Chapter 17

Viruses

-A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes -can replicate themselves -copy themselves to other disks to spread to other computers -can be merely annoying or they can be vasaly destructive

What are Transmission Patterns?

-Not confined to a single medium or execution pattern -example: virus arrives on a disk or from the network, travels to a hard disk boot sector, reemerges when computer is next booted -renames in memory to infect other desks

Trojan Horse malware

-Program that has the appearance of having useful and/or desired function -Does not replicate or copies itself but causes damage or compromises the security of the computer -must be sent by someone it carried by another program and may arrive in the form of a joke program or software -often use to capture logins and passwords

What is an Anti-spyware program?

-Type of program designed to prevent and detect unwanted spyware programs installations and to remove those programs if installed

What are storage patterns?

-Virus attaches itself to a file and changes its size -virus obliterates all or part of the underlying program, not affecting its size, but impairing its function

What is a Firewall?

-a firewall blocks attempts to access your files over a network or internet connection -that will block incoming attacks -your computer can become infected though a shared disk or even from another computer on the network -so you need to monitor what your computer is putting out over the network on internet

What is an Encrypted Virus?(concealment strategy)

-a portion of virus creates a random encryption key and encrypts the remainder of the virus -the key is stored with the virus -when the virus replicates, a different random key is generated

Why has the use of ransomware gone up?

- money -ransomware as a service -hard to catch the criminal

Malware

-"Malicious Software" is used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. -It can appear in the form of code, scripts, active content, and other software -general term referring to a variety of forms of hostile, intrusive, or annoying software

Trapdoor/Backdoor malware

-a secret, undocumented entry point into a module which allows a specialized access -the trapdoor is inserted during code development, test the modules, then allow access in events of error -Trapdoor are vulnerabilities because the expose the system to modification during execution -programmer usually removes trapdoors during program development but sometimes can forget to remove them, leaves them in program for testing, or as a covert means of access to the routine after it becomes an accepted production program

how to viruses gain control?

-a virus changes the pointers in the file table so that V is located instead of T whenever T is accessed through the file system

Adware (malware)

-a.k.a advertising- supported software -automatically delivers advertisements -common examples of adware include pop-up ads on websites and advertisements that are displayed by software -often times software and applications offer "free" versions that come bundled with adware

What are major Homes for viruses in a computer?

-boot sector -memory -application programs -libraries

Rootkits

-clandestine computer program designed to provide continued privilege access to a computer while actively hiding its presence -the term comes from the two words "root" and "kit". -pre-packaged software to hide malware -freely obtainable -insert hooks into system, kernel -trap programs calls to list directory contents, running processes, registry entries

Why does a virus attack libraries?

-desirable home for viruses -used by many programs -shared between users -spreads infections to compliers, linkers, runtime debuggers, etc.

ransomware (malware)

-essentially holds a computer captive while demanding ransom -restricts user access to the computer either by encrypting files on the hard drive or locking down the system and displaying messages that are intended to force the user to pay malware creator to remove the restrictions and regain access to their computer

What is a stealth virus?(concealment strategy)

-explicitly designed to hide from virus scanning programs

what are the symptoms of malware?

-increase CPU storage -Slow computer or web browser speed -problems connecting to networks -freezing or crashing -modified or deleted files -appearance of strange files, programs or icons -programs running by themselves -strange computer behavior

What are the three parts of a virus?

-infection mechanism -trigger -payload

What is a file-infector virus?(basis of target)

-infects executable files -also called parasitic viruses because they attach their self to executable files as part of their code -runs whenever the host program is executed

What is the macro virus?(basis of target)

-infects files with macro code that is interpreted by the relevant application, such as doc or excel files

What is a boot sector virus?(basis of target)

-infects master boot record -boot record (boot sector) of a disk and spreads when a system is booted with an infected disk -they are memory-resident viruses

what do you do if a ransom notice pops up

-kill the suspicious programs -change file extensions to uninteresting extensions

how to detect Rootkits

-look for the hooks -look for known files names, processes -look for what's being hidden -difficult to do, getting more difficult -tools exist to do this, but most don't detect everything -hot topic of research in the field

Computer Spyware

-malware installed on computers that collects information about users without their knowledge -the presence of spyware is typically hidden from the user and can be difficult to detect -spyware programs lurk in your computer to steal important information, like your passwords and logins and other personal information and then sends it to someone else

What is a polymorphic virus?(concealment strategy)

-mutates with every new host to prevent signature detection, signature detection is useless

Botnets/Zombie Malware

-programs that take control of your computer and use it and its internet connection to attack other computers or networks or to preform criminal activities -"the single greatest threat facing humanity" -Quickly becoming a top problem on campus -hordes of infected "drone" hosts -used for spam relay, DDOS, scanning , infection

What is an Antivirus program?

