written 8.5 years ago by
teamques10
★ 68k
|
•
modified 8.5 years ago
|
- Malicious software can be divided into two categories: Those that need a host program and those that are independent.
- The former are essentially fragments of programs that can’t exist independently of some actual application program, utility or system program. Examples: Viruses, Logic bombs and backdoors.
- The latter are self-contained programs that can be scheduled and run by the operating system. Examples: Worms and Zombie programs.
A virus is a piece of software that can “infect” other programs by modifying them. The modification includes a copy of the virus program, which then can go to infect other programs.
i. A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run.
ii. Once a virus is executing, it can perform any function such as erasing files and programs.
iii. Most viruses carry out their work in a manner that is specific to6a particular operating system and in some cases specific to a particular hardware platform. Thus they are designed to take advantage of the details and weaknesses of particular systems.
iv. A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to it’s operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.
v. During it’s lifetime a typical virus goes through following 4 phases:
- Dominant Phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit.
- Propagation Phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk.
- Triggering Phase: The virus is activated to perform the function for which it was intended.
- Execution Phase: The function is performed. The function may be harmless of damaging.
Types of viruses:
i. Parasitic Virus: The traditional and still most common form of virus. A parasitic virus attaches itself to executable and replicates when the infected program is executed.
ii. Memory resident Virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.
iii. Boot-Sector Virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
iv. Stealth Virus: A form of virus explicitly designed to hide itself from detection by antivirus software.
v. Polymorphic Virus: A virus that mutates with every infection, making detection by the “signature” of the virus impossible.
vi. Metamorphic Virus: A metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.
Examples of recent viruses:
i. Macro viruses:
- Macro virus is platform independent. Virtually all of the macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports word can be infected.
- Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
- Macro viruses are easily spread. A very common method is by e-mail.
ii. E-Mail viruses:
A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses such as Melissa, made use of a Microsoft word macro embedded in an attachment. If the recipient opens the e-mail attachment, the word macro is activated. Then,
- The e-mail virus sends itself to everyone on the mailing list in the user’s email package.
- The virus does local damage.
iii. Worms:
- A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again.
- In addition to propagation, the worm usually performs some unwanted function. An e-mail virus has some of the characteristics, of a worm, because it propagates itself from system to system. A worm actively seeks out more machines launching pad for attacks on other machines.
- Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.
iv. State of worm technology
- Multiplatform: Worms are not limited to windows machines but can attack a variety of platforms, especially the popular varieties of UNIX.
- Multiexploit: New worms penetrate systems in a variety of ways, using exploits against web servers, browsers, e-mail, file sharing and other network based applications.
- Ultrafast Spreading: One technique to accelerate the spread of a worm is to conduct a prior internet scan to accumulate internet addresses of vulnerable machines.
- Polymorphic: To evade detection, skip past filters and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionality equivalent instructions and encryption techniques.
- Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behaviour pattern that are unleashed at different stages of propagation.
- Transport Vehicles: Because worms can rapidly compromise a large no.of systems, they are ideal for spreading other distributed attack tools, such as distributed denial of service zombies.
- Zero-Day exploit: To achieve maximum surprise and distribution, a worm should exploit an unkown vulnerability that is only discovered by the general network community when the worm is launched.