VIRUSES Performance by Ing. Ana Cecilia Rodríguez Cepeda



Types of Viruses

• Computer viruses are often classified according to diverse criteria.

– Resident
– Direct Action
– Overwrite
– Boot
– Macro
– Directory
– Encrypted
– Polymorphic
– Multipartites
– File Infectors
– Companion
– FAT
– Worms
– Trojans
– Logic Bombs
– False Viruses


Virus, worms, Trojans and backdoors

• Along with viruses, there are three other types of damaging programs which are the bane of all computer users worldwide: Trojans, worms and backdoors.

• Although they have similar effects to viruses, these programs have clearly distinguishing characteristics.


VIRUS

• A virus is a program that can enter a computer in many different ways and can cause effects ranging from the simply annoying to the highly destructive. Viruses can enter computers through e-mail, the Internet, different types of disks, etc., and they have the following characteristics:

• They have the ability to reproduce by infecting other files and programs.

• When they are run, they are able to carry out a range of annoying or damaging actions in your computer.


• Computer viruses are called viruses due to their similarities with biological viruses.

• In the same way that biological viruses enter the body and infect cells, computer viruses get into computers and infect files.

• Both types of virus can reproduce themselves and spread, passing the infection from one infected system to another. Also, just as a biological virus is a micro-organism, computer viruses are micro-programs.


Worms

• A worm is a program very similar to a virus. It has the ability to self-replicate, and can lead to negative effects on your system. However, worms do not need to infect other files in order to reproduce.

• Worms, unlike viruses, simply replicate themselves damaging files, but can reproduce rapidly, saturating a network and causing it to collapse. Normally sent via e-mail, some of the most notorious include: I Love You, Navidad, Pretty Park, Happy99 and Explore Zip.


Trojans

• Another unsavory breed of virus are Trojans or Trojan horses, which unlike viruses do not reproduce by infecting other files nor do they self-replicate like worms.

• Trojans work in a similar way to their mythological namesake, the famous wooden horse in which Greek soldiers hid so that they could enter the city of Troy undetected. They appear to be harmless programs that enter a computer through any channel. When that program is executed (they have names or characteristics which trick the user into doing so), they install other programs on the computer that can be harmful.

• Trojans may not activate their effects at first, but when they do, they can wreak havoc on your system. They have the capacity to delete files, destroy information on your hard drive and open up a backdoor to your security system. This gives them complete access to your system, allowing an outside user to copy and resend confidential information.

• Some examples of Trojans are Backdoor, Donald Dick, Crack2000, Extacis, KillCMOS and Netbus.


Backdoors

• A backdoor is a program that can get into computers without the user realizing, passing itself off as a harmless program. Once it has been run, it opens a backdoor through which it can control the affected computer. This allows a malicious user to carry out actions on the affected computer that can compromise user confidentiality or impede the operations carried out.

• The actions that backdoors allow malicious users to carry out can be extremely damaging. They could allow them to delete files or destroy all the information on the hard disk, capture confidential data and send it out to an external address, or open communications ports, allowing remote control of the computer.

• Some examples of backdoors are: Orifice2K.sfx, Bionet.318, Antilam and Subseven.213.


Spyware, Adware and Dialers


Spyware

• Spyware are computer applications that collect information about users' browsing activity, preferences and interests. The data collected is sent to the creator of the application or third parties, either directly or after being stored on the computer.

• Spyware can be installed on computers in many different ways, including Trojans, which install them without the user's permission; when visiting web pages with certain ActiveX controls or code that exploits certain vulnerabilities; shareware or freeware applications downloaded from the Internet, etc.

• Spyware can be installed with the user's consent and awareness, but sometimes it is not. The same happens with the knowledge or lack of knowledge regarding data collected and the way it is used.


Adware

• Adware is a term used to refer to Advertising Software, i.e., programs that display advertisements.

• Adware refers to software that displays advertisements using any means: pop-up windows, banners, changes to the browser home page or search page, etc. These advertisements can be associated with the products or services offered by the creator of the adware or third parties.

• Adware can be installed with the user's consent and awareness, but sometimes it is not. The same happens with the knowledge or lack of knowledge regarding its functionalities.


Dialer

• This is a program that can, without the user knowing, disconnect the telephone connection to the Internet and redial another one such as a premium-rate number, with the obvious consequences on the user's telephone bill.


Cookie

• Cookies are small text files stored in the browser on the user's computer when visiting web pages.

• Cookies store information that can be used for several purposes:
– To personalize web pages to the preferences of each user.
– To gather demographic information about how many users visit the page and how long they spend viewing it.
– To monitor which banners are displayed to the user and for how long.

• The uses are not, in theory at least, malicious.

• However, remember that all personal information entered on a web page can be stored in a cookie, including credit card numbers, etc.

• Cookies can also be used to create user profiles with information that the user is unaware of, and sent to third parties. This information is transmitted to third parties, such as advertisers or others who could be interested in this sort of data, and represents a serious intrusion upon the individual's privacy.
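The point about personal data ending up in cookies can be checked from the defender's side. The following is an added example, not part of the original slides: it audits a Cookie header for values that look like payment card numbers (validated with the Luhn checksum) or e-mail addresses. The function names, the patterns and the sample header are assumptions constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

CARD_RE = re.compile(r"(?:\d[ -]?){13,19}")        # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def audit_cookie_header(header):
    """Return {cookie_name: [findings]} for a Cookie request header value."""
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        value = morsel.value
        hits = []
        for match in CARD_RE.finditer(value):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                hits.append("card-number")
                break
        if EMAIL_RE.search(value):
            hits.append("email")
        if hits:
            findings[name] = hits
    return findings

# Constructed sample header: a numeric session id, a well-known test card
# number, an e-mail address and a harmless preference.
SAMPLE = ("sid=1234567890123456; cc=4111111111111111; "
          "contact=alice@example.com; theme=dark")

if __name__ == "__main__":
    print(audit_cookie_header(SAMPLE))
```

The 16-digit session id is not reported because it fails the Luhn check, which keeps the audit from flagging every long number.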


Spam

• Spam is unsolicited email, normally with an advertising content sent out as a mass mailing.

• The term spam is derived from spiced ham, the first tinned meat product that did not need to be kept in a refrigerator. Its use spread as a result, becoming part of the communal meals of the United States and Russian armies during the Second World War.

• Some of the most common characteristics these types of email messages have are:
– The address that appears as that of the message sender is unknown to the user and is quite often spoofed.
– The message often does not have a Reply address.
– An eye-catching subject is presented.
– It has advertising content: website advertisements, ways to make money easily, miracle products, property offers, or simply lists of products on special offer.


What is a vulnerability?

• A vulnerability represents a weak point through which the security of a computer can be breached. A vulnerability is a programming error in an application that can be exploited to gain access to the computer with that program installed.

• Generally, this programming error refers to operations that cause the application to malfunction. This bug can be reproduced artificially by a malicious user in order to gain access to computers without the user's permission. Sometimes, this can be done by simply opening a specially crafted document.

• This would allow a malicious user to carry out a wide range of actions on the vulnerable computer, for example, running or deleting files, inserting viruses, accessing information, etc.


What do viruses infect?

• The main targets of a virus are program files (files with an EXE or COM extension), which can be run to perform specific operations. Increasingly, other types of files and documents can also be infected, such as web pages (HTML), Word documents (DOC), Excel spreadsheets (XLS), etc.

• If a file becomes infected, it may behave in a completely different way than before. The consequences of an infection to the system can therefore vary enormously.

• As files are often stored on disks or drives (hard drive, CD-ROM, DVD, diskettes, etc.) the damage caused by the virus may also affect these elements.


Transmission and Camouflage Techniques


Transmission

• Some of the more common ways for viruses and other threats to spread include:
– Attaching HTML code in the AutoSignature of e-mail messages.
– Installing and activating the virus when messages are viewed in the Preview Pane.
– Sending code that, when the user opens an infected message, causes the execution of the infected file.
– Exploiting flaws or vulnerabilities in Internet Explorer and the Outlook and Outlook Express mail clients.
– Using network drives and directories to access information and resources shared by users.
– Hiding in online file-sharing networks like Gnutella.

• General strategies used to spread viruses and other threats include gaining the confidence of users or deceiving people into downloading a file that appears to contain music, images, documents of interest etc. but is in fact infected.


Camouflage Techniques

• Viruses disguise themselves from antiviruses and other security devices using a host of complex techniques:

– Stealth. Viruses that use this technique hide the normal characteristics that would indicate their presence.

• For example, the size of the file will normally increase when it is infected. However, by only inserting code in free file sections, this type of virus tricks the system by making it seem that the file size has not changed.

• During file infections the date and time are registered as file modifications. However, when these viruses infect a file, they do not make such changes and the file date and time information will remain as it was before the infection.
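Because a stealth infection leaves the file size and the date and time untouched, an integrity check has to compare file contents rather than metadata. The following is an added example, not part of the original slides: it records a baseline for a constructed sample file, changes the file in a way that keeps its length and timestamps, and shows that only the content hash reveals the change. All names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Record size, modification time and SHA-256 of a file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def compare(baseline, current):
    """Return the attributes that differ from the baseline."""
    return [k for k in ("size", "mtime_ns", "sha256") if baseline[k] != current[k]]

def demo():
    # Constructed sample: a stand-in "program" with a run of zero padding,
    # like the free file sections the slide mentions.
    original = b"HEADER" + b"\x00" * 64 + b"CODE-AND-DATA"
    altered = b"HEADER" + b"\x41" * 64 + b"CODE-AND-DATA"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(original)
        baseline = snapshot(path)

        # Test fixture for the condition the slide describes: same length,
        # and the date and time put back as they were before the change.
        st = os.stat(path)
        with open(path, "wb") as fh:
            fh.write(altered)
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

        return compare(baseline, snapshot(path))

if __name__ == "__main__":
    # A check based on size and timestamps alone would report nothing here.
    print("changed attributes:", demo())
```

The baseline itself has to be stored where the monitored system cannot rewrite it, otherwise the comparison proves nothing.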


Vulnerabilities

• Vulnerabilities are weaknesses or security holes in certain applications or software programs.

• Attacks exploiting vulnerabilities have increased in frequency, especially those preying on the more commonly used programs and operating systems. Some of the most recent ones include:

• Internet Explorer Vulnerabilities.

– Cross-site scripting. Affects Internet Explorer (versions 5.01, 5.5 and 6.0), spreading viruses to users by executing malicious code through a web page or through e-mail in HTML format.
– Additional Information: Microsoft Security Bulletin MS02-023.
– Solution: Available on Microsoft website, under Knowledge Base article Q321323 and under Windows Update.

– XMLHTTP Control Can Allow Access to Local Files. Allows access to local files by sending and receiving XML data in HTTP format. The problem arises from the way the XMLHTTP control configures Internet Explorer, giving access to local files.
– Additional Information: Microsoft Security Bulletin MS02-008.
– Solution: Available on Microsoft website under Knowledge Base article Q317244.

– Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files. Permits an attacker to access frames in other domains through web pages or e-mails in HTML format. Internet Explorer does not correctly recognize the domain when using code written in Visual Basic Script programming language, making it possible for an attacker to access confidential information.


Threat Level

• The criteria used to determine the threat presented by a virus or other threat depend on its distribution and the damage it can cause. Discover the new innovations in this gauge.

• Low threat: the virus is neither damaging nor widely spread.

• Moderate threat: the virus is either fairly widely spread and causes significant damage or not widely spread but causes serious damage.

• High threat: the virus is either very widespread and causes damage or relatively widespread and seriously damaging.

• Severe threat: the virus is widely spread and very damaging.


Symptoms and effects

• How do you know if a virus has hit you?

• It can be difficult to tell if a virus has infected your computer, which is why it is necessary to have a reliable antivirus installed.

• The following are symptoms to look for which indicate the possible presence of a virus (although the problem may not be due to a virus).


• Unusually slow processing in the normal functions of the computer with no apparent cause. This can be caused by having too many programs open, problems with the network, but also by a virus infection.

• Not being able to open certain files or work with certain programs where a virus may have erased all or part of the data necessary to open the program.

• Unexplained missing files and folders is another common side effect of viruses.

• Not being able to open certain files. Viruses can also alter files, making it impossible to view them, causing an error message to appear.

• Bogus warnings or text displayed on screen. These will often contain unusual messages (jokes, insults, obscenities etc).

• Sudden reduction in disk space or memory capacity may be an indication of viruses, as they can sometimes consume all available free space. In these cases, warnings will appear indicating that there is no disk space.

• Some viruses can affect the normal functioning of disk drives, causing problems when saving files or performing other operations involving the hard disk.


Tips for all users

• Basic steps to protect you from viruses.
– Use your antivirus correctly and make sure to update it regularly.
– Install a reliable firewall.
– Make regular back-up copies of your system files.
– Update software applications with manufacturers' patches.
– Always act with caution when reading e-mail and handling suspicious files.


Tips for Network Administrators

• Analyze your risk factor and set up a security strategy.
• Install a good antivirus across the entire network and keep it updated.
• Make regular back-ups.
• Keep up-to-date on the latest IT security news.
• Create a security policy in the company.