Chapter 17
Viruses
-A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes
-can replicate themselves
-copy themselves to other disks to spread to other computers
-can be merely annoying or they can be vastly destructive
What are Transmission Patterns?
-Not confined to a single medium or execution pattern
-example: virus arrives on a disk or from the network, travels to a hard disk boot sector, reemerges when the computer is next booted
-remains in memory to infect other disks
Trojan Horse malware
-Program that has the appearance of having a useful and/or desired function
-Does not replicate or copy itself but causes damage or compromises the security of the computer
-must be sent by someone or carried by another program and may arrive in the form of a joke program or software
-often used to capture logins and passwords
What is an Anti-spyware program?
-Type of program designed to prevent and detect unwanted spyware program installations and to remove those programs if installed
What are storage patterns?
-Virus attaches itself to a file and changes its size
-virus obliterates all or part of the underlying program, not affecting its size but impairing its function
What is a Firewall?
-a firewall blocks attempts to access your files over a network or internet connection
-that will block incoming attacks
-your computer can become infected through a shared disk or even from another computer on the network
-so you need to monitor what your computer is putting out over the network or internet
What is an Encrypted Virus?(concealment strategy)
-a portion of the virus creates a random encryption key and encrypts the remainder of the virus
-the key is stored with the virus
-when the virus replicates, a different random key is generated
Why has the use of ransomware gone up?
-money
-ransomware as a service
-hard to catch the criminal
Malware
-"Malicious Software" is used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems
-It can appear in the form of code, scripts, active content, and other software
-general term referring to a variety of forms of hostile, intrusive, or annoying software
Trapdoor/Backdoor malware
-a secret, undocumented entry point into a module which allows specialized access
-the trapdoor is inserted during code development to test the modules, then allows access in the event of an error
-Trapdoors are vulnerabilities because they expose the system to modification during execution
-the programmer usually removes trapdoors during program development but sometimes forgets to remove them, leaves them in the program for testing, or keeps them as a covert means of access to the routine after it becomes an accepted production program
How do viruses gain control?
-a virus changes the pointers in the file table so that the virus V is located instead of the target program T whenever T is accessed through the file system
Adware (malware)
-a.k.a. advertising-supported software
-automatically delivers advertisements
-common examples of adware include pop-up ads on websites and advertisements that are displayed by software
-oftentimes software and applications offer "free" versions that come bundled with adware
What are major Homes for viruses in a computer?
-boot sector
-memory
-application programs
-libraries
Rootkits
-clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence
-the term comes from the two words "root" and "kit"
-pre-packaged software to hide malware
-freely obtainable
-inserts hooks into the system and kernel
-traps program calls to list directory contents, running processes, registry entries
Why does a virus attack libraries?
-desirable home for viruses
-used by many programs
-shared between users
-spreads infections to compilers, linkers, runtime debuggers, etc.
ransomware (malware)
-essentially holds a computer captive while demanding a ransom
-restricts user access to the computer, either by encrypting files on the hard drive or by locking down the system and displaying messages that are intended to force the user to pay the malware creator to remove the restrictions and regain access to their computer
What is a stealth virus?(concealment strategy)
-explicitly designed to hide from virus scanning programs
What are the symptoms of malware?
-increased CPU usage
-slow computer or web browser speed
-problems connecting to networks
-freezing or crashing
-modified or deleted files
-appearance of strange files, programs or icons
-programs running by themselves
-strange computer behavior
What are the three parts of a virus?
-infection mechanism
-trigger
-payload
What is a file-infector virus?(basis of target)
-infects executable files
-also called parasitic viruses because they attach themselves to executable files as part of their code
-runs whenever the host program is executed
What is the macro virus?(basis of target)
-infects files with macro code that is interpreted by the relevant application, such as .doc or Excel files
What is a boot sector virus?(basis of target)
-infects the master boot record or boot record (boot sector) of a disk and spreads when a system is booted with an infected disk
-they are memory-resident viruses
What do you do if a ransom notice pops up?