-protective software designed to defend you computer against malicious software -in order to be ab effective defense, the antivirus software needs to run in the background at all times, and should be kept updated so it recognizes new versions of malicious software

What is a metamorphic virus?(concealment strategy)

-rewrites itself completely with every new host -may change their behavior and appearance

Computer Worm

-self-replication computer program -it uses a network to send copies of itself to other nodes (computers on network) and it may do so without any user intervention -does not need to attach itself to an existing program

How to Botnets get spread

-spreading via IM, email, compromise -installs remote-control software -connects to central server to announce presence and await commands -allows "botmaster" to control 100, 1000, 10000+ infected hosts with simple commands -continually evolving -network connections are intiated by the drone hosts -uses common protocols: HTTP, IRC, FTP -starting to see stealth techniques employed to hide infection (rootkits), communications (SSL, steganography) -tremendous incentives for botmasters to grow, maintain, defend their horde -you don't want this on your computer

What is a virus signature?

-the executions and spreading characteristics of a virus have certain telltale patterns -virus signatures are used by virus scanners to detect the virus -storage patterns, execution patterns, transmission programs

What is a boot sector?

-the portion of a disk reserved for the bootstrap loader (the self starting portion) of an operating system -the boot sector typically contains a short machine language program that loads the operating system

What is an Anti-spam program?

-tries to identify useless or dangerous messages

How does a virus scanner detect storage patterns?

-use codes or checksum to detect changes to a file -look for suspicious patterns such as a JUMP instruction as the first instruction of a system program

Preventing Virus infections

-use only commercial software acquired from reliable, well established vendors -test all new software on an isolated computer -make a bootable disk and store is safely -make and retain backup copies of executable system files -use virus detectors regularly

What is an Anti-Malware program?

-used to prevent, detect, and remove computer viruses, worms, Trojan horses, and any other type of malware -antivirus program, anti-spyware, anti-spam, firewall

What is a memory resident virus?

-virus attaches itself to memory resident code -virus is activated many times while the machine is running -once activated it looks for and infects uninfected carriers

Why does a virus attack the boot sector?

-virus gains control very early in the boot process before most detection tools are active -operating systems usually make files in the boot area invisible to the user so the virus code is not readily noticed

Why does a virus attack application programs?

-virus macro adds itself to start up directives -virus embeds itself in data files

Usage of Malware

-were first written as experiments or pranks -used primarily to steal sensitive personal, financial, or business information for the benefit of others.

First major case of Ransomware

2013, Cryptolocker (operation Tovar)

What are the types of Malware?

Viruses, Trojan horses, worms, spyware, zombie, trapdoor/backdoor, Rootkits, adware, ransomware

what is a virus?

a program that can pass malicious code to other non malicious programs by modifying them

List examples of computer Viruses

macro virus, boot virus, logic bomb virus, directory virus, resident virus

How does malware spread?

malware is a program that must be triggered ort somehow executed before it can infect your computer system and spread to others (social network, pirated software, removable media, emails, websites)

If your computer is infected DO NOT...

pay ransom, lose the files

What is Police Ransomware/ FBI Ransomware

ransomware impersonates law enforcement

if your computer is infected DO...

restore files, recover files

Viruses that replace a program

virus code replaces the target, wither mimicking the effects of the target or ignoring the expected effect of the target and performing only the virus effect

Viruses that surround a program

virus code runs the original program but have control before an after its excitation

appended viruses

virus code that attaches itself to a program and is activated whenever the program is run

Integrated Viruses

virus program replaces some of its target, integrating itself into the original code of the target

who gets hit with ransomware?

Hospitals, police, san Francisco transport system, Las Vegas,

What are some of the deadliest computer viruses of all time

ILOVEYOU, code red, MyDoom, Slammer