.
3. Research how NIDS and HIDS work.
4. Research firewall solutions on the net.
5. Look up “chroot” on the internet. Read about this type of “jail” or “sandbox”.
Reviewed by Shobhit Goel on August 27, 2015