-kill the suspicious programs
-change file extensions to uninteresting extensions
How to detect rootkits
-look for the hooks
-look for known file names, processes
-look for what's being hidden
-difficult to do, getting more difficult
-tools exist to do this, but most don't detect everything
-hot topic of research in the field
Computer Spyware
-malware installed on computers that collects information about users without their knowledge
-the presence of spyware is typically hidden from the user and can be difficult to detect
-spyware programs lurk in your computer to steal important information, like your passwords and logins and other personal information, and then send it to someone else
What is a polymorphic virus?(concealment strategy)
-mutates with every new host to prevent signature detection; signature detection is useless
Botnets/Zombie Malware
-programs that take control of your computer and use it and its internet connection to attack other computers or networks or to perform criminal activities
-"the single greatest threat facing humanity"
-quickly becoming a top problem on campus
-hordes of infected "drone" hosts
-used for spam relay, DDoS, scanning, infection
What is an Antivirus program?
-protective software designed to defend your computer against malicious software
-in order to be an effective defense, the antivirus software needs to run in the background at all times, and should be kept updated so it recognizes new versions of malicious software
What is a metamorphic virus?(concealment strategy)
-rewrites itself completely with every new host
-may change its behavior and appearance
Computer Worm
-self-replicating computer program
-it uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention
-does not need to attach itself to an existing program
How do botnets get spread?
-spreading via IM, email, compromise
-installs remote-control software
-connects to a central server to announce presence and await commands
-allows the "botmaster" to control 100, 1000, 10000+ infected hosts with simple commands
-continually evolving
-network connections are initiated by the drone hosts
-uses common protocols: HTTP, IRC, FTP
-starting to see stealth techniques employed to hide infection (rootkits) and communications (SSL, steganography)
-tremendous incentives for botmasters to grow, maintain, defend their horde
-you don't want this on your computer
What is a virus signature?
-the execution and spreading characteristics of a virus have certain telltale patterns
-virus signatures are used by virus scanners to detect the virus
-storage patterns, execution patterns, transmission patterns
What is a boot sector?
-the portion of a disk reserved for the bootstrap loader (the self-starting portion) of an operating system
-the boot sector typically contains a short machine language program that loads the operating system
What is an Anti-spam program?
-tries to identify useless or dangerous messages
How does a virus scanner detect storage patterns?
-use codes or checksums to detect changes to a file
-look for suspicious patterns such as a JUMP instruction as the first instruction of a system program
Preventing Virus infections
-use only commercial software acquired from reliable, well-established vendors
-test all new software on an isolated computer
-make a bootable disk and store it safely
-make and retain backup copies of executable system files
-use virus detectors regularly
What is an Anti-Malware program?
-used to prevent, detect, and remove computer viruses, worms, Trojan horses, and any other type of malware
-antivirus program, anti-spyware, anti-spam, firewall
What is a memory resident virus?
-virus attaches itself to memory-resident code
-virus is activated many times while the machine is running
-once activated it looks for and infects uninfected carriers
Why does a virus attack the boot sector?
-virus gains control very early in the boot process, before most detection tools are active
-operating systems usually make files in the boot area invisible to the user, so the virus code is not readily noticed
Why does a virus attack application programs?
-virus macro adds itself to start-up directives
-virus embeds itself in data files
Usage of Malware
-were first written as experiments or pranks
-used primarily to steal sensitive personal, financial, or business information for the benefit of others
First major case of Ransomware
2013, CryptoLocker (Operation Tovar)
What are the types of Malware?
Viruses, Trojan horses, worms, spyware, zombie, trapdoor/backdoor, Rootkits, adware, ransomware
What is a virus?
a program that can pass malicious code to other non-malicious programs by modifying them
List examples of computer Viruses
macro virus, boot virus, logic bomb virus, directory virus, resident virus
How does malware spread?
malware is a program that must be triggered or somehow executed before it can infect your computer system and spread to others (social networks, pirated software, removable media, emails, websites)
If your computer is infected DO NOT...
pay ransom, lose the files
What is Police Ransomware / FBI Ransomware?
ransomware impersonates law enforcement
If your computer is infected DO...
restore files, recover files
Viruses that replace a program
virus code replaces the target, either mimicking the effects of the target or ignoring the expected effect of the target and performing only the virus effect
Viruses that surround a program
virus code runs the original program but has control before and after its execution
appended viruses
virus code that attaches itself to a program and is activated whenever the program is run
Integrated Viruses
virus program replaces some of its target, integrating itself into the original code of the target
Who gets hit with ransomware?
Hospitals, police, San Francisco transport system, Las Vegas
What are some of the deadliest computer viruses of all time?
ILOVEYOU, Code Red, MyDoom, Slammer