Computer virus - Unabridged Guide



Published by Emereo Publishing
Complete, Unabridged Guide to Computer virus. Get the information you need--fast! This comprehensive guide offers a thorough view of key knowledge and detailed insight. It's all you need. Here's part of the content - you would like to know it all? Delve into this book today!..... : Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious. ...The advantage of using such slow polymorphic code is that it makes it more difficult for antivirus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. ... One may also minimize the damage done by viruses by making regular backups of data (and the operating systems) on different media, that are either kept unconnected to the system (most of the time), read-only or not accessible for other reasons, such as using different file systems. ...User data can be restored by booting from a live CD, or putting the hard drive into another computer and booting from its operating system, using great care not to infect the second computer by executing any infected programs on the original drive; and once the system has been restored precautions must be taken to avoid reinfection from a restored executable file. There is absolutely nothing that isn't thoroughly covered in the book. It is straightforward, and does an excellent job of explaining all about Computer virus in key topics and material. There is no reason to invest in any other materials to learn about Computer virus. You'll understand it all.

Inside the Guide: Computer virus, Linux malware, Leonard Adleman, Keystroke logging, Kaspersky Lab, Jussi Parikka, J. B. Gunn, Internet security, Heuristic analysis, Get a Mac, Fred Cohen, Firewall (computing), Email, Elk Cloner, David Gerrold, Cryptovirology, Creeper (program), Computer worm, Computer surveillance, Computer insecurity, Compression virus, Component Object Model, COM file, Botnet, Boot sector, Bliss (virus), Backup, Assembly language, Antivirus software


Published by: Emereo Publishing on Dec 24, 2012
Copyright: Traditional Copyright: All rights reserved
ISBN: 9781486429882
List Price: $16.78







  • Computer virus
  • Adware
  • Antivirus software
  • Assembly language
  • Backup
  • Bliss (virus)
  • Boot sector
  • Botnet
  • COM file
  • Component Object Model
  • Compression virus
  • Computer insecurity
  • Computer security
  • Computer surveillance
  • Computer worm
  • Creeper (program)
  • Cryptovirology
  • Article Sources and Contributors
  • Image Sources, Licenses and Contributors
  • License

Topic relevant selected content from the highest rated entries, typeset, printed and shipped.

Combine the advantages of up-to-date and in-depth knowledge with the convenience of printed books. A portion of the proceeds of each book will be donated to the Wikimedia Foundation to support their mission: to empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally. The content within this book was generated collaboratively by volunteers. Please be advised that nothing found here has necessarily been reviewed by people with the expertise required to provide you with complete, accurate or reliable information. Some information in this book may be misleading or simply wrong. The publisher does not guarantee the validity of the information found here. If you need specific advice (for example, medical, legal, financial, or risk management) please seek a professional who is licensed or knowledgeable in that area. Sources, licenses and contributors of the articles and images are listed in the section entitled “References”. Parts of the books may be licensed under the GNU Free Documentation License. A copy of this license is included in the section entitled “GNU Free Documentation License”. All used third-party trademarks belong to their respective owners.




Computer virus
A computer virus is a computer program that can replicate itself[1] and spread from one computer to another. The term "virus" is also commonly, but erroneously, used to refer to other types of malware, including but not limited to adware and spyware programs that do not have a reproductive ability. Malware includes computer viruses, computer worms, Trojan horses, most rootkits, spyware, dishonest adware and other malicious or unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves.

An example of a virus that is not malware, but is putatively benevolent, is Fred Cohen's theoretical compression virus.[2] However, antivirus professionals do not accept the concept of benevolent viruses, as any desired function can be implemented without involving a virus (automatic compression, for instance, is available under the Windows operating system at the choice of the user). Any virus will by definition make unauthorised changes to a computer, which is undesirable even if no damage is done or intended. On page one of Dr Solomon's Virus Encyclopaedia, the undesirability of viruses, even those that do nothing but reproduce, is thoroughly explained.[1]

Academic work
The first academic work on the theory of computer viruses (although the term "computer virus" was not used at that time) was done in 1949 by John von Neumann who gave lectures at the University of Illinois about the "Theory and Organization of Complicated Automata". The work of von Neumann was later published as the "Theory of self-reproducing automata". In his essay von Neumann described how a computer program could be designed to reproduce itself.[3] Von Neumann's design for a self-reproducing computer program is considered the world's first computer virus, and he is considered to be the theoretical father of computer virology.[4] In 1972 Veith Risak, directly building on von Neumann's work on self-replication, published his article "Selbstreproduzierende Automaten mit minimaler Informationsübertragung" (Self-reproducing automata with minimal information exchange).[5] The article describes a fully functional virus written in assembler language for a SIEMENS 4004/35 computer system. In 1980 Jürgen Kraus wrote his diplom thesis "Selbstreproduktion bei Programmen" (Self-reproduction of programs) at the University of Dortmund.[6] In his work Kraus postulated that computer programs can behave in a way similar to biological viruses. In 1984 Fred Cohen from the University of Southern California wrote his paper "Computer Viruses - Theory and Experiments".[7] It was the first paper to explicitly call a self-reproducing program a "virus", a term introduced by Cohen's mentor Leonard Adleman. In 1987, Fred Cohen published a demonstration that there is no algorithm that can perfectly detect all possible viruses.[8] An article that describes "useful virus functionalities" was published by J. B. Gunn under the title "Use of virus functions to provide a virtual APL interpreter under user control" in 1984.[9]



Science fiction
The actual term "virus" was first used to denote a self-reproducing program in a short story by David Gerrold in Galaxy magazine in 1969—and later in his 1972 novel, When HARLIE Was One. In that novel, a sentient computer named HARLIE writes viral software to retrieve damaging personal information from other computers to blackmail the man who wants to turn him off. The Terminal Man, a science fiction novel by Michael Crichton (1972), told (as a sideline story) of a computer with telephone modem dialing capability, which had been programmed to randomly dial phone numbers until it hit a modem that is answered by another computer. It then attempted to program the answering computer with its own program, so that the second computer would also begin dialing random numbers, in search of yet another computer to program. The program is assumed to spread exponentially through susceptible computers.

Virus programs
The Creeper virus was first detected on ARPANET, the forerunner of the Internet, in the early 1970s.[10] Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971.[11] Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system.[12] Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper.[13]

A program called "Elk Cloner" was the first personal computer virus to appear "in the wild"—that is, outside the single computer or lab where it was created.[14] Written in 1981 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk.[14][15] This virus, created as a practical joke when Skrenta was still in high school, was injected in a game on a floppy disk. On its 50th use the Elk Cloner virus would be activated, infecting the personal computer and displaying a short poem beginning "Elk Cloner: The program with a personality."

The first IBM PC virus in the wild was a boot sector virus dubbed (c)Brain,[16] created in 1986 by the Farooq Alvi Brothers in Lahore, Pakistan, reportedly to deter piracy of the software they had written.[17]

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk, usually inadvertently. Personal computers of the era would attempt to boot first from a floppy if one had been left in the drive. Until floppy disks fell out of use, this was the most successful infection strategy and boot sector viruses were the most common in the wild for many years.

Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS, modem use, and software sharing. Bulletin board–driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBSs. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by other computers.[18]

Macro viruses have become common since the mid-1990s. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel and spread throughout Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most could also spread to Macintosh computers. Although most of these viruses did not have the ability to send infected email messages, those that did took advantage of the Microsoft Outlook COM interface. Some old versions of Microsoft Word allow macros to replicate themselves with additional blank lines. If two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents".[19]

A virus may also send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.

Viruses that spread using cross-site scripting were first reported in 2002,[20] and were academically demonstrated in 2005.[21] There have been multiple instances of the cross-site scripting viruses in the wild, exploiting websites such as MySpace and Yahoo!.

Classification
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs (see code injection). If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.

Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation. The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. A fast infector, for instance, can infect every potential host file that is accessed. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software.

Slow infectors, on the other hand, are designed to infect hosts infrequently. Some slow infectors, for instance, only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will, at most, infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach, however, does not seem very successful.

Vectors and hosts
Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:
• Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, the Mach-O format in OSX, and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms).
• Application-specific script files (such as Telix-scripts)
• System specific autorun script files (such as Autorun.inf file needed by Windows to automatically run software stored on USB memory storage devices).
• Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
• Cross-site scripting vulnerabilities in web applications (see XSS Worm)
• Arbitrary computer files. An exploitable buffer overflow, format string, race condition or other exploitable bug in a program which reads the file could be used to trigger the execution of code hidden within it. Most bugs of this type can be made more difficult to exploit in computer architectures with protection features such as an execute disable bit and/or address space layout randomization.

PDFs, like HTML, may link to malicious code. PDFs can also be infected with malicious code.

In operating systems that use file extensions to determine program associations (such as Microsoft Windows), the extensions may be hidden from the user by default. This makes it possible to create a file that is of a different type than it appears to the user. For example, an executable may be created named "picture.png.exe", in which the user sees only "picture.png" and therefore assumes that this file is an image and most likely is safe, yet when opened runs the executable on the client machine.

Infection strategies
In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool antivirus software, however, especially those which maintain and date cyclic redundancy checks on file changes.

Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.

Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.

As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.

An additional method is to generate the virus code from parts of existing operating system files by using the CRC16/CRC32 data. The initial code can be quite small (tens of bytes) and unpack a fairly large virus. This is analogous to a biological "prion" in the way it works but is vulnerable to signature based detection. This attack has not yet been seen "in the wild".

Stealth
Some viruses trick antivirus software by intercepting its requests to the OS. A virus can hide itself by intercepting the request to read the infected file, handling the request itself, and return an uninfected version of the file to the antivirus software. The interception can occur by code injection of the actual operating system files that would handle the read request. Thus, an antivirus software attempting to detect the virus will either not be given permission to read the infected file, or, the read request will be served with the uninfected version of the same file.

File hashes stored in Windows, to identify altered Windows files, can be overwritten so that the System File Checker will report that system files are originals.

The only reliable method to avoid stealth is to boot from a medium that is known to be clean. Security software can then be used to check the dormant operating system files. Most security software relies on virus signatures or they employ heuristics, instead of also using a database of file hashes for Windows OS files. Using file hashes to scan for altered files would guarantee removing an infection. The security software can identify the altered files, and request Windows installation media to replace them with authentic versions.

Read request intercepts
While some antivirus software employ various techniques to counter stealth mechanisms, once the infection occurs any recourse to clean the system is unreliable. In Microsoft Windows operating systems, the NTFS file system is proprietary. Direct access to files without using the Windows OS is undocumented. This leaves antivirus software little alternative but to send a read request to Windows OS files that handle such requests.

Self-modification
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. Unfortunately, the term is misleading, in that viruses do not possess unique signatures in the way that human beings do. Such a virus signature is merely a sequence of bytes that an antivirus program looks for because it is known to be part of the virus. A better term would be "search strings". Different antivirus programs will employ different search strings, and indeed different search methods, when identifying viruses. If a virus scanner finds such a pattern in a file, it will perform other checks to make sure that it has found the virus, and not merely a coincidental sequence in an innocent file, before it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.

Encryption with a variable key
A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.

An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation had only to be repeated for decryption. It is suspicious for a code to modify itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.
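The search-string scanning and constant-key XOR encoding described above can be seen from the scanner's side in the following added example, which is not part of the book. It relies on the fact that XORing every byte with one constant leaves the XOR of adjacent bytes unchanged, so a single pass finds a known search string under any such key; the marker string, the sample buffers and all function names are constructed for illustration.

```python
"""Search-string scanning that survives constant-key XOR encoding.

Added illustration: the marker and all sample buffers are constructed,
benign byte strings, not taken from any real program.
"""

from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int  # where the (possibly encoded) search string starts
    key: int     # XOR constant it was encoded with; 0 means plain


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same constant (encoding == decoding)."""
    return bytes(b ^ key for b in data)


def deltas(data: bytes) -> bytes:
    """XOR of each byte with its successor.

    (a ^ k) ^ (b ^ k) == a ^ b, so this sequence is the same for every
    single-byte key k. Matching on it removes the key from the problem.
    """
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def scan(buffer: bytes, search_string: bytes) -> List[Hit]:
    """Find search_string in buffer, plain or XORed with any constant."""
    if len(search_string) < 2:
        raise ValueError("search string must be at least 2 bytes long")
    needle = deltas(search_string)
    haystack = deltas(buffer)
    hits: List[Hit] = []
    pos = haystack.find(needle)
    while pos != -1:
        # haystack[pos] pairs buffer[pos] with buffer[pos + 1], so the
        # match starts at buffer[pos]; the first byte reveals the key.
        hits.append(Hit(pos, buffer[pos] ^ search_string[0]))
        pos = haystack.find(needle, pos + 1)
    return hits


# --- constructed sample data -------------------------------------------
MARKER = b"CONSTRUCTED-TEST-MARKER-0001"   # stands in for a search string
PREFIX = bytes(range(32))                  # filler before the marker
SUFFIX = bytes(range(200, 232))            # filler after the marker

PLAIN_SAMPLE = PREFIX + MARKER + SUFFIX
ENCODED_SAMPLE = PREFIX + xor_bytes(MARKER, 0x5A) + SUFFIX
OTHER_KEY_SAMPLE = PREFIX + xor_bytes(MARKER, 0xC3) + SUFFIX
CLEAN_SAMPLE = PREFIX + bytes(len(MARKER)) + SUFFIX


if __name__ == "__main__":
    samples = {
        "plain": PLAIN_SAMPLE,
        "xor 0x5A": ENCODED_SAMPLE,
        "xor 0xC3": OTHER_KEY_SAMPLE,
        "clean": CLEAN_SAMPLE,
    }
    for name, sample in samples.items():
        direct = MARKER in sample          # what a plain byte search sees
        print(f"{name:9} direct={direct!s:5} key-independent={scan(sample, MARKER)}")
```

A different key per file changes nothing for this scanner, which is one reason the text treats constant XOR as weak; it does not help against the polymorphic and metamorphic techniques, where the bytes differ by more than a single constant.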

Polymorphic code
Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Antivirus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See polymorphic code for technical detail on how such engines operate.[22]

Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for antivirus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.

Metamorphic code
To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that utilize this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14,000 lines of assembly language code, 90% of which is part of the metamorphic engine.[23][24]

Avoiding bait files and other undesirable hosts
A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many antivirus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of antivirus software. Another type of host that viruses sometimes avoid are bait files. Bait files (or goat files) are files that are specially created by antivirus software, or by antivirus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:
• Antivirus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file, than to exchange a large application program that has been infected by the virus.
• Antivirus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
• Some antivirus software employ bait files that are accessed regularly. When these files are modified, the antivirus software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of "garbage instructions".

A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.
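The bait-file monitoring described above, together with the earlier points that a file can be changed while its "last modified" date and its size stay the same, comes down to comparing content hashes against a baseline. The following added example is not part of the book and shows that check; the file names, file contents and function names are constructed, and the files live in a temporary directory.

```python
"""Hash-based integrity check for bait (goat) files.

Added illustration: all files are constructed test data written to a
temporary directory that is removed when the demo finishes.
"""

import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, NamedTuple


class Record(NamedTuple):
    size: int
    mtime_ns: int
    sha256: str


def take_record(path: Path) -> Record:
    """Capture metadata and a content hash for one file."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return Record(st.st_size, st.st_mtime_ns, digest)


def snapshot(paths: Iterable[Path]) -> Dict[Path, Record]:
    """Baseline to be stored while the files are known to be clean."""
    return {p: take_record(p) for p in paths}


def compare(baseline: Dict[Path, Record]) -> Dict[Path, str]:
    """Re-read every baselined file and classify what happened to it."""
    verdicts: Dict[Path, str] = {}
    for path, old in baseline.items():
        if not path.exists():
            verdicts[path] = "missing"
            continue
        new = take_record(path)
        if new.sha256 == old.sha256:
            verdicts[path] = "unchanged"
        elif (new.size, new.mtime_ns) == (old.size, old.mtime_ns):
            # Invisible to a check that looks only at date and size.
            verdicts[path] = "modified, size and timestamp preserved"
        else:
            verdicts[path] = "modified"
    return verdicts


def demo() -> Dict[str, str]:
    """Build three bait files, change two of them, report the verdicts."""
    content = b"HEADER" + bytes(64) + b"BODY"  # 64 zero bytes: an unused gap
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        names = ["bait_a.bin", "bait_b.bin", "bait_c.bin"]
        for name in names:
            (root / name).write_bytes(content)
        baseline = snapshot(root / name for name in names)

        # bait_a: bytes inside the gap are replaced, so the length is the
        # same, and the original timestamp is put back afterwards.
        target = root / "bait_a.bin"
        old = baseline[target]
        data = bytearray(target.read_bytes())
        data[6:22] = b"X" * 16
        target.write_bytes(bytes(data))
        os.utime(target, ns=(old.mtime_ns, old.mtime_ns))

        # bait_b: data is appended, so the size changes.
        with open(root / "bait_b.bin", "ab") as fh:
            fh.write(b"APPENDED")

        # bait_c is left alone.
        return {p.name: verdict for p, verdict in compare(baseline).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
```

As the section on stealth notes, a resident virus that intercepts read requests can return the original bytes, so a comparison like this is only trustworthy when run after booting from a medium known to be clean, with the baseline stored where the inspected system cannot overwrite it.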

Vulnerability and countermeasures

The vulnerability of operating systems to viruses

Just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses. This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office suites. Microsoft software is targeted by virus writers due to their desktop dominance.

Although Windows is by far the most popular target operating system for virus writers, viruses also exist on other platforms.[25] Any operating system that allows third-party programs to run can theoretically run viruses.

As of 2006, there were at least 60 known security exploits targeting the base installation of Mac OS X (with a Unix-based file system and kernel).[26] The number of viruses for the older Apple operating systems, known as Mac OS Classic, varies greatly from source to source, with Apple stating that there are only four known viruses, and independent sources stating there are as many as 63 viruses. Many Mac OS Classic viruses targeted the HyperCard authoring environment. The difference in virus vulnerability between Macs and Windows is a chief selling point, one that Apple uses in their Get a Mac advertising.[27] In January 2009, Symantec announced the discovery of a trojan that targets Macs.[28] This discovery did not gain much coverage until April 2009.[28]

While Linux, and Unix in general, has always natively blocked normal users from having access to make changes to the operating system environment, Windows users are generally not. This difference has continued partly due to the widespread use of administrator accounts in contemporary versions like XP. In 1997, when a virus for Linux was released—known as "Bliss"—leading antivirus vendors issued warnings that Unix-like systems could fall prey to viruses just like Windows.[29] The Bliss virus may be considered characteristic of viruses—as opposed to worms—on Unix systems. Bliss requires that the user run it explicitly, and it can only infect programs that the user has the access to modify. Unlike Windows users, most Unix users do not log in as an administrator user except to install or configure software; as a result, even if a user ran the virus, it could not harm their operating system. The Bliss virus never became widespread, and remains chiefly a research curiosity. Its creator later posted the source code to Usenet, allowing researchers to see how it worked.[30]

The role of software development

Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit software bugs in a system or application to spread. Software development strategies that produce large numbers of bugs will generally also produce potential exploits.

Anti-virus software and other preventive measures

Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses. The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect novel viruses that anti-virus security firms have yet to create a signature for.

Some anti-virus programs are able to scan opened files in addition to sent and received email messages "on the fly" in a similar manner. This practice is known as "on-access scanning". Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to recognize the latest threats.

One may also minimize the damage done by viruses by making regular backups of data (and the operating systems) on different media, that are either kept unconnected to the system (most of the time), read-only or not accessible for other reasons, such as using different file systems. This way, if data is lost through a virus, one can start again using the backup (which should preferably be recent).

If a backup session on optical media like CD and DVD is closed, it becomes read-only and can no longer be affected by a virus (so long as a virus or infected file was not copied onto the CD/DVD). Likewise, an operating system on a bootable CD can be used to start the computer if the installed operating systems become unusable. Backups on removable media must be carefully inspected before restoration. The Gammima virus, for example, propagates via removable flash drives.[31][32]

Recovery methods

A number of recovery options exist after a computer has a virus. These actions depend on the virus. Some may be safely removed by functions available in most anti-virus software products. Others may require re-installation of damaged programs. It is necessary to know the characteristics of the virus involved to take the correct action, and anti-virus products will identify known viruses precisely before trying to "dis-infect" a computer, otherwise such action could itself cause a lot of damage. New viruses that anti-virus researchers have not yet studied therefore present an ongoing problem, which requires anti-virus packages to be updated frequently.

Virus removal

One possibility on Windows Me, Windows XP, Windows Vista and Windows 7 is a tool known as System Restore, which restores the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files and does not exist in previous restore points.[33] Some viruses disable System Restore and other important tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor. Many such viruses can be removed by rebooting the computer, entering Windows safe mode, and then using system tools.

Many websites run by anti-virus software companies provide free online virus scanning, with limited cleaning facilities (the purpose of the sites is to sell anti-virus products). Some websites allow a single suspicious file to be checked by many antivirus programs in one operation. Additionally, several capable antivirus software programs are available for free download from the internet (usually restricted to non-commercial use), and Microsoft provide a free anti-malware utility that runs as part of their regular Windows update regime.

Operating system reinstallation

Reinstalling the operating system is another approach to virus removal. It involves either reformatting the computer's hard drive and installing the OS and all programs from original media, or restoring the entire partition with a clean backup image. User data can be restored by booting from a live CD, or putting the hard drive into another computer and booting from its operating system, using great care not to infect the second computer by executing any infected programs on the original drive; and once the system has been restored precautions must be taken to avoid reinfection from a restored executable file.

These methods are simple to do, may be faster than disinfecting a computer, and are guaranteed to remove any malware. If the operating system and programs must be reinstalled from scratch, the time and effort to reinstall, reconfigure, and restore user preferences must be taken into account.

google. Abstract at http:/ / vx. uk/ technology/ apple/ 9104229/ Trojan-virus-tricks-Apple-Mac-users-to-steal-passwords. frisk-software. xml). [7] Cohen. (22 April 2009). [10] "Virus list" (http:/ / www. com/ security_response/ writeup. "The Cross-site Scripting Virus" (http:/ / www. NY. Retrieved August 19. [12] Jussi Parikka (2007) "Digital Contagions. [25] "Trojan virus tricks Apple Mac users to steal passwords" (http:/ / www. 2010-06-10. Actlab. . Computer Viruses and Data Protection. 2009-10-01. "Selbstreproduzierende Automaten mit minimaler Informationsübertragung" (http:/ / www." http:/ / www. . ACM SIGAPL APL Quote Quad archive (ACM New York. html)) [2] Burger. 2005. a Linux 'virus'" (http:/ / math-www. com/ en/ analysis?pubid=191968025). edu/ ~aviva/ compsec/ virus/ whatis. html ( archived version (http:/ / web. Jürgen (February 1980). com/ antivirus/ SciPapers/ VB2000DC. Retrieved 2008-02-07. . Retrieved 2010-01-07. Veith (1972). [20] Berend-Jan Wever. co. viruslist. "Striking Similarities" (http:/ / securityresponse. An Undetectable Computer Virus (http:/ / www. Retrieved 2010-08-27. Volume 1 (http:/ / books. 2012-02-26. . com/ getamac).com. mit. Retrieved 2009-02-16. com/ en/ viruses/ encyclopedia?chapter=153310937).B. pdf) (PDF). de/ ~axel/ bliss/ mcafee_press. . netlux. T. Retrieved 2010-08-27. [22] "Virus Bulletin : Glossary . 1996-03-31. [15] "The anniversary of a nuisance" (http:/ / www. "The Evolution of Viruses and Worms" (http:/ / vx. . utexas. htm). uk/ books?id=BtB1aBmLuLEC& printsec=frontcover& source=gbs_summary_r& cad=0#PPA86. virus. [28] Sutter.com. html). 19–38 ISBN 2287239391. org/ lib/ atc01. Peter Lang: New York. Retrieved 2010-08-27. netlux. "Theory of Self-Reproducing Automata" (http:/ / cba. html). com/ security_response/ writeup. Retrieved 2010-08-27.Computer virus 9 References [1] Dr. sbg. ibm. Computer Viruses . [19] Vesselin Bontchev. org/ lib/ pdf/ Selbstreproduktion bei programmen. [21] Wade Alcorn. 
19-20 [3] von Neumann.about. org/ bugtraq/ 2002/ Oct/ 119). Digital Formations-series. edu/ events/ 03. cnbc." http:/ / www. net/ books/ virus/ index. 2006. [6] Kraus. .. [26] "Malware Evolution: Mac OS X Vulnerabilities 2005-2006" (http:/ / www. ISBN 0-937175-71-4 [14] Anick Jesdanun (1 September 2007). uni-paderborn. "School prank starts 25 years of security woes" (http:/ / www. archive. mac. netlux. . McAfee. acm. com/ blogs/ null/ 103826 [33] "Symantec Security Summary — W32.AG and removal details. 1991. jsp?docid=2007-082706-1742-99 [32] "Yahoo Tech: Viruses! In! Space!" http:/ / tech. IBM [9] Gunn. ISBN 1-897661-00-2. ISSN 0163-6006. "Experts: Malicious program targets Macs" (http:/ / www. symantec. pp. [11] Thomas Chen. 5 February 1997. Fred. 2006-07-24. Retrieved 2010-08-27. 11. p. symantec. google. youtube. The Daily Telegraph (London). Apple. Antivirus. "Macro Virus Identification Problems" (http:/ / www. . symantec. Computer viruses: from theory to applications. [23] Perriot. com/ resources/ glossary/ polymorphic_virus. html). Solomon's Virus Encyclopedia. ISBN 978-0-8204-8837-0. [4] Éric Filiol. netlux.edu.Gammima. . . Fredrick. [29] "McAfee discovers first Linux virus" (http:/ / math-www. virusbtn. xml). com/ 2009/ TECH/ 04/ 22/ first.AG. yahoo. . org/ web/ 20110614105852/ http:/ / vx. "Bliss. via Axel Boldt. [18] "What is a Computer Virus?" (http:/ / www. co. [27] "Get a Mac" (http:/ / www. com/ books?id=CZGLFf6IhCIC& pg=PA19). Fred (1984). Kaspersky Lab. YouTube. 1987. 50 [13] See page 86 of Computer Security Basics (http:/ / books. [8] Cohen. 1991. . Retrieved 24 April 2009.Theory and Experiments (http:/ / all. . [30] Boldt. John (1966). Retrieved September 9. (June 1984). CNN. cnn. org/ lib/ aas10. org/ lib/ aas10. Selbstreproduktion bei Programmen (http:/ / vx. Jean-Marc Robert (2004). "Use of virus functions to provide a virtual APL interpreter under user control" (http:/ / portal. 2007. html) (Press release). Virusbtn. 
Zeitschrift für Maschinenbau und Elektrotechnik. about. virusbtn. pdf). ap/ ). com/ resources/ glossary/ metamorphic_virus. bindshell. cosy. A Media Archaeology of Computer Viruses". Virusbtn. jsp?docid=2007-082706-1742-99& tabid=3 . Birkhäuser.com. uni-paderborn. [5] Risak. Retrieved June 10.com. CNBC. [24] "Virus Bulletin : Glossary — Metamorphic virus" (http:/ / www. O'Reilly. Retrieved 2012-07-15. USA) 14 (4): 163–168. de/ ~axel/ bliss/ ).M1) by Deborah Russell and G. pdf). . research. [31] "Symantec Security Summary — W32. html). html). org/ ft_gateway. John D. apple. Essays on Cellular Automata (University of Illinois Press): 66–87. . . .utexas. J. botnet/ index. . "XSS bug in hotmail login page" (http:/ / seclists. viruslist. cfm?id=801093& type=pdf& coll=GUIDE& dl=GUIDE& CFID=93800866& CFTOKEN=49244432). com/ ~bontchev/ papers/ macidpro. . com/ watch?v=m58MqJdWgDc). [17] "Amjad Farooq Alvi Inventor of first PC Virus post by Zagham" (http:/ / www.Polymorphic virus" (http:/ / www. Axel (19 January 2000). html). pp.Gammima. com/ avcenter/ reference/ simile. cnn. actlab. com/ od/ securitytips/ a/ bootsectorvirus. Peter Ferrie and Peter Szor (May 2002). Ralph. telegraph. [16] "Boot sector virus repair" (http:/ / antivirus. ASE/ docs/ VonNeumann. at/ ~risak/ bilder/ selbstrep. htm). 2010. ac. . 1995. Gangemi. com/ 2007/ TECH/ 09/ 03/ computer. com/ id/ 20534084/ ). net/ papers/ xssv/ ). FRISK Software International. html). people.


Adware

Adware, or advertising-supported software, is any software package which automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. The functions may be designed to analyze which Internet sites the user visits and to present advertising pertinent to the types of goods or services featured there. The term is sometimes used to refer to software that displays unwanted advertisements.[1]

Advertising-supported software

In legitimate software, the advertising functions are integrated into or bundled with the program. Adware is usually seen by the developer as a way to recover development costs, and in some cases it may allow the software to be provided to the user free of charge or at a reduced price. The income derived from presenting advertisements to the user may allow or motivate the developer to continue to develop, maintain and upgrade the software product.[2] The use of advertising-supported software in business is becoming increasingly popular, with a third of IT and business executives in a 2007 survey by McKinsey & Company planning to be using ad-funded software within the following two years.[3]

In application software

Some software is offered in both an advertising-supported mode and a paid, advertisement-free mode. The latter is usually available by an online purchase of a license or registration code for the software that unlocks the mode, or the purchase and download of a separate version of the software.[4] Some software authors offer advertising-supported versions of their software as an alternative option to business organizations seeking to avoid paying large sums for software licenses, funding the development of the software with higher fees for advertisers.[5]

Examples of advertising-supported software include the Internet telephony application Skype,[6] and the Amazon Kindle 3 family of e-book readers, which has versions called "Kindle with Special Offers" that display advertisements on the home page and in sleep mode in exchange for substantially lower pricing.[7]

In 2012, Microsoft and their advertising division, Microsoft Advertising,[8] announced that Windows 8, the forthcoming major release of the Microsoft Windows operating system, would provide built-in methods for software authors to use advertising support as a business model.[9][10] The idea had been considered since as early as 2005.[11]

In software as a service

Support by advertising is a popular business model of software as a service (SaaS) on the Web. Notable examples include the email service Gmail[2][12] and other Google Apps products,[3] and the social network Facebook.[13][14] Microsoft has also adopted the advertising-supported model for many of its social software SaaS offerings.[15] The Microsoft Office Live service was also available in an advertising-supported mode.[3]

As malware

The term adware is frequently used to describe a form of malware (malicious software),[16][17] usually that which presents unwanted advertisements to the user of a computer.[18] The advertisements produced by adware are sometimes in the form of a pop-up.[19]

When the term is used in this way, the severity of its implication varies. While some sources rate adware only as an "irritant",[20] others classify it as an "online threat"[21] or even rate it as seriously as computer viruses and trojans.[22] The precise definition of the term in this context also varies.[23] Adware that observes the computer user's activities

microsoft. Mary Jo (9 October 2009). bloomberg. zdnet. google. com/ Kindle-Special-Offers-Wireless-Reader/ dp/ B004HFS6Z0). Google Apps For Dummies (http:/ / books. [8] Formed in 2008 following Microsoft's acquisition of digital marketing company aQuantive. Retrieved 2012-11-20. "Microsoft adds an 'Office Starter' edition to its distribution plans" (http:/ / www. zdnet. Liam (11 March 2011). As of 2012. ZDNet. Retrieved 2012-12-04. iT News for Australian Business. "Ad-supported software reaches specialized audience" (http:/ / www. princeton. zdnet. almost all commercial antivirus software currently detect adware and spyware.86B for 2010" (http:/ / mashable. [9] "Windows 8 Ads in Apps" (http:/ / advertising. php). September 2008. itnews. "Microsoft begins phasing out Starter edition of its Office suite" (http:/ / www. Mary (5 May 2007). "Skype now free ad-supported software" (http:/ / www. ZDNet. "Microsoft Works to become a free. [14] Womack. Microsoft Advertising. aspx). . Ari (23 April 2012). Retrieved 2012-11-20. Retrieved 2012-12-04. com/ blog/ microsoft/ microsoft-adds-an-office-starter-edition-to-its-distribution-plans/ 4197).. "Facebook's Ad Revenue Hit $1. p. 2011 by Jolie O'Dell 203 (2011-01-17). [6] Tung. Haynes. com/ businesses-warm-to-no-cost-ad-supported/ 199204001). In addition. 364. Microsoft Encyclopedia of Security. staysafeonline. sfgate. aspx).org. Mashable. Retrieved 4 August 2011. StaySafeOnline. Spyware Doctor and Spybot . Retrieved 2012-12-04. html) on 14 November 2005. [16] National Cyber Security Alliance." [19] National Cyber Security Alliance. Microsoft Advertising. [11] Fried.com. com/ 2100-3513_22-5951569. 5 July 2012. amazon. Microsoft. [5] Levy.com. . Brian (2011-09-20).com. Retrieved 2012-11-20. . including Ad-Aware.Foley. "Microsoft Advertising Unveils New Windows 8 Ads in Apps Concepts with Agency Partners at Advertising Week 2012" (http:/ / community. "Microsoft eyes making desktop apps free" (http:/ / web. 
"Malware & Botnets" (http:/ / www." [2] Braue. Retrieved 2012-12-04. . ISBN 1-118-05240-4. com/ news/ 2011-09-20/ facebook-revenue-will-reach-4-27-billion-emarketer-says-1-. com/ msa/ en/ global/ b/ blog/ archive/ 2012/ 10/ 01/ windows-8-ads-in-apps-concepts-agency-partners-advertising-week-2012. ISBN 0-7356-1877-1. [13] January 17. [4] For example.Foley. "Any software that installs itself on your system without your knowledge and displays advertisements when the user browses the Internet. SF Gate. "Microsoft Advertising Historical Timeline" (http:/ / www. spyware and adware. au/ News/ 250426." [18] "Malware from A to Z" (http:/ / www. html). quarantine. Retrieved 2012-12-04. microsoft. mspx). . com/ presspass/ newsroom/ msn/ factsheet/ MSAdTimeline. "malware also includes worms. and remove advertisement-displaying malware. ad-funded product" (http:/ / www. . Ryan. Wi-Fi. zdnet. [7] "Kindle. Inc. . "[Adware] delivers advertising content potentially in a manner or context that may be unexpected and unwanted by users. . html). Princeton University Office of Information Technology. microsoft. com/ blog/ microsoft/ microsoft-works-to-become-a-free-ad-funded-product/ 604). . "Facebook Revenue Will Reach $4. "Feature: Ad-supported software" (http:/ / www. . in 2007 Microsoft changed its productivity suite Microsoft Works to be advertising-supported. the advertising company" (http:/ / www. Retrieved 2012-11-20. "The terms 'spyware' and 'adware' apply to several different [malware] technologies. "Businesses Warm To No-Cost. .Foley. com/ 2011/ 01/ 17/ facebooks-ad-revenue-hit-1-86b-for-2010/ ). . p. advertising.[24] Programs have been developed to detect. Koch. Mary Jo. com/ ?id=5TUv9jCaJdwC& pg=SA3-PA27& dq=Gmail+ free+ advertising+ supported#v=onepage& q=Gmail free advertising supported& f=false). ZDNet. Graphite. Redmond. "Adware: type of malware that allows popup ads on a computer system. 
Works was subsequently replaced with the Microsoft Office 2010 software suite operating in a "starter" mode that included advertisements. com/ business/ article/ Ad-supported-software-reaches-specialized-audience-3501806. "Data Privacy Day Glossary" (http:/ / www. Retrieved 2012-12-04. [12] Teeter. informationweek. org/ web/ 20051124140201/ http:/ / news. eds. [15] Foley. Ad-Supported Software" (http:/ / www. com.org. this product is also being phased out and replaced with Office Web Apps. CNET. com/ mylavasoft/ securitycenter/ spyware-glossary#Adware). . or offer a separate spyware detection package." [17] "Viruses and other forms of malicious software" (http:/ / www. zdnet. com/ blog/ microsoft/ microsoft-begins-phasing-out-starter-edition-of-its-office-suite/ 13001). staysafeonline. David (4 September 2008). Retrieved 2012-12-04.27 Billion. . archive. . com/ blog/ microsoft/ meet-microsoft-the-advertising-company/ 419).skype-now-free-ad-supported-software. edu/ itsecurity/ basics/ malicious-software/ ). StaySafeOnline.Adware without their consent and reports it to the software's author is called spyware. 16. [10] Kim. "Meet Microsoft. . zdnet. Sandra. Retrieved 2011-12-21. Malwarebytes' Anti-Malware. . Retrieved 2011-12-21. Mary Jo (21 June 2012). Jeff. org/ stay-safe-online/ keep-a-clean-machine/ malware-and-botnets). com/ 2100-3513_22-5951569. . Mary Jo (3 May 2007). lavasoft. Retrieved 2012-11-20. Amazon. . Information Week. com/ ads-in-apps). Retrieved 2012-12-04. EMarketer Says" (http:/ / www.. Mitch (2003). Amazon. Washington: Microsoft Press. org/ data-privacy-day/ glossary/ ). Archived from the original (http:/ / news.Search & Destroy. zdnet. com/ feature-ad-supported-software-1339291796/ ).[25] 12 Notes [1] Tulloch. Ina. Karl Barksdale (2011-02-09). 6" Display with New E Ink Pearl Technology — includes Special Offers & Sponsored Screensavers" (http:/ / www. ZDNet. Bloomberg. ultimately taking over a . Stephen (1 October 2012). Retrieved 2012-12-04. 
Lavasoft. [3] Hayes Weier. . Retrieved 2012-12-04. Retrieved 2012-12-04.

"Spyware. and did not find a clear consensus. co. Retrieved 2012-12-04. Some antivirus software can also predict what a file will do by running it in a sandbox and analyzing what it does to see if it performs any malicious actions. Society. gov/ os/ comments/ spyware/ 040318assocofsharewareproff. . uk/ books?id=Fo2a7YtU1GUC& lpg=PA10& dq=adware& pg=PA10#v=onepage& q=spyware& f=false). Adware and Malware — Advice for networks and network users" (http:/ / www. ISBN 978-1-85109-731-9. p. hijackers. linked to spyware and privacy violations by everyone except the publishers of the products. dialers. Association of Software Professionals. Jerry (20 April 2004). in files. spyware. and [is] bad now. ASPects." [21] "McAfee. Computer security.. such as: computer viruses. To counter such so-called zero-day threats. generic signatures. to try and define adware and its relation to spyware. RM Education. malicious LSPs. Adware and Other Software" (http:/ / books. com/ Support/ TechnicalArticle. adware. This page discusses the software used for the prevention and removal of malware threats. backdoors.. google. pdf) (PDF). "Adware has become a bad word. "online threats. such as spyware. Jerry. ABC-CLIO... mspx). Signature-based detection involves searching for known patterns of data within executable code. com/ us/ about/ news/ 2008/ 20080916_120000_y. Retrieved 2012-12-04. [t]he lines for adware are even being blended into virus and trojan territory. rather than computer security implemented by software methods. heuristics can be used. Inexperienced users may also have problems understanding the prompts and decisions that antivirus software presents them with." [20] "Spyware. or slight variations of such code. rm. . 10. viruses and other malware. Retrieved 2012-12-04.com. it can sometimes have drawbacks. rootkits. as well as representatives of trade associations. success depends on achieving the right balance between false positives and false negatives. 
consumer and privacy advocacy groups. [24] Schwabach. Names Most Dangerous Celebrities in Cyberspace" (http:/ / www. pp. fraudtools. If the antivirus software employs heuristic detection.Adware user's Internet browsing. trojan horses and worms. it is possible for a computer to be infected with new malware for which no signature is yet known. [25] Honeycutt. Internet and the Law: Technology. antivirus software generally runs at the highly trusted kernel level of the operating system. Malware. No matter how useful antivirus software can be. electronic advertising. government agencies. However. google. including protection from social engineering techniques.. aspx).. keyloggers. [it was] a good thing ten or fifteen years ago. Federal Trade Commission. Adware. microsoft. 2. Thief: Creating Business Income from Denial of Service and Fraud" (http:/ / www. detect and remove malware (of all descriptions). Microsoft. Newsletter of the Association of Shareware Professionals. adware. Microsoft corporation. . phishing. Inc. com/ windowsxp/ using/ security/ expert/ honeycutt_spyware. is commonly offered in products and services of antivirus software companies. and anti-spyware product industries. An incorrect decision may lead to a security breach. . McAfee. March 2005." [23] A workshop held by the Federal Trade Commission in 2005 asked representatives of the computer. mcafee. and Compromises (http:/ / books. . . asp?cref=TEC276510). ftc. uk/ books?id=ookz_2ONmwgC& printsec=frontcover#v=onepage& q& f=false).[1] Finally. "[Adware] tend[s] to be more of an irritant than do actual damage to your system. spam. "Spyware Workshop: Monitoring Software On Your Personal Computer: Spyware. malicious BHOs. creating a potential avenue of attack. co. but [is] an unwanted presence nonetheless. Retrieved 2012-12-04. False positives can be as destructive as false negatives." [22] Stern. 13 References Antivirus software Antivirus or anti-virus software is software used to prevent. 
Antivirus software can impair a computer's performance.[2] . Aaron (2005). "How to protect your computer from Spyware and Adware" (http:/ / www. One type of heuristic approach. Retrieved 2012-12-04. A variety of strategies are typically employed. can identify new viruses or variants of existing viruses by looking for known malicious code.

History

Most of the computer viruses written in the early and mid 1980s were limited to self-reproduction and had no specific damage routine built into the code.[3] That changed when more and more programmers became acquainted with virus programming and created viruses that manipulated or even destroyed data on infected computers.

There are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987.[4][5] There were also two antivirus applications for the Atari ST platform developed in 1987. The first one was G Data [6] and second was UVK 2000.[7]

[Figure: An example of free antivirus software: ClamTk 3.08]

Fred Cohen, who published one of the first academic papers on computer viruses in 1984,[8] began to develop strategies for antivirus software in 1988[9] that were picked up and continued by later antivirus software developers. In 1987, he published a demonstration that there is no algorithm that can perfectly detect all possible viruses.[10]

In 1987 the first two heuristic antivirus utilities were released: Flushot Plus by Ross Greenberg and Anti4us by Erwin Lanting.

Also in 1988 a mailing list named VIRUS-L[11] was started on the BITNET/EARN network where new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing list like John McAfee or Eugene Kaspersky later founded software companies that developed and sold commercial antivirus software.

Before internet connectivity was widespread, viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy disks and hard disks. However, as internet usage became common, viruses began to spread online.[12]

Over the years it has become necessary for antivirus software to check an increasing variety of files, rather than just executables, for several reasons:

• Powerful macros used in word processor applications, such as Microsoft Word, presented a risk. Virus writers could use the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by opening documents with hidden attached macros.[13]
• The possibility of embedding executable objects inside otherwise non-executable file formats can make opening those files a risk.[14]
• Later email programs, in particular Microsoft's Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. A user's computer could be infected by just opening or previewing a message.[15]

As always-on broadband connections became the norm, and more and more viruses were released, it became essential to update virus checkers more and more frequently. Even then, a new zero-day virus could become widespread before antivirus companies released an update to protect against it.

Identification methods

One of the few solid theoretical results in the study of computer viruses is Frederick B. Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses.[10]

There are several methods which antivirus software can use to identify malware.

Signature based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.[16]

Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses.

File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.[17]

Signature-based detection

Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses.

As new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary.[16]

Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.[18]

Heuristics

Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware.

Many viruses start as a single infection and through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.[19]

For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B.[20][21]

While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code.[22] A detection that uses this method is said to be "heuristic detection."
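The difference between an exact signature and a generic signature with wildcards can be shown with a small scanner. This is an added example, not code from the guide or from any antivirus product: the signature syntax (`??` for one arbitrary byte, `{n-m}` for a bounded run of arbitrary bytes), the family name "Demo" and every byte string below are constructed for illustration.

```python
import re

_HEX = re.compile(r"[0-9A-Fa-f]{2}")
_GAP = re.compile(r"\{(\d+)-(\d+)\}")


def compile_signature(sig):
    """Turn a hex signature with wildcards into a compiled bytes regex.

    Tokens (hypothetical syntax for this example):
      B8      literal byte
      ??      exactly one arbitrary byte
      {n-m}   between n and m arbitrary bytes (non-contiguous code)
    """
    parts = []
    for tok in sig.split():
        gap = _GAP.fullmatch(tok)
        if _HEX.fullmatch(tok):
            parts.append(re.escape(bytes.fromhex(tok)))
        elif tok == "??":
            parts.append(b".")
        elif gap and int(gap.group(1)) <= int(gap.group(2)):
            parts.append(b".{%d,%d}" % (int(gap.group(1)), int(gap.group(2))))
        else:
            raise ValueError("bad signature token: %r" % tok)
    # DOTALL so that a wildcard also matches the byte 0x0A
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, signatures):
    """Search the whole buffer for every signature.

    Returns a sorted list of (signature name, offset of first match).
    """
    hits = []
    for name, pattern in signatures.items():
        match = pattern.search(data)
        if match:
            hits.append((name, match.start()))
    return sorted(hits)


# Signature dictionary: one exact definition and one generic definition
# covering the whole (constructed) family.
SIGNATURES = {
    "Demo.A": compile_signature("DE C0 01 11 FA CE 7E 57"),
    "Demo.gen": compile_signature("DE C0 01 ?? FA CE {0-8} 7E 57"),
}

# Constructed sample buffers. The marker bytes are arbitrary and harmless.
PREFIX = b"MZ" + bytes(14)                      # 16 bytes of host file
HEAD, MID, TAIL = b"\xDE\xC0\x01", b"\xFA\xCE", b"\x7E\x57"

VARIANT_A = PREFIX + HEAD + b"\x11" + MID + TAIL + bytes(4)
# Variant B differs in one byte and carries three bytes of padding.
VARIANT_B = PREFIX + HEAD + b"\x5A" + MID + b"\x90\x90\x90" + TAIL + bytes(4)
CLEAN = PREFIX + b"ordinary program bytes"
# Benign file where the same fragments occur, but 40 bytes apart: the
# bounded gap keeps the generic signature from flagging it.
BENIGN_FAR = PREFIX + HEAD + b"\x22" + MID + bytes(40) + TAIL


if __name__ == "__main__":
    for label, buf in [("variant A", VARIANT_A), ("variant B", VARIANT_B),
                       ("clean", CLEAN), ("benign, far apart", BENIGN_FAR)]:
        print(label, scan(buf, SIGNATURES))
```

The gap bound is the tuning knob: a wider gap tolerates more padding but also matches more unrelated data, which is how generic signatures drift toward false positives.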

Rootkit detection

Anti-virus software can attempt to scan for rootkits; a rootkit is a type of malware that is designed to gain administrative-level control over a computer system without being detected. Rootkits can change how the operating system functions and in some cases can tamper with the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the operating system.[23]

Real-time protection

Real-time protection, on-access scanning, background guard, resident shield, autoprotect, and other synonyms refer to the automatic protection provided by most antivirus, anti-spyware, and other anti-malware programs. This monitors computer systems for suspicious activity such as computer viruses, spyware, adware, and other malicious objects in 'real-time', in other words while data loaded into the computer's active memory: when inserting a CD, opening an email, or browsing the web, or when a file already on the computer is opened or executed.[24]

Issues of concern

Unexpected renewal costs

Some commercial antivirus software end-user license agreements include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the expiration of the present subscription[25] while BitDefender sends notifications to unsubscribe 30 days before the renewal.[26] Norton AntiVirus also renews subscriptions automatically by default.[27]

Rogue security applications

Some apparent antivirus programs are actually malware masquerading as legitimate software, such as WinFixer, MS Antivirus, and Mac Defender.[28]

Problems caused by false positives

A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this happens, it can cause serious problems. For example, if an antivirus program is configured to immediately delete or quarantine infected files, a false positive in an essential file can render the operating system or some applications unusable.[29] In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot.[30] Also in May 2007, the executable file required by Pegasus Mail was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running. Norton AntiVirus had falsely identified three releases of Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened.[31] In response to this Pegasus Mail stated:

“On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the strongest terms that our users cease using it in favour of alternative, less buggy anti-virus packages.”[31]

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.[32][33]

In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of Windows 7, rendering it unable to boot, due to an endless boot loop created.[34]

In October 2011, Microsoft Security Essentials (MSE) removed the Google Chrome web browser, rival to Microsoft's own Internet Explorer. MSE flagged Chrome as a Zbot banking trojan.[35]

When Microsoft Windows becomes damaged by faulty anti-virus products, fixing the damage to Microsoft Windows incurs technical support costs and businesses can be forced to close whilst remedial action is undertaken.[36][37]

System and interoperability related issues

Running multiple antivirus programs concurrently can degrade performance and create conflicts.[38] However, using a concept called multiscanning, several companies (including G Data[39] and Microsoft[40]) have created applications which can run multiple engines concurrently.

It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers.[41] Active antivirus protection may partially or completely prevent the installation of a major update. Anti-virus software can cause problems during the installation of an operating system upgrade, e.g. when upgrading to a newer version of Windows "in place" — without erasing the previous version of Windows. Microsoft recommends that anti-virus software be disabled to avoid conflicts with the upgrade installation process.[42][43][44]

The functionality of a few computer programs can be hampered by active anti-virus software. For example TrueCrypt, a disk encryption program, states on its troubleshooting page that anti-virus programs can conflict with TrueCrypt and cause it to malfunction or operate very slowly.[45]

Support issues also exist around antivirus application interoperability with common solutions like SSL VPN remote access and network access control products.[46] These technology solutions often have policy assessment applications which require that an up to date antivirus is installed and running. If the antivirus application is not recognized by the policy assessment, whether because the antivirus application has been updated or because it is not part of the policy assessment library, the user will be unable to connect.

Effectiveness

Studies in December 2007 showed that the effectiveness of antivirus software had decreased in the previous year, particularly against unknown or zero day attacks. The computer magazine c't found that detection rates for these threats had dropped from 40-50% in 2006 to 20-30% in 2007. At that time, the only exception was the NOD32 antivirus, which managed a detection rate of 68 percent.[47]

The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or pop-ups. Modern viruses are often written by professionals, financed by criminal organizations.[48]

Independent testing on all the major virus scanners consistently shows that none provide 100% virus detection. The best ones provided as high as 99.6% detection, while the lowest provided only 81.8% in tests conducted in February 2010. All virus scanners produce false positive results as well, identifying benign files as malware.[49]

Although methodologies may differ, some notable independent quality testing agencies include AV-Comparatives, ICSA Labs, West Coast Labs, VB100 and other members of the Anti-Malware Testing Standards Organization.[50]

New viruses

Anti-virus programs are not always effective against new viruses, even those that use non-signature-based methods that should detect new viruses. The reason for this is that the virus designers test their new viruses on the major anti-virus applications to make sure that they are not detected before releasing them into the wild.[51]

Some new viruses, particularly ransomware, use polymorphic code to avoid detection by virus scanners. Jerome Segura, a security analyst with ParetoLogic, explained:[52]

“It's something that they miss a lot of the time because this type of [ransomware virus] comes from sites that use a polymorphism, which means they basically randomize the file they send you and it gets by well-known antivirus products very easily. I've seen people firsthand getting infected, having all the pop-ups and yet they have antivirus software running and it's not detecting anything. It actually can be pretty hard to get rid of, as well, and you're never really sure if it's really gone. When we see something like that usually we advise to reinstall the operating system or reinstall backups.”[52]

A proof of concept virus has used the Graphics Processing Unit (GPU) to avoid detection from anti-virus software. The potential success of this involves bypassing the CPU in order to make it much harder for security researchers to analyse the inner workings of such malware.[53]

Rootkits

Detecting rootkits is a major challenge for anti-virus programs. Rootkits have full administrative access to the computer and are invisible to users and hidden from the list of running processes in the task manager. Rootkits can modify the inner workings of the operating system[54] and tamper with antivirus programs.

Damaged files

Files which have been damaged by computer viruses are normally damaged beyond recovery. Anti-virus software removes the virus code from the file during disinfection, but this does not always restore the file to its undamaged state. In such circumstances, damaged files can only be restored from existing backups; installed software that is damaged requires re-installation.[55]

Firmware issues

Active anti-virus software can interfere with a firmware update process.[56] Any writeable firmware in the computer can be infected by malicious code.[57] This is a major concern, as an infected BIOS could require the actual BIOS chip to be replaced to ensure the malicious code is completely removed.[58] Anti-virus software is not effective at protecting firmware and the motherboard BIOS from infection.[59]

Other methods

Installed antivirus software running on an individual computer is only one method of guarding against viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-line scanners.

[Figure: A command-line virus scanner, Clam AV 0.95.2, running a virus signature definition update, scanning a file and identifying a Trojan.]

Cloud antivirus

Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider's infrastructure.[60]

One approach to implementing cloud antivirus involves scanning suspicious files using multiple antivirus engines. This approach was proposed by an early implementation of the cloud antivirus concept called CloudAV. CloudAV was designed to send programs or documents to a network cloud where multiple antivirus and behavioral detection programs are used simultaneously in order to improve detection rates. Parallel scanning of files using potentially incompatible antivirus scanners is achieved by spawning a virtual machine per detection engine and therefore eliminating any possible issues. CloudAV can also perform "retrospective detection," whereby the cloud detection engine rescans all files in its file access history when a new threat is identified thus improving new threat detection speed. Finally, CloudAV is a solution for effective virus scanning on devices that lack the computing power to perform the scans themselves.[61]

Some examples of cloud anti-virus products are Panda Cloud Antivirus and Immunet.

Network firewall

Network firewalls prevent unknown programs and processes from accessing the system. However, they are not antivirus systems and make no attempt to identify or remove anything. They may protect against infection from outside the protected computer or network, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come from network connections into the system and is not an alternative to a virus protection system.

Online scanning

Some antivirus vendors maintain websites with free online scanning capability of the entire computer, critical areas only, local disks, folders or files. Periodic online scanning is a good idea for those that run antivirus applications on their computers because those applications are frequently slow to catch threats. One of the first things that malicious software does in an attack is disable any existing antivirus software and sometimes the only way to know of an attack is by turning to an online resource that is not installed on the infected computer.[62]

Specialist tools

[Figure: Using rkhunter to scan for rootkits on an Ubuntu Linux computer.]

Virus removal tools are available to help remove stubborn infections or certain types of infection. Examples include Trend Micro's Rootkit Buster,[63] and rkhunter for the detection of rootkits, Avira's AntiVir Removal Tool,[64] PCTools Threat Removal Tool,[65] and AVG's Anti-Virus Free 2011.[66]

A rescue disk that is bootable, such as a CD or USB storage device, can be used to run antivirus software outside of the installed operating system, in order to remove infections while they are dormant. A bootable antivirus disk can be useful when, for example, the installed operating system is no longer bootable or has malware that is resisting all attempts to be removed by the installed antivirus software. Examples of some of these bootable disks include the Avira AntiVir Rescue System,[64] PCTools Alternate Operating System Scanner,[67] and AVG Rescue CD.[68] The AVG Rescue CD software can also be installed onto a USB storage device, that is bootable on newer computers.[68]

Usage and risks

According to an FBI survey, major businesses lose $12 million annually dealing with virus incidents.[69] A survey by Symantec in 2009 found that a third of small to medium sized business did not use antivirus protection at that time, whereas more than 80% of home users had some kind of antivirus installed.[70] According to a sociological survey conducted by G Data Software in 2010 49% of women did not use any antivirus program at all.[71]

References

[1] "Softpedia Exclusive Interview: Avira 10" (http://news.softpedia.com/news/Avira-s-New-Anti-Malware-Fleet-139829.shtml). Ionut Ilascu. Softpedia. 14 April 2010. Retrieved 2011-09-11.
[2] "Norton AntiVirus ignores malicious WMI instructions" (http://www.zdnet.com.au/news/security/soa/Norton-AntiVirus-ignores-malicious-WMI-instructions/0,130061744,139163678,00.htm). Munir Kotadia. CBS Interactive. 21 October 2004. Retrieved 2009-04-05.
[3] History of viruses (http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_1_1.html)

[31] David Harris (June 29. "(II) Evolution of computer viruses" (http:/ / www. jsp?docid=2004-112111-3912-99). Archived (http:/ / web. symantec. . f-secure. 252–288 [19] "Generic detection" (http:/ / www. An Undetectable Computer Virus (http:/ / www. 21 April 2010. sans. "Flawed Symantec update cripples Chinese PCs" (http:/ / news. Archived (http:/ / web. . com/ antivirus/ timeline. Archived (http:/ / web.52 Release" (http:/ / www. "The ultimate Virus Killer UVK 2000" (http:/ / www. gdatasoftware. symantec. "Automatic Renewal" (http:/ / www. Joe (1996-08-30). 2007). net/ uvk/ ). asp) from the original on 27 February 2009. com/ site/ KnowledgeBase/ consumer/ #542). theregister. [6] G Data Software AG (2011). com/ 2010/ 04/ 21/ mcafee-update--shutting-down-xp-machines/ ) from the original on 22 April 2010. [21] Symantec Corporation (February 2007). com/ antivirus/ timeline. . com/ en/ viruses/ encyclopedia?chapter=153311150) [5] Wells. ibm. . . Archived (http:/ / web. archive. htm). [8] Fred Cohen 1984 "Computer Viruses – Theory and Experiments" (http:/ / www. ibm. Retrieved 2009-06-18. com/ outlook/ antivirus. com/ article2/ 0. com/ article2/ 0. viruslist. blogs. . "Buying Dangerously" (http:/ / michaelkelly. pmail. . com/ faq?chapter=170710015& qid=173727547) Archived (http:/ / www. . Retrieved 2010-05-21. [15] Slipstick Systems (February 2009). com/ v45x. html). theinquirer. Archived (http:/ / web. Retrieved 2009-04-05. retrieved Monday. archive. org/ 5wTrMA7aY) 13 February 2011 at WebCite [25] Kelly. asp). htm) from the original on 28 May 2010. The Register. research. [23] Rootkit (http:/ / www. com/ dr/ sat1/ ec_main. edu/ ~aprakash/ eecs588/ handouts/ cohen-viruses. Retrieved 2009-11-29.Pegasus Mail v4. 3 October 2011 20 . Mary (2009). Retrieved 22 August 2011. pp. jsp?docid=2005-042810-2611-99). [13] Szor 2005. com/ homeusers/ media/ press-releases/ viewnews?noticia=4974& entorno=& ver=& pagina=& producto=). 
com/ microsoft/ news/ 2008/ 11/ avg-incorrectly-flags-user32-dll-in-windows-xp-sp2sp3. archive. html). "Horror AVG update ballsup bricks Windows 7" (http:/ / www. [32] "McAfee DAT 5958 Update Issues" (http:/ / isc.B" (http:/ / www. uk/ security-labs/ news/ news-details/ article/ 1532-g-data-presents-security-first. [34] John Leyden (December 2.Vundo" (http:/ / www. Retrieved 2010-12-02. com/ antivirus/ SciPapers/ VB2000DC. extremetech. [26] Bitdefender (2009). "G Data presents security firsts at CeBIT 2010" (http:/ / www. org/ web/ 20090409002645/ http:/ / www. . Archived (http:/ / web. . . org/ citation. com/ en/ viruses/ glossary?glossid=189210517). 474–481 [18] Szor 2005. Retrieved 2009-11-29. "Ongoping Protection" (http:/ / www. Retrieved 2009-06-18. "January 2010 .1154648. archive. "Protecting Microsoft Outlook against Viruses" (http:/ / www. com/ Flawed-Symantec-update-cripples-Chinese-PCs/ 2100-1002_3-6186271. research. symantec. Kaspersky. com/ od/ whatisavirus/ a/ virussignature. uk/ 2010/ 12/ 02/ avg_auto_immune_update/ ). Retrieved 2009-04-14. . kaspersky. com/ security_response/ writeup. Retrieved 2009-06-20. umich. ibm. "Rogue/Suspect Anti-Spyware Products & Web Sites" (http:/ / www. com/ security_response/ writeup. Pegasus Mail. archive. . pp.00. acm.Antivirus software [4] Kaspersky Lab Virus list (http:/ / www. htm). symantec. com/ rogue_anti-spyware. co. org/ web/ 20100422205355/ http:/ / www. [35] MSE false positive detection forces Google to update Chrome (http:/ / www. org/ diary. htm). eecs.dll in Windows XP SP2/SP3" (http:/ / arstechnica. entry25?page=OnGoingProtection& client=Symantec& sid=49997& CUR=840& DSP=& PGRP=0& ABCODE=& CACHE_ID=189236). archive. net/ inquirer/ news/ 2113892/ mse-false-positive-detection-forces-google-update-chrome). IBM.00. 2009). . webcitation. cnet. . 42nd. research. Retrieved 2011-10-29.1154648. htm). archive. com/ security_response/ writeup. htm). CNET Networks. 
html?storyid=8656) from the original on 24 April 2010. symantecstore. html) [24] Kaspersky Lab Technical Support Portal (http:/ / www. Retrieved 22 April 2010. ExtremeTech. Archived (http:/ / web. [30] Aaron Tan (May 24. [33] "Botched McAfee update shutting down corporate XP machines worldwide" (http:/ / www. "Virus timeline" (http:/ / www. org/ web/ 20090427160747/ http:/ / www. engadget. engadget. 66–67 [14] "New virus travels in PDF files" (http:/ / news. 21 April 2010. Retrieved 2009-04-14. pp. archive. . org/ web/ 20090602233638/ http:/ / www. pmail. htm) from the original on 2 June 2009. html?storyid=8656). [22] "Antivirus Research and Detection Techniques" (http:/ / www. org-virus_l/ ) [12] Panda Security (April 2004). com/ v45x. [17] Szor 2005. cfm?id=51535) [10] Cohen. 2008). slipstick. html) [9] Fred Cohen 1988 "On the implications of Computer Viruses and Methods of Defense" (http:/ / portal. extremetech. Retrieved 2009-02-24. slipstick. Retrieved 2009-02-24. Fred. [29] Emil Protalinski (November 11. org/ web/ 20090227002351/ http:/ / www. html). . Retrieved 2011-02-24. cnet. [28] SpywareWarrior (2007). pandasecurity. "Trojan. about.2845. 1987. org/ web/ 20080604011721/ http:/ / www. org/ diary.Vundo. phreak. [20] Symantec Corporation (February 2009). jsp?docid=2005-042810-2611-99) from the original on 27 April 2009. spywarewarrior. sans. . . com/ buyingdangerously/ 2006/ 10/ bad_mcafee_on_a. Ars Technica. . 7 August 2001. co. Retrieved 22 August 2011. . htm). Retrieved 22 April 2010. Richard (January 2010). [7] Karsmakers. Archived (http:/ / web. org/ virus/ mirror/ www. com/ 2100-1001-271267. org/ web/ 20100528053020/ http:/ / www. Retrieved 2009-11-29. jsp?docid=2004-112111-3912-99) from the original on 9 April 2009. "What is a Virus Signature?" (http:/ / antivirus. com/ outlook/ antivirus. com/ security_response/ writeup. 2010).2845. org/ web/ 20100424193336/ http:/ / isc. "Trojan. bitdefender. [27] Symantec (undated). Retrieved 2008-06-06. 
Michael (October 2006). com/ 2010/ 04/ 21/ mcafee-update--shutting-down-xp-machines/ ). . IBM [11] VIRUS-L mailing list archive (http:/ / securitydigest. com/ en_EMEA/ security/ virus-removal/ virus-information/ encyclopedia/ encyclopedia_rootkit. ars). htm) from the original on 4 June 2008. viruslist. [16] Landesman. html). Retrieved 2009-11-29. "AVG incorrectly flags user32.

zdnet. org/ images/ stories/ test/ ondret/ avc_report25. "G-Data Internet Security 2010" (http:/ / www. ASP& NoWebContent=1) from the original on 11 November 2009. htm). . cbc. com/ kb/ 950717). [61] Jon Erickson (August 6. Retrieved 2009-11-29. 2007. [50] Guidelines released for antivirus software tests (http:/ / www. Mentioned within "Before you begin". . Munir (July 2006). archive. Retrieved 2009-11-29. Retrieved 2011-02-24. [45] "Troubleshooting" (http:/ / www. [39] Robert Vamosi (May 28. pdf). au/ why-popular-antivirus-apps-do-not-work-139264249. "Hacking poses threats to business" (http:/ / www. microsoft. Friday 27 March 2009. zeltser. html). Channel Register. [52] The Canadian Press (April 2010). org/ web/ 20091111020202/ http:/ / support. . 2 December 2010 [38] Microsoft (January 2007). informationweek. . [60] Zeltser. com/ en-gb/ windows7/ help/ upgrading-from-windows-vista-to-windows-7?T1=tab03). . org/ web/ 20100418215458/ http:/ / www. truecrypt. com/ default.63204 . retrieved Thursday. av-comparatives. cnet. com/ kb/ 950717) from the original on 8 December 2009. Information Week. zdnet. org/ docs/ ?s=troubleshooting). uk/ 2010/ 09/ 28/ gpu_assisted_malware/ ) [54] GIBSON RESEARCH CORPORATION SERIES: Security Now! (http:/ / www. [42] "Upgrading from Windows Vista to Windows 7" (http:/ / windows. cnet. Retrieved 2011-03-06. Archived (http:/ / web. "Antivirus Software Heads for the Clouds" (http:/ / www. Retrieved 2011-03-06. Retrieved 2011-02-24. 2010). . com/ bthomehub_softwareupgrade. [53] Researchers up evilness ante with GPU-assisted malware . . cbc. jhtml?articleID=224700879). Retrieved 2010-10-26. com/ en/ US/ ts/ fn/ 632/ fn63204. microsoft. com/ default. cisco. 2008). aspx?scid=http:/ / support. com/ archives/ 66/ p66_0x07_Persistent BIOS infection_by_aLS and Alfredo. aspx?scid=http:/ / support. edu/ ~eroberts/ cs201/ projects/ viruses/ anti-virus. microsoft. stanford. ASP& NoWebContent=1). Archived (http:/ / web. 
"Internet scam uses adult game to extort cash" (http:/ / www. Archived (http:/ / web.Antivirus software [36] McAfee to compensate businesses for buggy update (http:/ / www. computerweekly. html). org/ images/ stories/ test/ ondret/ avc_report25. . txt). archive. com/ 8301-1009_3-20003074-83. org/ web/ 20100330233157/ http:/ / www. archive. . av-comparatives. 2007). com/ blog/ main/ archives/ 2008/ 08/ antivirus_softw. "Anti-virus protection gets worse" (http:/ / www. by Dan Goodin (http:/ / www. com/ vulnerability_management/ security/ antivirus/ showArticle. html) from the original on 13 January 2011. 2009. com/ Articles/ 2007/ 07/ 13/ 225537/ hacking-poses-threats-to-business. com/ s/ article/ 9178037/ Guidelines_released_for_antivirus_software_tests) [51] Kotadia. [44] "How to troubleshoot problems during installation when you upgrade from Windows 98 or Windows Millennium Edition to Windows XP" (http:/ / support. Computer Weekly.Coming to a PC near you. Last Review: May 7. com/ 8301-1009_3-20003074-83. . 21 . 2007). Mentioned within "General troubleshooting". com/ article/ 165600/ gdata_internet_security_2010. Retrieved 2010-02-24." (http:/ / www. archive. pcworld. freeuk. "Anti-Virus Comparative No. Lenny (October 2010). Darkreading. [46] Field Notice: FN . . [59] "Phrack Inc. Retrieved 24 March 2012. com/ blog/ 10things/ the-10-faces-of-computer-malware/ 881). html). Retrieved 14 April 2010. . org/ web/ 20101010113820/ http:/ / blog. . tomshardware. ca/ consumer/ story/ 2010/ 04/ 16/ con-adult-video-virus. [41] Microsoft (April 2009). [43] "Upgrading to Microsoft Windows Vista recommended steps. theregister. Archived (http:/ / web. org/ web/ 20091208074504/ http:/ / support. . com/ post/ 1256199682/ what-is-cloud-anti-virus). 2009). htm?omnRef=NULL). archive. co. microsoft. Persistent BIOS Infection" (http:/ / www. Retrieved 24 March 2012.news-30759. html). . com:80/ support/ kb/ articles/ Q189/ 2/ 64. "Why popular antivirus apps 'do not work'" (http:/ / www. 
com/ issues/ ch000924. darkreading. June 1. ca/ consumer/ story/ 2010/ 04/ 16/ con-adult-video-virus. [58] "New BIOS Virus Withstands HDD Wipes" (http:/ / www. txt) [55] "How Anti-Virus Software Works" (http:/ / www-cs-faculty. Retrieved 2011-02-16. pdf) from the original on 30 March 2010. channelregister. co. html). zeltser. CBC News. Retrieved 24 March 2012. [57] "The 10 faces of computer malware" (http:/ / www. Retrieved 17 April 2010. com/ kb/ 310064). co. computerhope. [48] Dan Illett (July 13. phrack. org/ web/ 20110113170013/ http:/ / news.delays Agent start-up (http:/ / www. 2009. uk/ 2007/ 12/ 21/ dwindling_antivirus_protection/ ). . techrepublic. uk/ news/ security-management/ 2010/ 04/ 27/ mcafee-to-compensate-businesses-for-buggy-update-40088779/ ).Cisco Clean Access has Interoperability issue with Symantec Anti-virus . "Plus! 98: How to Remove McAfee VirusScan" (http:/ / support. archived (http:/ / web. archive. computerworld. [56] "BT Home Hub Firmware Upgrade Procedure" (http:/ / www. htm). . "Steps to take before you install Windows XP Service Pack 3" (http:/ / support. Retrieved 2011-03-06. htm). July 17. com/ sn/ sn-009. grc. . . Archived (http:/ / web. . "New Microsoft Forefront Software Runs Five Antivirus Vendors' Engines" (http:/ / www. uk/ bios-virus-rootkit-security-backdoor. [40] Kelly Jackson Higgins (May 5. co. microsoft. html) [47] Dan Goodin (December 21. retrieved Thursday. [49] AV Comparatives (February 2010). Retrieved 2011-02-17. 25" (http:/ / www. microsoft. com/ post/ 1256199682/ what-is-cloud-anti-virus) from the original on 10 October 2010. com. . html) from the original on 18 April 2010. . "What Is Cloud Anti-Virus and How Does It Work?" (http:/ / blog. com:80/ support/ kb/ articles/ Q189/ 2/ 64. Retrieved 2009-11-15. Retrieved 2011-03-06. Retrieved 2011-02-24. microsoft. 2 December 2010 [37] Buggy McAfee update whacks Windows XP PCs (http:/ / news. stevelarkins. html). Retrieved 18 April 2010. PC World. microsoft.

00. Retrieved 20 February 2011. Washington Post. PC Magazine. com/ article2/ 0.2361868. pcmag. "Small and Medium Size Businesses are Vulnerable" (http:/ / www. [69] "FBI estimates major companies lose $12m annually from viruses" (http:/ / www. .dmoz. PC Magazine. staysafeonline. SPAMfighter. [68] Carrie-Ann Skinner (March 25. PC Magazine. [71] "Nearly 50% of women don't use antivirus" (http:/ / www. Retrieved 2011-02-24. 2009). pcmag. asp). . . [63] Ryan Naraine (February 2. com/ blog/ security/ trend-micro-ships-free-rootkit-buster/ 14). Retrieved 2011-02-24. pcmag. asp). Retrieved 2011-02-24. pcmag.2369067.Antivirus software [62] Brian Krebs (March 9. com/ News-15048-Nearly-50-Women-Dont-Use-Anti-virus-Software. pcworld. . 2009).2817.org/Computers/Security/Malicious_Software/Viruses/Products//) at the Open Directory Project . [64] Neil J. Rubenking (October 4. asp). Rubenking (March 26. asp).00. [66] Neil J. washingtonpost. 2007). [67] Neil J. com/ article2/ 0. . com/ article/ 192414/ avg_offers_free_emergency_boot_cd. 22 Bibliography • Szor. "Avira AntiVir Personal 10" (http:/ / www. 2010).2356097. Retrieved 2011-02-24. Addison-Wesley. Peter (2005). 2010). [65] Neil J. spamfighter. National Cyber Security Alliance. Retrieved 2011-02-24. ISBN 0-321-30454-3 External links • Antivirus software (http://www. com/ securityfix/ 2007/ 03/ online_antivirus_scans_a_free. "PC Tools Internet Security 2010" (http:/ / www. 2007). Rubenking (November 19. "PC Tools Spyware Doctor with AntiVirus 2011" (http:/ / www. 2010). . The Art of Computer Virus Research and Defense. asp).00. Retrieved 2011-02-24. "Trend Micro ships free 'rootkit buster'" (http:/ / www. . com/ article2/ 0. com/ articles/ article_100752. . Rubenking (September 16. "Online Anti-Virus Scans: A Free Second Opinion" (http:/ / voices. Retrieved 2011-02-24.00. . 2010). PC Magazine. zdnet. "AVG Anti-Virus Free 2011" (http:/ / www.2817. html). htm). com/ article2/ 0. chattanoogan. [70] Michael Kaiser (April 17. 
ZDNet. Retrieved 2011-02-24.2817. "AVG Offers Free Emergency Boot CD" (http:/ / www. 30 January 2007. PC World. org/ blog/ small-and-medium-size-businesses-are-vulnerable). .2370108.2817. html).

Assembly language

See the terminology section below for information regarding inconsistent use of the terms assembly and assembler.

[Figure: Motorola MC6800 Assembly Language]

An assembly language is a low-level programming language for a computer, microcontroller, or other programmable device, in which each statement corresponds to a single machine code instruction. Each assembly language is specific to a particular computer architecture, in contrast to most high-level programming languages, which are generally portable across multiple systems.

Assembly language is converted into executable machine code by a utility program referred to as an assembler; the conversion process is referred to as assembly, or assembling the code.

Assembly language uses a mnemonic to represent each low-level machine operation or opcode. Some opcodes require one or more operands as part of the instruction, and most assemblers can take labels and symbols as operands to represent addresses and constants, instead of hard coding them into the program. Macro assemblers include a macroinstruction facility so that assembly language text can be pre-assigned to a name, and that name can be used to insert the text into other code. Many assemblers offer additional mechanisms to facilitate program development, to control the assembly process, and to aid debugging.

Key concepts

Assembler

An assembler creates object code by translating assembly instruction mnemonics into opcodes, and by resolving symbolic names for memory locations and other entities.[1] The use of symbolic references is a key feature of assemblers, saving tedious calculations and manual address updates after program modifications. Most assemblers also include macro facilities for performing textual substitution—e.g., to generate common short sequences of instructions as inline, instead of called subroutines.

Assemblers have been available since the 1950s and are far simpler to write than compilers for high-level languages as each mnemonic instruction / address mode combination translates directly into a single machine language opcode. Modern assemblers, especially for RISC architectures, such as SPARC or POWER, as well as x86 and x86-64, optimize Instruction scheduling to exploit the CPU pipeline efficiently.

Number of passes

There are two types of assemblers based on how many passes through the source are needed to produce the executable program.

• One-pass assemblers go through the source code once. Any symbol used before it is defined will require "errata" at the end of the object code (or, at least, no earlier than the point where the symbol is defined) telling the linker or the loader to "go back" and overwrite a placeholder which had been left where the as yet undefined symbol was used.

• Multi-pass assemblers create a table with all symbols and their values in the first passes, then use the table in later passes to generate code.

In both cases, the assembler must be able to determine the size of each instruction on the initial passes in order to calculate the addresses of subsequent symbols. This means that if the size of an operation referring to an operand defined later depends on the type or distance of the operand, the assembler will make a pessimistic estimate when first encountering the operation, and if necessary pad it with one or more "no-operation" instructions in a later pass or the errata. In an assembler with peephole optimization addresses may be recalculated between passes to allow replacing pessimistic code with code tailored to the exact distance from the target.

The original reason for the use of one-pass assemblers was speed of assembly: often a second pass would require rewinding and rereading a tape or rereading a deck of cards. Modern computers perform multi-pass assembly without unacceptable delay. The advantage of the multi-pass assembler is that the absence of errata makes the linking process (or the program load if the assembler directly produces executable code) faster.[2]

High-level assemblers

More sophisticated high-level assemblers provide language abstractions such as:

• Advanced control structures
• High-level procedure/function declarations and invocations
• High-level abstract data types, including structures/records, unions, classes, and sets
• Sophisticated macro processing (although available on ordinary assemblers since the late 1950s for IBM 700 series and since the 1960s for IBM/360, amongst other machines)
• Object-oriented programming features such as classes, objects, abstraction, polymorphism, and inheritance[3]

See Language design below for more details.

Assembly language

A program written in assembly language consists of a series of (mnemonic) processor instructions and meta-statements (known variously as directives, pseudo-instructions and pseudo-ops), comments and data. Assembly language instructions usually consist of an opcode mnemonic followed by a list of data, arguments or parameters.[4] These are translated by an assembler into machine language instructions that can be loaded into memory and executed.

For example, the instruction below tells an x86/IA-32 processor to move an immediate 8-bit value into a register. The binary code for this instruction is 10110 followed by a 3-bit identifier for which register to use. The identifier for the AL register is 000, so the following machine code loads the AL register with the data 01100001.[5]

    10110000 01100001

This binary computer code can be made more human-readable by expressing it in hexadecimal as follows

    B0 61

Here, B0 means 'Move a copy of the following value into AL', and 61 is a hexadecimal representation of the value 01100001, which is 97 in decimal. Intel assembly language provides the mnemonic MOV (an abbreviation of move) for instructions such as this, so the machine code above can be written as follows in assembly language, complete with an explanatory comment if required, after the semicolon. This is much easier to read and to remember.

    MOV AL, 61h       ; Load AL with 97 decimal (61 hex)

In some assembly languages the same mnemonic such as MOV may be used for a family of related instructions for loading, copying and moving data, whether these are immediate values, values in registers, or memory locations pointed to by values in registers. Other assemblers may use separate opcodes such as L for "move memory to register", ST for "move register to memory", LR for "move register to register", MVI for "move immediate operand to memory", etc.

The Intel opcode 10110000 (B0) copies an 8-bit value into the AL register, while 10110001 (B1) moves it into CL and 10110010 (B2) does so into DL. Assembly language examples for these follow.[5]

    MOV AL, 1h        ; Load AL with immediate value 1
    MOV CL, 2h        ; Load CL with immediate value 2
    MOV DL, 3h        ; Load DL with immediate value 3

The syntax of MOV can also be more complex as the following examples show.[6]

    MOV EAX, [EBX]    ; Move the 4 bytes in memory at the address contained in EBX into EAX
    MOV [ESI+EAX], CL ; Move the contents of CL into the byte at address ESI+EAX

In each case, the MOV mnemonic is translated directly into an opcode in the ranges 88-8E, A0-A3, B0-B8, C6 or C7 by an assembler, and the programmer does not have to know or remember which.[5]

Transforming assembly language into machine code is the job of an assembler, and the reverse can at least partially be achieved by a disassembler. Unlike high-level languages, there is usually a one-to-one correspondence between simple assembly statements and machine language instructions. However, in some cases, an assembler may provide pseudoinstructions (essentially macros) which expand into several machine language instructions to provide commonly needed functionality. For example, for a machine that lacks a "branch if greater or equal" instruction, an assembler may provide a pseudoinstruction that expands to the machine's "set if less than" and "branch if zero (on the result of the set instruction)". Most full-featured assemblers also provide a rich macro language (discussed below) which is used by vendors and programmers to generate more complex code and data sequences.

Each computer architecture has its own machine language. Computers differ in the number and type of operations they support, in the different sizes and numbers of registers, and in the representations of data in storage. While most general-purpose computers are able to carry out essentially the same functionality, the ways they do so differ; the corresponding assembly languages reflect these differences.

Multiple sets of mnemonics or assembly-language syntax may exist for a single instruction set, typically instantiated in different assembler programs. In these cases, the most popular one is usually that supplied by the manufacturer and used in its documentation.

Language design

Basic elements

There is a large degree of diversity in the way the authors of assemblers categorize statements and in the nomenclature that they use. In particular, some describe anything other than a machine mnemonic or extended mnemonic as a pseudo-operation (pseudo-op). A typical assembly language consists of 3 types of instruction statements that are used to define program operations:

• Opcode mnemonics
• Data sections
• Assembly directives

Opcode mnemonics and extended mnemonics

Instructions (statements) in assembly language are generally very simple, unlike those in high-level language. Generally, a mnemonic is a symbolic name for a single executable machine language instruction (an opcode), and there is at least one opcode mnemonic defined for each machine language instruction. Each instruction typically consists of an operation or opcode plus zero or more operands. Most instructions refer to a single value, or a pair of values. Operands can be immediate (value coded in the instruction itself), registers specified in the instruction or implied, or the addresses of data located elsewhere in storage. This is determined by the underlying processor architecture: the assembler merely reflects how this architecture works. Extended mnemonics are often used to specify a combination of an opcode with a specific operand, e.g., the System/360 assemblers use B as an extended mnemonic for BC with a mask of 15 and NOP for BC with a mask of 0.

Extended mnemonics are often used to support specialized uses of instructions, often for purposes not obvious from the instruction name. For example, many CPUs do not have an explicit NOP instruction, but do have instructions that can be used for the purpose. In 8086 CPUs the instruction xchg ax,ax is used for nop, with nop being a pseudo-opcode to encode the instruction xchg ax,ax. Some disassemblers recognize this and will decode the xchg ax,ax instruction as nop. Similarly, IBM assemblers for System/360 and System/370 use the extended mnemonics NOP and NOPR for BC and BCR with zero masks. For the SPARC architecture, these are known as synthetic instructions.[7]

Some assemblers also support simple built-in macro-instructions that generate two or more machine instructions. For instance, with some Z80 assemblers the instruction ld hl,bc is recognized to generate ld l,c followed by ld h,b.[8] These are sometimes known as pseudo-opcodes.

Data sections

There are instructions used to define data elements to hold data and variables. They define the type of data, the length and the alignment of data. These instructions can also define whether the data is available to outside programs (programs assembled separately) or only to the program in which the data section is defined. Some assemblers classify these as pseudo-ops.

Assembly directives

Assembly directives, also called pseudo opcodes, pseudo-operations or pseudo-ops, are instructions that are executed by an assembler at assembly time, not by a CPU at run time. They can make the assembly of the program dependent on parameters input by a programmer, so that one program can be assembled different ways, perhaps for different applications. They also can be used to manipulate presentation of a program to make it easier to read and maintain.

(For example, directives would be used to reserve storage areas and optionally their initial contents.) The names of directives often start with a dot to distinguish them from machine instructions.

Symbolic assemblers let programmers associate arbitrary names (labels or symbols) with memory locations. Usually, every constant and variable is given a name so instructions can reference those locations by name, thus promoting self-documenting code. In executable code, the name of each subroutine is associated with its entry point, so any calls to a subroutine can use its name. Inside subroutines, GOTO destinations are given labels. Some assemblers support local symbols which are lexically distinct from normal symbols (e.g., the use of "10$" as a GOTO destination).

Some assemblers, such as NASM, provide flexible symbol management, letting programmers manage different namespaces, automatically calculate offsets within data structures, and assign labels that refer to literal values or the result of simple computations performed by the assembler. Labels can also be used to initialize constants and variables with relocatable addresses.

Assembly languages, like most other computer languages, allow comments to be added to assembly source code that are ignored by the assembler. Good use of comments is even more important with assembly code than with higher-level languages, as the meaning and purpose of a sequence of instructions is harder to decipher from the code itself.

Wise use of these facilities can greatly simplify the problems of coding and maintaining low-level code. Raw assembly source code as generated by compilers or disassemblers (code without any comments, meaningful symbols, or data definitions) is quite difficult to read when changes must be made.

Macros

Many assemblers support predefined macros, and others support programmer-defined (and repeatedly re-definable) macros involving sequences of text lines in which variables and constants are embedded. This sequence of text lines may include opcodes or directives. Once a macro has been defined its name may be used in place of a mnemonic. When the assembler processes such a statement, it replaces the statement with the text lines associated with that macro, then processes them as if they existed in the source code file (including, in some assemblers, expansion of any macros existing in the replacement text).

Note that this definition of "macro" is slightly different from the use of the term in other contexts, like the C programming language. C macros created through the #define directive typically are just one line, or a few lines at most. Assembler macro instructions can be lengthy "programs" by themselves, executed by interpretation by the assembler during assembly.

Since macros can have 'short' names but expand to several or indeed many lines of code, they can be used to make assembly language programs appear to be far shorter, requiring fewer lines of source code, as with higher level languages. They can also be used to add higher levels of structure to assembly programs, optionally introduce embedded debugging code via parameters and other similar features.

Macro assemblers often allow macros to take parameters. Some assemblers include quite sophisticated macro languages, incorporating such high-level language elements as optional parameters, symbolic variables, conditionals, string manipulation, and arithmetic operations, all usable during the execution of a given macro, and allowing macros to save context or exchange information. Thus a macro might generate a large number of assembly language instructions or data definitions, based on the macro arguments. This could be used to generate record-style data structures or "unrolled" loops, for example, or could generate entire algorithms based on complex parameters. An organization using assembly language that has been heavily extended using such a macro suite can be considered to be working in a higher-level language, since such programmers are not working with a computer's lowest-level conceptual elements.

Macros were used to customize large scale software systems for specific customers in the mainframe era and were also used by customer personnel to satisfy their employers' needs by making specific versions of manufacturer operating systems. This was done, for example, by systems programmers working with IBM's Conversational Monitor System / Virtual Machine (VM/CMS) and with IBM's "real time transaction processing" add-ons, Customer Information Control System CICS, and ACP/TPF, the airline/financial system that began in the 1970s and still runs many large computer reservations systems (CRS) and credit card systems today.

It was also possible to use solely the macro processing abilities of an assembler to generate code written in completely different languages, for example, to generate a version of a program in COBOL using a pure macro assembler program containing lines of COBOL code inside assembly time operators instructing the assembler to generate arbitrary code.

This was because, as was realized in the 1960s, the concept of "macro processing" is independent of the concept of "assembly", the former being in modern terms more word processing, text processing, than generating object code. The concept of macro processing appeared, and appears, in the C programming language, which supports "preprocessor instructions" to set variables, and make conditional tests on their values. Note that unlike certain previous macro processors inside assemblers, the C preprocessor was not Turing-complete because it lacked the ability to either loop or "go to", the latter allowing programs to loop.

Despite the power of macro processing, it fell into disuse in many high level languages (major exceptions being C/C++ and PL/I) while remaining a perennial for assemblers.

Macro parameter substitution is strictly by name: at macro processing time, the value of a parameter is textually substituted for its name. The most famous class of bugs resulting was the use of a parameter that itself was an expression and not a simple name when the macro writer expected a name. In the macro:

    foo: macro a
    load a*b

the intention was that the caller would provide the name of a variable, and the "global" variable or constant b would be used to multiply "a". If foo is called with the parameter a-c, the macro expansion of load a-c*b occurs. To avoid any possible ambiguity, users of macro processors can parenthesize formal parameters inside macro definitions, or callers can parenthesize the input parameters.[9]

Support for structured programming

Some assemblers have incorporated structured programming elements to encode execution flow. The earliest example of this approach was in the Concept-14 macro set, originally proposed by Dr. H.D. Mills (March, 1970), and implemented by Marvin Kessler at IBM's Federal Systems Division, which extended the S/360 macro assembler with IF/ELSE/ENDIF and similar control flow blocks.[10] This was a way to reduce or eliminate the use of GOTO operations in assembly code, one of the main factors causing spaghetti code in assembly language. This approach was widely accepted in the early '80s (the latter days of large-scale assembly language use).

A curious design was A-natural, a "stream-oriented" assembler for 8080/Z80 processors from Whitesmiths Ltd. (developers of the Unix-like Idris operating system, and what was reported to be the first commercial C compiler). The language was classified as an assembler, because it worked with raw machine elements such as opcodes, registers, and memory references; but it incorporated an expression syntax to indicate execution order. Parentheses and other special symbols, along with block-oriented structured programming constructs, controlled the sequence of the generated instructions. A-natural was built as the object language of a C compiler, rather than for hand-coding, but its logical syntax won some fans.

There has been little apparent demand for more sophisticated assemblers since the decline of large-scale assembly language development.[11] In spite of that, they are still being developed and applied in cases where resource constraints or peculiarities in the target system's architecture prevent the effective use of higher-level languages.[12]

Use of assembly language

Historical perspective

Assembly languages date to the introduction of the stored-program computer. The EDSAC computer (1949) had an assembler called initial orders featuring one-letter mnemonics.[13] Nathaniel Rochester wrote an assembler for an IBM 701 (1954). SOAP (Symbolic Optimal Assembly Program) (1955) was an assembly language for the IBM 650 computer written by Stan Poley.[14]

Assembly languages eliminated much of the error-prone and time-consuming first-generation programming needed with the earliest computers, freeing programmers from tedium such as remembering numeric codes and calculating addresses. They were once widely used for all sorts of programming. However, by the 1980s (1990s on microcomputers), their use had largely been supplanted by high-level languages, in the search for improved programming productivity. Today assembly language is still used for direct hardware manipulation, access to specialized processor instructions, or to address critical performance issues. Typical uses are device drivers, low-level embedded systems, and real-time systems.

Historically, a large number of programs have been written entirely in assembly language. Operating systems were entirely written in assembly language until the introduction of the Burroughs MCP (1961), which was written in ESPOL, an Algol dialect. Many commercial applications were written in assembly language as well, including a large amount of the IBM mainframe software written by large corporations. COBOL, FORTRAN and some PL/I eventually displaced much of this work, although a number of large organizations retained assembly-language application infrastructures well into the '90s.

Most early microcomputers relied on hand-coded assembly language, including most operating systems and large applications. This was because these systems had severe resource constraints, imposed idiosyncratic memory and display architectures, and provided limited, buggy system services. Perhaps more important was the lack of first-class high-level language compilers suitable for microcomputer use. A psychological factor may have also played a role: the first generation of microcomputer programmers retained a hobbyist, "wires and pliers" attitude.

In a more commercial context, the biggest reasons for using assembly language were minimal bloat (size), minimal overhead, greater speed, and reliability.

Typical examples of large assembly language programs from this time are IBM PC DOS operating systems and early applications such as the spreadsheet program Lotus 1-2-3. Even into the 1990s, most console video games were written in assembly, including most games for the Mega Drive/Genesis and the Super Nintendo Entertainment System. According to some industry insiders, the assembly language was the best computer language to use to get the best performance out of the Sega Saturn, a console that was notoriously challenging to develop and program games for.[15] The popular arcade game NBA Jam (1993) is another example.

Assembly language has long been the primary development language for many popular home computers of the 1980s and 1990s (such as the Sinclair ZX Spectrum, Commodore 64, Commodore Amiga, and Atari ST). This was in large part because BASIC dialects on these systems offered insufficient execution speed, as well as insufficient facilities to take full advantage of the available hardware on these systems. Some systems, most notably the Amiga, even have IDEs with highly advanced debugging and macro facilities, such as the freeware ASM-One assembler [16], comparable to that of Microsoft Visual Studio facilities (ASM-One predates Microsoft Visual Studio).

The Assembler for the VIC-20 was written by Don French and published by French Silk. At 1,639 bytes in length, its author believes it is the smallest symbolic assembler ever written. The assembler supported the usual symbolic addressing and the definition of character strings or hex strings. It also allowed address expressions which could be combined with addition, subtraction, multiplication, division, logical AND, logical OR, and exponentiation operators.[17]

Current usage

There have always been debates over the usefulness and performance of assembly language relative to high-level languages. Assembly language has specific niche uses where it is important; see below. But in general, modern optimizing compilers are claimed[18] to render high-level languages into code that can run as fast as hand-written assembly, despite the counter-examples that can be found.[19][20][21] The complexity of modern processors and memory sub-systems makes effective optimization increasingly difficult for compilers, as well as assembly programmers.[22][23] Moreover, and to the dismay of efficiency lovers, increasing processor performance has meant that most CPUs sit idle most of the time, with delays caused by predictable bottlenecks such as I/O operations and paging. This has made raw code execution speed a non-issue for many programmers.

There are some situations in which developers might choose to use assembly language:

• A stand-alone executable of compact size is required that must execute without recourse to the run-time components or libraries associated with a high-level language; this is perhaps the most common situation. For example, firmware for telephones, automobile fuel and ignition systems, air-conditioning control systems, security systems, and sensors.
• Code that must interact directly with the hardware, for example in device drivers and interrupt handlers.
• Programs that need to use processor-specific instructions not implemented in a compiler. A common example is the bitwise rotation instruction at the core of many encryption algorithms.
• Programs that create vectorized functions for programs in higher-level languages such as C. In the higher-level language this is sometimes aided by compiler intrinsic functions which map directly to SIMD mnemonics, but nevertheless result in a one-to-one assembly conversion specific for the given vector processor.
• Programs requiring extreme optimization, for example an inner loop in a processor-intensive algorithm. Game programmers take advantage of the abilities of hardware features in systems, enabling games to run faster. Also large scientific simulations require highly optimized algorithms, e.g. linear algebra with BLAS[19][24] or discrete cosine transformation (e.g. SIMD assembly version from x264[25])
• Situations where no high-level language exists, on a new or specialized processor, for example.
• Programs that need precise timing such as
    • real-time programs such as simulations, flight navigation systems, and medical equipment. For example, in a fly-by-wire system, telemetry must be interpreted and acted upon within strict time constraints. Such systems must eliminate sources of unpredictable delays, which may be created by (some) interpreted languages, automatic garbage collection, paging operations, or preemptive multitasking. However, some higher-level languages incorporate run-time components and operating system interfaces that can introduce such delays. Choosing assembly or lower-level languages for such systems gives programmers greater visibility and control over processing details.
    • cryptographic algorithms that must always take strictly the same time to execute, preventing timing attacks.
• Situations where complete control over the environment is required, in extremely high security situations where nothing can be taken for granted.
• Computer viruses, bootloaders, certain device drivers, or other items very close to the hardware or low-level operating system.
• Instruction set simulators for monitoring, tracing and debugging where additional overhead is kept to a minimum
• Reverse-engineering and modifying program files such as
    • existing binaries that may or may not have originally been written in a high-level language, for example when trying to recreate programs for which source code is not available or has been lost, or cracking copy protection of proprietary software.
    • Video games (also termed ROM hacking), which is possible via several methods. The most widely employed is altering program code at the assembly language level.
• Self modifying code, to which assembly language lends itself well.
• Games and other software for graphing calculators.[26]

Assembly language is still taught in most computer science and electronic engineering programs. Although few programmers today regularly work with assembly language as a tool, the underlying concepts remain very important. Such fundamental topics as binary arithmetic, memory allocation, stack processing, character set encoding, interrupt processing, and compiler design would be hard to study in detail without a grasp of how a computer operates at the hardware level. Since a computer's behavior is fundamentally defined by its instruction set, the logical way to learn such concepts is to study an assembly language. Most modern computers have similar instruction sets. Therefore, studying a single assembly language is sufficient to learn: I) the basic concepts; II) to recognize situations where the use of assembly language might be appropriate; and III) to see how efficient executable code can be created from high-level languages.[27] This is analogous to children needing to learn the basic arithmetic operations (e.g., long division), although calculators are widely used for all except the most trivial calculations.

Typical applications

• Assembly language is typically used in a system's boot code (BIOS on IBM-compatible PC systems and CP/M), the low-level code that initializes and tests the system hardware prior to booting the OS, and is often stored in ROM.
• Some compilers translate high-level languages into assembly first before fully compiling, allowing the assembly code to be viewed for debugging and optimization purposes.
• Relatively low-level languages, such as C, allow the programmer to embed assembly language directly in the source code. Programs using such facilities, such as the Linux kernel, can then construct abstractions using different assembly language on each hardware platform. The system's portable code can then use these processor-specific components through a uniform interface.
• Assembly language is valuable in reverse engineering. Many programs are distributed only in machine code form which is straightforward to translate into assembly language, but more difficult to translate into a higher-level language. Tools such as the Interactive Disassembler make extensive use of disassembly for such a purpose.
• Assemblers can be used to generate blocks of data, with no high-level language overhead, from formatted and commented source code, to be used by other code.

Related terminology

• Assembly language or assembler language is commonly called assembly, assembler, ASM, or symbolic machine code. A generation of IBM mainframe programmers called it ALC for Assembly Language Code or BAL[28] for Basic Assembly Language. Calling the language assembler might be considered potentially confusing and ambiguous, since this is also the name of the utility program that translates assembly language statements into machine code. However, this usage has been common among professionals and in the literature for decades.[29] Similarly, some early computers called their assembler their assembly program.[30]
• The computational step where an assembler is run, including all macro processing, is termed assembly time.
• The use of the word assembly dates from the early years of computers (cf. short code, speedcode).
• A cross assembler (see also cross compiler) is an assembler that is run on a computer or operating system of a different type from the system on which the resulting code is to run. Cross-assembling may be necessary if the target system cannot run an assembler itself, as is typically the case for small embedded systems. The computer on which the cross assembler is run must have some means of transporting the resulting machine code to the target system. Common methods involve transmitting an exact byte-by-byte copy of the machine code or an ASCII representation of the machine code in a portable format (such as Motorola or Intel hexadecimal) through a compatible interface to the target system for execution.
• An assembler directive or pseudo-opcode is a command given to an assembler "directing it to perform operations other than assembling instructions."[1] Directives affect how the assembler operates and "may affect the object code, the symbol table, the listing file, and the values of internal assembler parameters." Sometimes the term pseudo-opcode is reserved for directives that generate object code, such as those that generate data.[31]
• A meta-assembler is "a program that accepts the syntactic and semantic description of an assembly language, and generates an assembler for that language." [32]

List of assemblers for different computer architectures

• List of assemblers

Further details

For any given personal computer, mainframe, embedded system, and game console, both past and present, at least one – possibly dozens – of assemblers have been written. For some examples, see the list of assemblers.

On Unix systems, the assembler is traditionally called as, although it is not a single body of code, being typically written anew for each port. A number of Unix variants use GAS.

Within processor groups, each assembler has its own dialect. Sometimes, some assemblers can read another assembler's dialect, for example, TASM can read old MASM code, but not the reverse. FASM and NASM have similar syntax, but each support different macros that could make them difficult to translate to each other. The basics are all the same, but the advanced features will differ.[33]

Also, assembly can sometimes be portable across different operating systems on the same type of CPU. Calling conventions between operating systems often differ slightly or not at all, and with care it is possible to gain some portability in assembly language, usually by linking with a C library that does not change between operating systems. An instruction set simulator can process the object code/binary of any assembler to achieve portability even across platforms with an overhead no greater than a typical bytecode interpreter. This is similar to use of microcode to achieve compatibility across a processor family.

Some higher level computer languages, such as C and Borland Pascal, support inline assembly where sections of assembly code, in practice usually brief, can be embedded into the high level language code. The Forth language commonly contains an assembler used in CODE words.

An emulator can be used to debug assembly-language programs.

Example listing of assembly language source code

Address  Label     Instruction (AT&T syntax)  Object code[34]
                   .begin
                   .org 2048
         a_start   .equ 3000
2048               ld length,%
2064               be done                    00000010 10000000 00000000 00000110
2068               addcc %r1,-4,%r1           10000010 10000000 01111111 11111100
2072               addcc %r1,%r2,%r4          10001000 10000000 01000000 00000010
2076               ld %r4,%r5                 11001010 00000001 00000000 00000000
2080               ba loop                    00010000 10111111 11111111 11111011
2084               addcc %r3,%r5,%r3          10000110 10000000 11000000 00000101
2088     done:     jmpl %r15+4,%r0            10000001 11000011 11100000 00000100
2092     length:   20                         00000000 00000000 00000000 00010100
2096     address:  a_start                    00000000 00000000 00001011 10111000
                   .org a_start
3000     a:

Archived (http:/ / web. cit. [24] "BLAS Benchmark-August2008" (http:/ / eigen. The C++ Programming Language. Archived (http:/ / web. [11] Answers. Retrieved 18 November 2010. Retrieved 18 November 2010. intel.org. 33 References [3] Hyde. php?page=SegaBase+ Saturn) [16] http:/ / www. INTEL CORPORATION. name/ assem. "Speaking with Don French : The Man Behind the French Silk Assembler Tools" (http:/ / www. Version 8" (http:/ / www. edu/ Page_TechDocs/ GreatDebate/ debate1. [7] "The SPARC Architecture Manual. archive. org/ web/ 20080821105848/ http:/ / www. z80. PDF). git. Archived (http:/ / web. eigen. Retrieved 2008-07-25. . [use of the term assembler to [1] David Salomon (1993). [29] Stroustrup. Volume 2: Instruction Set Reference (http:/ / download. tuxfamily. com/ design/ PentiumII/ manuals/ 24319102. New York Times. davidsalomon. Microsoft Corp. p. org/ web/ 20080702181616/ http:/ / tifreakware. Retrieved May 25. hardwarebug. PDF). "Foreword ("Why would anyone learn this stuff?"). . edu/ cu/ computinghistory/ 650. info/ homepage. Retrieved Mar 11. . [28] Techically BAL was only the assembler for BPS. . for Fun: A Human Computer Keeps Speeding Up Chips" (http:/ / www. Retrieved 2010-03-04. columbia. com/ 2005/ 11/ 28/ technology/ 28super. org/ 2008/ 11/ 28/ codesourcery-fails-again/ ) from the original on 2 April 2010.com. [8] http:/ / www. html?_r=1). Retrieved 18 November 2010. Retrieved 2008-07-03. davidsalomon. edu/ ~lockwood/ class/ cs306/ books/ artofasm/ fwd. net/ ~jimbo/ art/ int7. Retrieved 2008-07-03. [22] Randall Hyde. org/ ?p=x264. Archived (http:/ / web. net/ tiki-index.git/common/x86/dct-32. edu/ ~lockwood/ class/ cs306/ books/ artofasm/ fwd. 2008-08-01. videolan.Assembly language Example of a selection of instructions (for a virtual computer[35]) with the corresponding address in memory where each instruction will be placed. David A. Addison-Wesley. arl. Bjarne. [26] "68K Programming in Fargo II" (http:/ / tifreakware. 
The Art of Assembly Language.f=common/ x86. org/ LDP/ tlk/ basics/ sw. org/ 2010/ 01/ 30/ bit-field-badness/ ) from the original on 5 February 2010. [18] Rusling. htm) from the original on 21 August 2008. [5] Intel Architecture Software Developer’s Manual. . 1999. microsoft. Retrieved 2012-01-17. edu/ ~evans/ cs216/ guides/ x86. "2". advertis/ asl. or various modern high-level languages. org/ web/ 20100325155048/ http:/ / www. php?title=Benchmark-August2008). Archived (http:/ / web. . [14] "The IBM 650 Magnetic Drum Calculator" (http:/ / www. 90). 1999. C.. org/ 2008/ 11/ 28/ codesourcery-fails-again/ ). archive. 2012. [20] "Bit-field-badness" (http:/ / hardwarebug. . htm [9] "Macros (C/C++). 1992. sparc. hardwarebug. git. archive. ucr. Assemblers and Loaders (http:/ / www. 1986. net/ ) [13] Salomon. wustl. name/ assem. © 2010. the others were macro assemblers. Archived (http:/ / web. . 6502 Assembler for the Nintendo Entertainment System (http:/ / neshla. Randall. nytimes. These addresses are not static.a=tree. net/ ~jimbo/ art/ int7. hardwarebug. eidolons-inn. [10] "Concept 14 Macros" (http:/ / skycoast. Retrieved 2010-03-04. Volume 2: Instruction Set Reference (http:/ / download. Retrieved 2010-06-22. 2005-11-28.tuxfamily. Accompanying each instruction is the generated (by the assembler) object code that coincides with the virtual computer's architecture (or ISA). 2010-09-29. Retrieved 2010-03-04. Retrieved 2010-03-04. Addison Wesley. net/ tutorials/ 89/ a/ calc/ fargoii. . org/ 2010/ 01/ 30/ bit-field-badness/ ). by Hand. System Software: An Introduction to Systems Programming. radiks. ucr. SPARC. MVS Software. Retrieved 2010-03-04. com/ standards/ V8. David (2006). de/ z80/ z80code.org. . 7. html).com" (http:/ / www.hb=HEAD). theflamearrows. virginia. us/ pscott/ software/ mvs/ concept14. Retrieved 2008-06-19. html). edu/ Page_TechDocs/ GreatDebate/ debate1. [4] Intel Architecture Software Developer’s Manual. 
MSDN Library for Visual Studio 2008" (http:/ / msdn. [12] NESHLA: The High Level. Retrieved 2010-09-29. John Markoff. . Assemblers and Loaders (http:/ / www. cs. . (1996).asm" (http:/ / git. . 2010-01-30. pdf). . advertis/ asl.videolan. . University of Virginia. htm). [23] "Code sourcery fails again" (http:/ / hardwarebug. [15] Eidolon's Inn : SegaBase Saturn (http:/ / www. 2009-05-13. aspx). . [19] "Writing the Fastest Code. htm). archive. [27] Hyde. answers. com/ en-us/ library/ 503x3e3s(v=VS. html) from the original on 25 March 2010.. 2010-01-30.org. html) from the original on 16 June 2008. Randall (1996-09-30). org/ 2009/ 05/ 13/ gcc-makes-a-mess/ ) from the original on 16 March 2010. cs. Retrieved 2010-03-05. html). 2nd Edition. archive.org. html). html). . intel. com/ design/ PentiumII/ manuals/ 24319102." (http:/ / www. archive. pdf). . Retrieved 2012-01-17. 2009. International. see memory management. org/ index. No Starch Press. sourceforge. "The Great Debate" (http:/ / webster. org/ web/ 20100205120952/ http:/ / hardwarebug. htm) from the original on 2 July 2008. arl. [25] "x264. . org/ 2009/ 05/ 13/ gcc-makes-a-mess/ ). op. Archived (http:/ / web. Open Source. . html). [21] "GCC makes a mess" (http:/ / hardwarebug. cs. com/ topic/ assembly-language?cat=technology). radiks. "x86 Assembly Guide" (http:/ / www. "The Linux Kernel" (http:/ / tldp. . net/ tutorials/ 89/ a/ calc/ fargoii. "assembly language: Definition and Much More from Answers. INTEL CORPORATION. org/ web/ 20080616110102/ http:/ / webster. org/ web/ 20100316212040/ http:/ / hardwarebug.org. [6] Evans. pp. Leland L. pdf) [2] Beck. html [17] Jim Lawless (2004-05-21). archive. org/ web/ 20100402221204/ http:/ / hardwarebug. wustl. 442 and 35. ISBN 0-201-12078-X: "C++ was primarily designed so that the author and his friends would not have to program in assembler. "Chapter 12 – Classes and Objects".

edu/ cs422/ doc/ art-of-asm/ pdf/ CH08.info/main/ documents/view/x86-tutorial/) Assembly Language Programming Examples (http://www. tutorials and code examples" by the ASM Community • Jonathan Bartlett: Programming from the Ground Up (http://programminggroundup. 2004.) A Dictionary of Computing: "meta-assembler" (http:/ / www. Addison Wesley.net/book/) "An online book full of helpful ASM info. [35] Principles of Computer Architecture (http:/ / iiusatech. Heuring (2000). html) [33] Randall Hyde. ed. and Plette. ISBN 0-13-142044-5 • Paul Carter: PC Assembly Language.cs. ISBN 0-9752838-4-7 Also available online as PDF (http://download. "MASM: Directives & Pseudo-Opcodes" (http:/ / flint.atariarchives.com/qed/asmexample. Prentice-Hall. 1999. ISBN 0-471-37523-3 • Randall Hyde: The Art of Assembly Language.html) Assembly Optimization Tips (http://mark.int80h. 2000.asmcommunity.htm) Iczelion's Win32 Assembly Tutorial (http://win32assembly. [use of the term assembly program] [31] Microsoft Corporation. cs. 2011. PDP-11. Unix Assembly Language Programming (http://www. LoC 62-20615.masmcode. "Which Assembler is the Best?" (http:/ / webster.savannah. html) from the original on 18 October 2007. Retrieved 2007-10-19. Website (http://drpaulcarter. accessed August 24. [32] (John Daintith.grc. Miles J.gnu.Assembly language mean assembly language]" [30] Saxon.com/).ibm. com/ ~murdocca/ POCA) (POCA) – ARCTools virtual computer available for download to execute referenced code. James.net/).org/) IBM High Level Assembler (http://www-03. com/ doc/ 1O11-metaassembler. John Socha. Bartlett Publishing. org/ web/ 20071018014019/ http:/ / webster. Vincent P. 2005 34 Further reading • ASM Community Book (http://www. Prentice-Hall. ISBN 1-886411-97-2 Draft versions available online (http://webster.ucr. . archive. PPR: Learning Assembly Language (http://c2.com/smgassembly.php) The ASM Community (http://www. ISBN 0-201-43664-7.com/) by Mark Larson . William.org/mlb/introduction. Brady Books. 
cs. • Dominic Sweetman: See MIPS Run. 1998. NY: 1980. cs. Retrieved March 19.fr/tutorials. html).com/pcasm/) • Jeff Duntemann: Assembly Language Step-by-Step. ISBN 0-201-39828-1 External links • • • • • • • • • • Machine language for beginners (http://www. Programming the IBM 1401.. Morgan Kaufmann Publishers. yale. PDF).html#hlasm) IBM manuals on mainframe assembler language. edu/ AsmTools/ WhichAsm. John Wiley & Sons. Wiley. encyclopedia.html) as PDF and HTML • Peter Norton. ucr.pdf) • Robert Britton: MIPS Assembly Language Programming. . Free ebook.online.com/cgi/wiki?LearningAssemblyLanguage) An Introduction to Writing 32-bit Applications Using the x86 Assembly Language (http://siyobik.asmcommunity. 2001.edu/AoA/index. 2003. a programming resource about assembly. Archived (http:/ / web.html) Authoring Windows Applications In Assembly Language (http://www.org/releases-noredirect/pgubook/ ProgrammingGroundUp-1-0-booksize. [34] Murdocca. • Michael Singer. ucr.azillionmonkeys. Peter Norton's Assembly Language Book for the IBM PC. No Starch Press. 1962. Principles of Computer Architecture. 2003.com/systems/z/os/zos/bkserv/r8pdf/index.blogspot. ISBN 1-55860-410-3 • John Waldron: Introduction to RISC Assembly Language Programming. edu/ AsmTools/ WhichAsm. Assembler Language Programming and Machine Organization. NY: 1986. Prentice Hall.

Backup

In information technology, a backup, or the process of backing up, refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event. The verb form is to back up in two words, whereas the noun is backup.[1]
Backups have two distinct purposes. The primary purpose is to recover data after its loss, be it by data deletion or corruption. Data loss can be a common experience of computer users. A 2008 survey found that 66% of respondents had lost files on their home PC.[2] The secondary purpose of backups is to recover data from an earlier time, according to a user-defined data retention policy, typically configured within a backup application for how long copies of data are required. Though backups popularly represent a simple form of disaster recovery, and should be part of a disaster recovery plan, by themselves, backups should not alone be considered disaster recovery.[3] One reason for this is that not all backup systems or backup applications are able to reconstitute a computer system or other complex configurations such as a computer cluster, active directory servers, or a database server, by restoring only data from a backup.
Since a backup system contains at least one copy of all data worth saving, the data storage requirements can be significant. Organizing this storage space and managing the backup process can be a complicated undertaking. A data repository model can be used to provide structure to the storage. Nowadays, there are many different types of data storage devices that are useful for making backups. There are also many different ways in which these devices can be arranged to provide geographic redundancy, data security, and portability.
Before data is sent to its storage location, it is selected, extracted, and manipulated. Many different techniques have been developed to optimize the backup procedure. These include optimizations for dealing with open files and live data sources as well as compression, encryption, and de-duplication, among others. Every backup scheme should include dry runs that validate the reliability of the data being backed up. It is important to recognize the limitations and human factors involved in any backup scheme.

Storage, the base of a backup system

Data repository models
Any backup strategy starts with a concept of a data repository. The backup data needs to be stored somehow and probably should be organized to a degree. It can be as simple as a sheet of paper with a list of all backup tapes and the dates they were written or a more sophisticated setup with a computerized index, catalog, or relational database. Different repository models have different advantages. This is closely related to choosing a backup rotation scheme.

Unstructured
An unstructured repository may simply be a stack of floppy disks or CD-R/DVD-R media with minimal information about what was backed up and when. This is the easiest to implement, but probably the least likely to achieve a high level of recoverability.

Full only / System imaging
A repository of this type contains complete system images from one or more specific points in time. This technology is frequently used by computer technicians to record known good configurations. Imaging is generally more useful for deploying a standard configuration to many systems rather than as a tool for making ongoing backups of diverse systems.

Incremental
An incremental style repository aims to make it more feasible to store backups from more points in time by organizing the data into increments of change between points in time. This eliminates the need to store duplicate copies of unchanged data, as would be the case with a portion of the data of subsequent full backups. Typically, a full backup (of all files) is made which serves as the reference point for an incremental backup set. After that, any number of incremental backups are made. Restoring the whole system to a certain point in time would require locating the last full backup taken previous to the data loss plus each and all of the incremental backups that cover the period of time between the full backup and the point in time to which the system is supposed to be restored.[4] Additionally, some backup systems can reorganize the repository to synthesize full backups from a series of incrementals.

Differential
A differential style repository saves the data since the last full backup. It has the advantage that only a maximum of two data sets are needed to restore the data. One disadvantage, at least as compared to the incremental backup method, is that as time from the last full backup (and, thus, data changes) increase so does the time to perform the differential backup. To perform a differential backup, it is first necessary to perform a full backup. After that, each differential backup made will contain all the changes since the last full backup. Restoring an entire system to a certain point in time would require locating the last full backup taken previous to the point of the failure or loss plus the last differential backup since the last full backup.
Note: Vendors have standardized on the meaning of the terms "incremental backup" and "differential backup". However, there have been cases where conflicting definitions of these terms have been used. The most relevant characteristic of an incremental backup is which reference point it uses to check for changes. By standard definition, a differential backup copies files that have been created or changed since the last full backup, regardless of whether any other differential backups have been made since then, whereas an incremental backup copies files that have been created or changed since the most recent backup of any type (full or incremental). Other variations of incremental backup include multi-level incrementals and incremental backups that compare parts of files instead of just the whole file.

Reverse delta
A reverse delta type repository stores a recent "mirror" of the source data and a series of differences between the mirror in its current state and its previous states. A reverse delta backup will start with a normal full backup. After the full backup is performed, the system will periodically synchronize the full backup with the live copy, while storing the data necessary to reconstruct older versions. This can either be done using hard links, or using binary diffs. This system works particularly well for large, slowly changing, data sets. Examples of programs that use this method are rdiff-backup and Time Machine.

Continuous data protection
Instead of scheduling periodic backups, the system immediately logs every change on the host system. This is generally done by saving byte or block-level differences rather than file-level differences.[5] It differs from simple disk mirroring in that it enables a roll-back of the log and thus restoration of old image of data.

Storage media
Regardless of the repository model that is used, the data has to be stored on some data storage medium somewhere.

Magnetic tape
Magnetic tape has long been the most commonly used medium for bulk data storage, backup, archiving, and interchange. Tape has typically had an order of magnitude better capacity/price ratio when compared to hard disk, but recently the ratios for tape and hard disk have become a lot closer.[6] There are myriad formats, many of which are proprietary or specific to certain markets like mainframes or a particular brand of personal computer. Tape is a sequential access medium, so even though access times may be poor, the rate of continuously writing or reading data can actually be very fast. Some new tape drives are even faster than modern hard disks. A principal advantage of tape is that it has been used for this purpose for decades (much longer than any alternative) and its characteristics are well understood.

Hard disk
The capacity/price ratio of hard disk has been rapidly improving for many years. This is making it more competitive with magnetic tape as a bulk storage medium. The main advantages of hard disk storage are low access times, availability, capacity and ease of use.[7] External disks can be connected via local interfaces like SCSI, USB, FireWire, or eSATA, or via longer distance technologies like Ethernet, iSCSI, or Fibre Channel. Some disk-based backup systems, such as Virtual Tape Libraries, support data deduplication which can dramatically reduce the amount of disk storage capacity consumed by daily and weekly backup data. The main disadvantages of hard disk backups are that they are easily damaged, especially while being transported (e.g., for off-site backups), and that their stability over periods of years is a relative unknown.

Optical storage
Recordable CDs, DVDs, and Blu-ray Discs are commonly used with personal computers and generally have low media unit costs. However, the capacities and speeds of these and other optical discs are typically an order of magnitude lower than hard disk or tape. Many optical disk formats are WORM type, which makes them useful for archival purposes since the data cannot be changed. The use of an auto-changer or jukebox can make optical discs a feasible option for larger-scale backup systems. Some optical storage systems allow for cataloged data backups without human contact with the discs, allowing for longer data integrity.

Floppy disk
During the 1980s and early 1990s, many personal/home computer users associated backing up mostly with copying to floppy disks. However, the data capacity of floppy disks failed to catch up with growing demands, rendering them unpopular and obsolete.[8]

Solid state storage
Also known as flash memory, thumb drives, USB flash drives, CompactFlash, SmartMedia, Memory Stick, Secure Digital cards, etc., these devices are relatively expensive for their low capacity. A solid state drive does not contain any movable parts unlike its magnetic drive counterpart and can have huge throughput in the order of 500Mbit/s to 6Gbit/s. SSD drives are now available in the order of 500GB to TBs.

Remote backup service
As broadband internet access becomes more widespread, remote backup services are gaining in popularity. Backing up via the internet to a remote location can protect against some worst-case scenarios such as fires, floods, or earthquakes which would destroy any backups in the immediate vicinity along with everything else. There are, however, a number of drawbacks to remote backup services. First, Internet connections are usually slower than local data storage devices. Residential broadband is especially problematic as routine backups must use an upstream link that's usually much slower than the downstream link used only occasionally to retrieve a file from backup. This tends to limit the use of such services to relatively small amounts of high value data. Secondly, users must trust a third party service provider to maintain the privacy and integrity of their data, although confidentiality can be assured by encrypting the data before transmission to the backup service with an encryption key known only to the user. Ultimately the backup service must itself use one of the above methods so this could be seen as a more complex way of doing traditional backups.
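The restore rules stated under "Incremental" and "Differential" above can be worked through on a small catalog. The following Python sketch is an added example, not part of the original guide: the Backup record, the integer sequence numbers that stand in for timestamps, and the one-week schedule are assumptions constructed for the illustration. It shows which backup sets a restore needs under each model and how far the recovery point falls back when one set turns out to be unreadable.

```python
from dataclasses import dataclass
from typing import List, Optional

FULL, INCR, DIFF = "full", "incremental", "differential"


@dataclass(frozen=True)
class Backup:
    seq: int               # order in time; constructed stand-in for a timestamp
    kind: str              # FULL, INCR or DIFF
    base: Optional[int]    # seq of the backup this one records changes against
    readable: bool = True  # False models lost media or a failed dry-run restore


class ChainBroken(Exception):
    """Raised when a backup set needed for the restore cannot be read."""


def add_backup(catalog: List[Backup], kind: str, readable: bool = True) -> Backup:
    """Append a backup, picking its reference point by the standard definitions."""
    seq = len(catalog) + 1
    if kind == FULL:
        base = None
    else:
        # Differential: changes since the last full backup.
        # Incremental: changes since the most recent full or incremental backup.
        wanted = (FULL,) if kind == DIFF else (FULL, INCR)
        refs = [b.seq for b in catalog if b.kind in wanted]
        if not refs:
            raise ValueError("a full backup must be taken first")
        base = refs[-1]
    backup = Backup(seq, kind, base, readable)
    catalog.append(backup)
    return backup


def restore_chain(catalog: List[Backup], target_seq: int) -> List[Backup]:
    """Backup sets to apply, oldest first, to rebuild the state as of target_seq."""
    by_seq = {b.seq: b for b in catalog}
    chain = []
    current = by_seq[target_seq]
    while True:
        if not current.readable:
            raise ChainBroken(f"backup {current.seq} ({current.kind}) is unreadable")
        chain.append(current)
        if current.base is None:
            break
        current = by_seq[current.base]
    chain.reverse()
    return chain


def best_recovery_point(catalog: List[Backup], wanted_seq: int) -> Optional[List[Backup]]:
    """Newest chain at or before wanted_seq that can actually be restored."""
    for seq in range(wanted_seq, 0, -1):
        try:
            return restore_chain(catalog, seq)
        except ChainBroken:
            continue
    return None


def weekly(kind: str, damaged=frozenset()) -> List[Backup]:
    """Constructed schedule: full backup on day 1, then `kind` on days 2 to 7."""
    catalog: List[Backup] = []
    add_backup(catalog, FULL, readable=1 not in damaged)
    for day in range(2, 8):
        add_backup(catalog, kind, readable=day not in damaged)
    return catalog


if __name__ == "__main__":
    for kind in (INCR, DIFF):
        healthy = restore_chain(weekly(kind), 7)
        fallback = best_recovery_point(weekly(kind, damaged={4}), 7)
        print(kind, "sets needed:", [b.seq for b in healthy],
              "| with day 4 unreadable:", [b.seq for b in fallback])
```

With day 4 unreadable, the incremental schedule can only be restored to day 3, while the differential schedule still reaches day 7 from two sets; losing the full backup leaves neither restorable.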

Managing the data repository
Regardless of the data repository model or data storage media used for backups, a balance needs to be struck between accessibility, security and cost. These media management methods are not mutually exclusive and are frequently combined to meet the needs of the situation. Using on-line disks for staging data before it is sent to a near-line tape library is a common example.

On-line
On-line backup storage is typically the most accessible type of data storage, which can begin restore in milliseconds time. A good example would be an internal hard disk or a disk array (maybe connected to SAN). This type of storage is very convenient and speedy, but is relatively expensive. On-line storage is quite vulnerable to being deleted or overwritten, either by accident, by intentional malevolent action, or in the wake of a data-deleting virus payload.

Near-line
Near-line storage is typically less accessible and less expensive than on-line storage, but still useful for backup data storage. A good example would be a tape library with restore times ranging from seconds to a few minutes. A mechanical device is usually involved in moving media units from storage into a drive where the data can be read or written. Generally it has safety properties similar to on-line storage.

Off-line
Off-line storage requires some direct human action in order to make access to the storage media physically possible. This action is typically inserting a tape into a tape drive or plugging in a cable that allows a device to be accessed. Because the data is not accessible via any computer except during limited periods in which it is written or read back, it is largely immune to a whole class of on-line backup failure modes. Access time will vary depending on whether the media is on-site or off-site.

Off-site data protection
To protect against a disaster or other site-specific problem, many people choose to send backup media to an off-site vault. The vault can be as simple as a system administrator's home office or as sophisticated as a disaster-hardened, temperature-controlled, high-security bunker that has facilities for backup media storage. Importantly a data replica can be off-site but also on-line (e.g., an off-site RAID mirror). Such a replica has fairly limited value as a backup, and should not be confused with an off-line backup.

Backup site or disaster recovery center (DR center)
In the event of a disaster, the data on backup media will not be sufficient to recover. Computer systems onto which the data can be restored and properly configured networks are necessary too. Some organizations have their own data recovery centers that are equipped for this scenario. Other organizations contract this out to a third-party recovery center. Because a DR site is itself a huge investment, backing up is very rarely considered the preferred method of moving data to a DR site. A more typical way would be remote disk mirroring, which keeps the DR data as up to date as possible.

Selection and extraction of data
A successful backup job starts with selecting and extracting coherent units of data. Most data on modern computer systems is stored in discrete units, known as files. These files are organized into filesystems. Files that are actively being updated can be thought of as "live" and present a challenge to back up. It is also useful to save metadata that describes the computer or the filesystem being backed up.
Deciding what to back up at any given time is a harder process than it seems. By backing up too much redundant data, the data repository will fill up too quickly. Backing up an insufficient amount of data can eventually lead to the loss of critical information.

Files

Copying files
Making copies of files is the simplest and most common way to perform a backup. A means to perform this basic function is included in all backup software and all operating systems.

Partial file copying
Instead of copying whole files, one can limit the backup to only the blocks or bytes within a file that have changed in a given period of time. This technique can use substantially less storage space on the backup medium, but requires a high level of sophistication to reconstruct files in a restore situation. Some implementations require integration with the source file system.

Filesystems

Filesystem dump
Instead of copying files within a filesystem, a copy of the whole filesystem itself can be made. This is also known as a raw partition backup and is related to disk imaging. The process usually involves unmounting the filesystem and running a program like dd (Unix). Because the disk is read sequentially and with large buffers, this type of backup can be much faster than reading every file normally, especially when the filesystem contains many small files, is highly fragmented, or is nearly full. But because this method also reads the free disk blocks that contain no useful data, this method can also be slower than conventional reading, especially when the filesystem is nearly empty. Some filesystems, such as XFS, provide a "dump" utility that reads the disk sequentially for high performance while skipping unused sections. The corresponding restore utility can selectively restore individual files or the entire volume at the operator's choice.

Identification of changes
Some filesystems have an archive bit for each file that says it was recently changed. Some backup software looks at the date of the file and compares it with the last backup to determine whether the file was changed.

Versioning file system
A versioning filesystem keeps track of all changes to a file and makes those changes accessible to the user. Generally this gives access to any previous version, all the way back to the file's creation time. An example of this is the Wayback versioning filesystem for Linux.[9]

Live data
If a computer system is in use while it is being backed up, the possibility of files being open for reading or writing is real. If a file is open, the contents on disk may not correctly represent what the owner of the file intends. This is especially true for database files of all kinds. The term fuzzy backup can be used to describe a backup of live data that looks like it ran correctly, but does not represent the state of the data at any single point in time. This is because the data being backed up changed in the period of time between when the backup started and when it finished. For databases in particular, fuzzy backups are worthless.

Snapshot backup
A snapshot is an instantaneous function of some storage systems that presents a copy of the file system as if it were frozen at a specific point in time, often by a copy-on-write mechanism. An effective way to back up live data is to temporarily quiesce it (e.g. close all files), take a snapshot, and then resume live operations. At this point the snapshot can be backed up through normal methods.[10] While a snapshot is very handy for viewing a filesystem as it was at a different point in time, it is hardly an effective backup mechanism by itself.

Open file backup
Many backup software packages feature the ability to handle open files in backup operations. Some simply check for openness and try again later. File locking is useful for regulating access to open files.
When attempting to understand the logistics of backing up open files, one must consider that the backup process could take several minutes to back up a large file such as a database. In order to back up a file that is in use, it is vital that the entire backup represent a single-moment snapshot of the file, rather than a simple copy of a read-through. This represents a challenge when backing up a file that is constantly changing. Either the database file must be locked to prevent changes, or a method must be implemented to ensure that the original snapshot is preserved long enough to be copied, all while changes are being preserved. Backing up a file while it is being changed, in a manner that causes the first part of the backup to represent data before changes occur to be combined with later parts of the backup after the change results in a corrupted file that is unusable, as most large files contain internal references between their various parts that must remain consistent throughout the file.

Cold database backup
During a cold backup, the database is closed or locked and not available to users. The datafiles do not change during the backup process so the database is in a consistent state when it is returned to normal operation.[11]

Hot database backup
Some database management systems offer a means to generate a backup image of the database while it is online and usable ("hot"). This usually includes an inconsistent image of the data files plus a log of changes made while the procedure is running. Upon a restore, the changes in the log files are reapplied to bring the copy of the database up-to-date (the point in time at which the initial hot backup ended).[12]

Metadata
Not all information stored on the computer is stored in files. Accurately recovering a complete system from scratch requires keeping track of this non-file data too.

System description
System specifications are needed to procure an exact replacement after a disaster.

Boot sector
The boot sector can sometimes be recreated more easily than saving it. Still, it usually isn't a normal file and the system won't boot without it.

Partition layout
The layout of the original disk, as well as partition tables and filesystem settings, is needed to properly recreate the original system.

File metadata
Each file's permissions, owner, group, ACLs, and any other metadata need to be backed up for a restore to properly recreate the original environment.

System metadata
Different operating systems have different ways of storing configuration information. Microsoft Windows keeps a registry of system information that is more difficult to restore than a typical file.

Manipulation of data and dataset optimization
It is frequently useful or required to manipulate the data being backed up to optimize the backup process. These manipulations can provide many benefits including improved backup speed, restore speed, data security, media usage and/or reduced bandwidth requirements.

Compression
Various schemes can be employed to shrink the size of the source data to be stored so that it uses less storage space. Compression is frequently a built-in feature of tape drive hardware.

Deduplication
When multiple similar systems are backed up to the same destination storage device, there exists the potential for much redundancy within the backed up data. For example, if 20 Windows workstations were backed up to the same data repository, they might share a common set of system files. The data repository only needs to store one copy of those files to be able to restore any one of those workstations. This technique can be applied at the file level or even on raw blocks of data, potentially resulting in a massive reduction in required storage space. Deduplication can occur on a server before any data moves to backup media, sometimes referred to as source/client side deduplication. This approach also reduces bandwidth required to send backup data to its target media. The process can also occur at the target storage device, sometimes referred to as inline or back-end deduplication.

Duplication
Sometimes backup jobs are duplicated to a second set of storage media. This can be done to rearrange the backup images to optimize restore speed or to have a second copy at a different location or on a different storage medium.

Encryption
High capacity removable storage media such as backup tapes present a data security risk if they are lost or stolen.[13] Encrypting the data on these media can mitigate this problem, but presents new problems. Encryption is a CPU intensive process that can slow down backup speeds, and the security of the encrypted backups is only as effective as the security of the key management policy.

Multiplexing
When there are many more computers to be backed up than there are destination storage devices, the ability to use a single storage device with several simultaneous backups can be useful.

Refactoring
The process of rearranging the backup sets in a data repository is known as refactoring. For example, if a backup system uses a single tape each day to store the incremental backups for all the protected computers, restoring one of the computers could potentially require many tapes. Refactoring could be used to consolidate all the backups for a single computer onto a single tape. This is especially useful for backup systems that do incrementals forever style backups.

Staging
Sometimes backup jobs are copied to a staging disk before being copied to tape. This process is sometimes referred to as D2D2T, an acronym for Disk to Disk to Tape. This can be useful if there is a problem matching the speed of the final destination device with the source device as is frequently faced in network-based backup systems. It can also serve as a centralized location for applying other data manipulation techniques.

[15] Data security In addition to preserving access to data for its owners. The backup window is usually planned with users' convenience in mind. The cost of commercial backup software can also be considerable. the objectives and limitations are essentially the same. Essentially. Objectives Recovery point objective (RPO) The point in time that the restarted infrastructure will reflect. As long as new data is being created and changes are being made. This is typically the time when the system sees the least usage and the backup process will have the least amount of interference with normal operations. The most desirable RPO would be the point just prior to the data loss event. Making a more recent recovery point achievable requires increasing the frequency of synchronization between the source data and the backup repository. Costs of hardware. software. Performance impact All backup schemes have some performance impact on the system being backed up. Limitations An effective backup scheme will take into consideration the limitations of the situation. Matching the correct amount of storage capacity (over time) with the backup needs is an important part of the design of a backup scheme. For example. Backups must be performed in a manner that does not compromise the original owner's undertaking. and its full bandwidth is no longer available for other tasks. but complicated schemes have considerably higher labor requirements. This can be achieved with data encryption and proper media handling policies. this is the roll-back that will be experienced as a result of the recovery. for the period of time that a computer system is being backed up. data must be restricted from unauthorized access. labor All types of storage media have a finite capacity with a real cost. Backup window The period of time when backups are permitted to run on a system is called the backup window. Individuals and organizations with anything from one computer to thousands (or even millions?) 
of computer systems all have requirements for protecting data. backups will need to be updated. While the scale is different. Likewise. Any backup scheme has some labor requirement.[14] Recovery time objective (RTO) The amount of time elapsed between disaster and restoration of business functions. Network bandwidth Distributed backup systems can be affected by limited network bandwidth. . If a backup extends past the defined backup window. those who perform backups need to know to what extent they were successful. the hard drive is busy reading files for the purpose of backing up.Backup 42 Managing the backup process It is important to understand that backing up is a process. Such impacts should be analyzed. regardless of scale. a decision is made whether it is more beneficial to abort the backup or to lengthen the backup window.

Logging In addition to the history of computer generated reports.[16] Disaster. This center alerts users to any errors that occur during automated backups. Establishing a chain of trusted individuals (and vendors) is critical to defining the security of the data. These offer several advantages. This is particularly useful for the de-duplication process. some backup programs can use checksums to avoid making redundant copies of files. Using an authentication mechanism is a good way to prevent the backup scheme from being used for unauthorized activity. Second. for example. errors. many organizations rely on third-party or "independent" solutions to test. Backup validation (also known as "backup success validation") The process by which owners of data can get information about how their data was backed up. Authentication Over the course of regular operations. device status. Reporting In larger configurations. data value and increasing dependence upon ever-growing volumes of data all contribute to the anxiety around and dependence upon successful backups to ensure business continuity. Chain of trust Removable storage media are physical items and must only be handled by trusted individuals. First. vault coordination and other information about the backup process. an insurance company might be required under HIPAA to show "proof" that their patient data are meeting records retention requirements. they allow data integrity to be verified without reference to the original file: if the file as stored on the backup medium has the same checksum as the saved value. Validation Many backup programs make use of checksums or hashes to validate that the data was accurately copied. Measuring the process To ensure that the backup scheme is working as expected. activity and change logs are useful for monitoring backup system events. For that reason. and optimize their backup operations (backup reporting). then it is very probably correct. to improve backup speed. 
the user accounts and/or system agents that perform the backups need to be authenticated at some level. Many backup software packages include this functionality. validate. . Scheduling Using a job scheduler can greatly improve the reliability and consistency of backups by removing part of the human element. The tools and concepts below can make that task more achievable. This same process is also used to prove compliance to regulatory bodies outside of the organization. Monitored backup Backup processes are monitored by a third party monitoring center. Some monitoring services also allow collection of historical meta-data. data complexity. reports are useful for monitoring media usage. The power to copy all data off of or onto a system requires unrestricted access. Monitored backup requires software capable of pinging the monitoring center's servers in the case of errors. the process needs to include monitoring key factors and maintaining historical data.Backup 43 Implementation Meeting the defined objectives in the face of the above limitations can be a difficult task.

that can be used for Storage Resource Management purposes like projection of data growth, locating redundant primary storage capacity and reclaimable backup capacity.

Law

Confusion
Because of a considerable overlap in technology, backups and backup systems are frequently confused with archives and fault-tolerant systems. Backups differ from archives in the sense that archives are the primary copy of data, usually put away for future use, while backups are a secondary copy of data, kept on hand to replace the original item. Backup systems differ from fault-tolerant systems in the sense that backup systems assume that a fault will cause a data loss event and fault-tolerant systems assure a fault will not.

Advice
• The more important the data that is stored on the computer, the greater is the need for backing up this data.
• A backup is only as useful as its associated restore strategy. For critical systems and data, the restoration process must be tested.
• Storing the copy near the original is unwise, since many disasters such as fire, flood, theft, and electrical surges are likely to cause damage to the backup at the same time. In these cases, both the original and the backup medium are likely to be lost.
• Automated backup and scheduling should be considered, as manual backups can be affected by human error.
• Incremental backups should be considered to save the amount of storage space and to avoid redundancy.
• Backups can fail for a wide variety of reasons. A verification or monitoring strategy is an important part of a successful backup plan.
• Multiple backups on different media, stored in different locations, should be used for all critical information.
• Backed up archives should be stored in open and standard formats, especially when the goal is long-term archiving. Recovery software and processes may have changed, and software may not be available to restore data saved in proprietary formats.
• System administrators and others working in the information technology field are routinely fired for not devising and maintaining backup processes suitable to their organization.

Events
• On 5 May 1996, during a fire at the headquarters of Crédit Lyonnais, a major bank in Paris, system administrators ran into the burning building to rescue backup tapes because they didn't have off-site copies. Crucial bank archives and computer data were lost.[17][18]
• Privacy Rights Clearinghouse has documented[19] 16 instances of stolen or lost backup tapes (among major organizations) in 2005 & 2006. Affected organizations included Bank of America, Ameritrade, Citigroup, and Time Warner.
• On 3 January 2008, an email server crashed at TeliaSonera, a major Nordic telecom company and internet service provider. It was subsequently discovered that the last serviceable backup set was from 15 December 2007. Three hundred thousand customer email accounts were affected.[20][21]
• On 27 February 2011 a software bug on Gmail caused 0.02% of its users to lose all their email. The messages were successfully restored from tape backups hours after the event.[22]

blogspot. Retrieved on 10 March 2007 [17] Credit Lyonnais fire. "Telia server outage causes massive loss of email messages" (http:/ / blog. org/ ar/ ChronDataBreaches. Retrieved on 10 March 2007 [6] Disk to Disk Backup versus Tape . storagesearch. html) . wisc. hipaadvisory. php). com/ glossary/ recovery_point_objective. Retrieved on 15 February 2009 [3] http:/ / www. html) (9 December 2004). shtml). [21] Telia Sonera to compensate clients over email crash (http:/ / www. html#coldbackup) (10 December 1997).Backup 45 References [1] American Heritage Dictionary entry for backup (http:/ / education. Retrieved 31 May 2008. aqualab. com/ reference/ dictionary/ entry/ backup). Retrieved on 10 March 2007 [7] "Bye Bye Tape. com/ 2007/ 04/ 18/ bye_bye_tape/ ). com/ glossary/ recovery_time_objective. Retrieved on 10 March 2007 [14] Definition of recovery point objective (http:/ / www.. com/ 2011/ 02/ gmail-back-soon-for-everyone. Hello 5. Retrieved on 10 March 2007 [15] Definition of recovery time objective (http:/ / www. . com/ incremental-backup. [8] Choosing a Data Backup Method (http:/ / www. org/ data/ choosing_a_data_backup. com/ news/ 11048) (28 April 2004). 7 January 2008. cs. tomshardware. com/ news/ business/ news/ article_1385007.destruction of crucial bank archives. com/ Learning/ CaseStudies/ CreditLyonnais. . php). seniortechcenter. yahoo.anta. net/ 2008/ 01/ 07/ telia-server-outage-causes-massive-loss-of-email-messages/ ). ISSN 1797-1993. ac. kabooza. ncl. com/ analyst/ pdf/ Ovum200510. 14. edu/ publications/ Cornell04VFS. riskythinking. Retrieved 22 April 2007. org/ web/ 20090112005358/ http:/ / www. riskythinking. anta. Blog. htm) Privacy Rights Clearinghouse. tech-faq. Retrieved on 10 March 2007 [10] What is a Snapshot backup? (http:/ / edseek. 1996 (http:/ / catless. (1 October 2005). monstersandcritics. San Diego [20] back up is the activibg of copying file or date bases. Retrieved 19 February 2009. com/ regs/ recordretention. 
Retrieved on 10 March 2007 [9] Wayback: A User-level V File System for Linux (http:/ / www. northwestern. American Heritage Dictionary entry for back up (http:/ / education. asp) [19] A Chronology of Data Breaches (http:/ / www. Archived (http:/ / web. php). htm [4] Incremental Backup (http:/ / www. com/ reference/ dictionary/ entry/ back) [2] Global Backup Survey (http:/ / www. php/ Telia_Sonera_to_compensate_clients_over_email_crash). Retrieved on 10 March 2007 [13] Backups tapes a backdoor for identity thieves (http:/ / www. . Retrieved on 10 March 2007 [12] Oracle Tips (http:/ / www. securityfocus. Retrieved on 10 March 2007 [11] Oracle Tips (http:/ / www. archive. com/ news/ business/ news/ article_1385007.. html). Retrieved on 7 March 2007 [16] HIPAA Advisory (http:/ / www. edu/ drmt/ oratips/ sess003. com/ engenio-art2. 7 January 2008. pdf). com/ ~jasonb/ articles/ dirvish_backup/ snapshot. drj. html). erisk.War or Truce? (http:/ / www. php/ Telia_Sonera_to_compensate_clients_over_email_crash) from the original on 12 January 2009.3TB eSATA" (http:/ / www. monstersandcritics. html) (2004). emc. html#subj3) [18] "." (http:/ / www. htm).net. html#Hotbackup) (10 December 1997). com/ new2dr/ w2_002. uk/ risks/ 18. edu/ drmt/ oratips/ sess003. privacyrights. yahoo. [22] Gmail back soon for everyone (http:/ / gmailblog... com/ globalsurvey. wisc. Retrieved on 10 March 2006 [5] Continuous Protection white paper (http:/ / www.

VBR or any executable code). When executed. due to the requirement for infection to occur under the root user. although some old versions of DOS 3 relied on it in their process . [3] References [1] ""F-Secure Advisory" (http:/ / www. com/ v-descs/ bliss. After the Staog virus it is the second known Linux virus. the BIOS selects a boot device. The MBR sector may contain code to locate the active partition and invoke its Volume Boot Record. This signature indicates the presence of at least a dummy boot loader which is safe to be executed. On an IBM PC compatible machine. antivirus software vendors and Linux distributions released security advisories to notify users of the potential risks. 0xAA (called the boot sector signature) at the end of the boot sector (offsets 0x1FE and 0x1FF). an operating system) stored on the same storage device. to which regular users do not have access. debian. External links • Bliss. In the case of the alpha version. the process may be quite different. [2] "F-Secure Advisory" (http:/ / www. It does not indicate the presence of a (or even a particular) file system or operating system. it attempts to attach itself to Linux executable files. floppy disk. f-secure. It may contain code to load and invoke an operating system (or other standalone program) installed on that device or within that partition. it does not propagate very effectively because of the structure of Linux's user privilege system.uni-paderborn. org/ security/ undated/ 1bliss). [1] When the Bliss virus was released. Although it was probably intended to prove that Linux can be infected. The location and size of the boot sector (perhaps corresponding to a logical disk sector) is specified by the design of the computing platform.de/~axel/bliss/) Boot sector A boot sector or boot block is a region of a hard disk. even if it may not be able to actually load an operating system. into physical memory at memory address 0x7C00. 
[2] Debian still lists itself as vulnerable to the Bliss virus. the risk is listed as minimal. The purpose of a boot sector is to allow the boot process of a computer to load a program (usually. shtml). shtml). . floppy disks and similar storage devices: • A Master Boot Record (MBR) is the first sector of a data storage device that has been partitioned. so users notice it immediately. [3] "Debian Security Advisory" (http:/ / www. but not necessarily.Bliss (virus) 46 Bliss (virus) Bliss is a computer virus that infects Linux systems. this prevents the executables from running. f-secure. a Linux "virus" (http://math-www. The Bliss virus never became widespread. then copies the first sector from the device (which may be a MBR. or other data storage device that contains machine code to be loaded into random-access memory (RAM) by a computer system's built-in firmware. and remains chiefly a research curiosity. . or the first sector of an individual partition on a data storage device that has been partitioned. com/ v-descs/ bliss. However. optical disc. Kinds of boot sectors Several major kinds of boot sectors could be encountered on IBM PC compatible hard disks. • A Volume Boot Record (VBR) is the first sector of a data storage device that has not been partitioned. The presence of an IBM PC compatible boot loader for x86-CPUs in the boot sector is by convention indicated by a two-byte hexadecimal sequence 0x55. On other systems. .

that will be a VBR. If the device is a hard disk. is responsible for loading and running the VBR of whichever primary partition is set to boot (the active partition). if ever. Nevertheless. it will try the next boot device in the row. the check can be disabled in some environments. USB device. reboot the system via INT 19h after user confirmation or cause the system to halt the bootstrapping process until the next power-up. Since old boot sectors (f. while for floppies and superfloppies it is enough to start with a byte greater or equal to 06h and the first nine words not to contain the same value. thereby avoiding the explicit test for 0x55. The BIOS merely passes control to whatever exists there. Boot code for other platforms or CPUs should not use this signature. • Non IBM PC compatible systems may have different boot sector formats on their disk devices. rendering this check not 100% reliable in practice. 0xAA in its last two bytes. anyway. the BIOS is ignorant of the distinction between VBRs and MBRs. for IBM PC compatible systems this is subject to El Torito specifications.[1] If the device is a floppy or USB flash drive. as long as the sector meets the very simple qualification of having the boot record signature of 0x55. hard disk or any other bootable storage device. abuse often occurs in the form of boot sector viruses. The signature is checked for by most System BIOSes since (at least) the IBM PC/AT (but not by the original IBM PC and some other machines). and in turn. Even more so. If they all fail it will typically display an error message and invoke INT 18h. This will either start up optional resident software in ROM (ROM BASIC). The firmware simply loads and runs the first sector of the storage device. whatever is stored in the first sector of a floppy diskette. This is why it's easy to replace the usual bootstrap code found in an MBR with more complex loaders.Boot sector to detect FAT-formatted media (newer versions do not). 
Systems not following the above described design are: • CD-ROMs usually have their own structure of boot sectors. 0xAA on floppies. Some BIOSes (like the IBM PC/AT) perform the check only for fixed disk / removable drives. Furthermore. 47 Operation On IBM PC compatible machines. is not required to immediately load any bootstrap code for an OS. even large multi-functional boot managers (programs stored elsewhere on the device which can run without an operating system). If the BIOS or MBR code does not detect a valid boot sector and therefore cannot pass execution to the boot sector code. before the boot sector is accepted as valid. that will be an MBR. some media for other platforms erroneously contain the signature. It is the code in the MBR which generally understands disk partitioning. . The VBR then loads a second-stage bootloader from another location on the disk. With this kind of freedom.e. very old CP/M-86 and DOS media) sometimes do not feature this signature despite the fact that they can be booted successfully. allowing users a number of choices in what occurs next. it is also checked by most MBR boot loaders before passing control to the boot sector. and of partitioning. since this may lead to a crash when the BIOS passes execution to the boot sector assuming that it contains valid executable code.

Boot sector viruses
Since code in the boot sector is executed automatically, boot sectors have historically been a common attack vector for computer viruses. To combat this behavior, the BIOS often includes an option to prevent writing to the boot sectors of attached hard drives.

References
[1] http://www.ibm.com/developerworks/linux/library/l-grub2/index.html?ca=dgr-lnxw97Grub2dth=LX

and not all botnets exhibit the same topology for command and control. and the program that embeds the client on the victim's machine. This can be accomplished by luring users into making a drive-by download. usually through an IRC. otherwise known as malicious software. Smith[2] in 2001 for the purpose of bulk spam accounting for nearly 25% of all spam at the time. but are operated by different entities. Depending on how it is written. Advanced topology is more resilient to shutdown. As of 2006. is created when a computer is penetrated by software from a malware distribution. using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet.[4] Botnet architecture evolved over time. and often for criminal purposes. A bot typically runs hidden and uses a covert channel (e. although larger networks continued to operate. This server is known as the command-and-control (C&C) server. the average size of a network was estimated at 20.000 computers. linked for greater redundancy so as to reduce the threat of a takedown. the perpetrator has compromised multiple systems using various tools (exploits. Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords.[5] Typical botnet topologies are Star. These protocols include a server program. as well as others. A botnet's originator (known as a "bot herder" or "bot master") can control the group remotely.[3] The term "botnet" can be used to refer to any group of computers. These communicate over a network. Though rare. To thwart detection. but the term is generally used to refer to a collection of computers (called zombie computers) that have been recruited by running malicious software. buffer overflows.g. Generally. Organization While botnets are often named after the malware that created them. 
or may remain present to update and maintain the modules.[1] Recruitment Computers can be co-opted into a botnet when they execute malicious software. the more valuable it becomes to a botnet controller community. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. some botnets are scaling back in size. The first BotNet was first acknowledged and exposed by Earthlink during a lawsuit with notorious spammer Khan C. see also RPC). the RFC 1459 (IRC) standard. more experienced botnet operators program command protocols from scratch. Multi-server.Botnet 49 Botnet A botnet is a collection of internet-connected computers whose security defenses have been breached and control ceded to a 3rd party. enumeration or discovery. Actual botnet communities usually consist of one or several controllers that rarely have highly developed command hierarchies. However. such as IRC bots. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping. Generally. Hierarchical and Random." Botnet servers are typically redundant.[6] . a client program for operation. which may come from an email attachment. the more vulnerabilities a bot can scan and propagate through. exploiting web browser vulnerabilities. some topologies limit the marketability of the botnet to third-parties. a Trojan may then delete itself. they rely on individual peer-to-peer relationships. or IM) to communicate with its C&C server. or by tricking the user into running a Trojan horse program. Twitter. Each such compromised device. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC (Internet Relay Chat) and HTTP (Hypertext Transfer Protocol). multiple botnets typically use the same malware. known as a "bot".

Formation and exploitation
This example illustrates how a botnet is created and used to send email spam.
1. A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application—the bot.
2. The bot on the infected PC logs into a particular C&C server.
3. A spammer purchases the services of the botnet from the operator.
4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages.

[Figure: How a botnet works]

Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, spamdexing and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.
The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.[7]

Types of attacks
• In distributed denial-of-service attacks, multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests. An example is an attack on a victim's phone number. The victim is bombarded with phone calls by the bots, attempting to connect to the internet.
• Adware advertises a commercial offering actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another advertiser.
• Spyware is software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential corporate information. Several targeted attacks on large corporations aimed to steal sensitive information, such as the Aurora botnet.[8]
• E-mail spam are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious.
• Click fraud occurs when the user's computer visits websites without the user's awareness to create false web traffic for personal or commercial gain.
• Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
• Brute-forcing remote machines services such as FTP, SMTP and SSH.
• Worms. The botnet focuses on recruiting other hosts.

• Scareware is software that is marketed by creating fear in users. Once installed, it can install malware and recruit the host into a botnet. For example users can be induced to buy a rogue anti-virus to regain access to their computer.[9]
• Exploiting systems by observing users playing online games such as poker and see the players' cards.[10]

Countermeasures
The geographic dispersal of botnets means that each recruit must be individually identified/corralled/repaired and limits the benefits of filtering. Passive OS fingerprinting can identify attacks: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures use rate-based intrusion prevention systems using specialized hardware. A network based intrusion detection system (NIDS) can be effective. NIDS monitors a network: it sees a protected host in terms of external interfaces to the rest of the network, rather than as a single system, and gets results by network packet analysis.[11]
Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Some botnets implement custom versions of well-known protocols. The implementation differences can be used for detection of botnets. For example, Mega-D features a slightly modified SMTP protocol implementation for testing spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.[12]
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, finding one server with one botnet channel can often reveal the other servers, as well as their bots. A botnet server structure that lacks redundancy is vulnerable to at least the temporary disconnection of that server. However, recent IRC server software includes features to mask other connected servers and bots, eliminating that approach.
Security companies such as Afferent Security Labs, Symantec, Trend Micro, FireEye, Umbra Data and Damballa have announced offerings to counter botnets. For example, Norton AntiBot was aimed at consumers, but most target enterprises and/or ISPs. Host-based techniques use heuristics to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.
Some newer botnets are almost entirely P2P, with command-and-control embedded into the botnet rather than relying on C&C servers, avoiding any single point of failure. Commanders can be identified just through secure keys, and all data except the binary itself can be encrypted. For example, a spyware program may encrypt all suspected passwords with a public key hard coded or distributed with the bot software. Only with the private key, which only the commander has, can the data captured by the bot be read.
Some botnets are capable of detecting and reacting to attempts to figure out how they work. A large botnet that learns it is being studied can even attack those studying it.
Researchers at Sandia National Laboratories are analyzing botnet behavior by simultaneously running one million Linux kernels as virtual machines on a 4,480-node high-performance computer cluster.[13]

Cryptic Danmec.000 12. Cotmonger. Locksky Pokier.000 260.000 509. Peacomm.000 (US [18] Only) 1.000 20.000 495.500.Spammer. Kneber Oficla Aliases 2009 (May) 2008 (around) 2008 (November) 2010 (around) ? BredoLab Mariposa Conficker TDL4 Zeus 10.000 [15] [16] Spam capacity 3.000 [19] [20] 2007 (Around) 2008 (Around) 2009 (Around) ? ? 2007 (March) ? 2004 (Early) ? ? ? 2006 (Around) ? 2008 (November) ? ? ? ? ? 2008 (Around) 2010 (March) 2011 (March) 2012-07-19 Cutwail Sality Grum Mega-D Kraken Srizbi Lethic Bagle Bobax Torpig Storm Rustock Donbot Waledac Maazben 74 billion/day ? 39. Kido TDSS.000 [17] 3. Slogger. Mitglieder.600.000 160.000 50.000[31] Gheg ?? Wopla Asprox Spamthru 30.000 15. Covesmer. Bachsoy Waled.7 billion/day 9 billion/day n/a 3 billion/day 30 billion/day 0.000 1.000+ 4.8 billion/day 0. Anserin Nuwar.000 180.6 billion/day ? 0. Xmiler [21] [22] [23] [24] [25] [25] [25] [26] [27] [28] [29] [30] [25] Onewordsub 40.5 billion/day 0.9 billion/day 10 billion/day 9 billion/day 60 billion/day 2 billion/day 5. Wsnpoem.000 80.5 billion/day 1.000 [25] [31] [31] [32] [31] . Pushdo) Sector.000 150.000 560. Lodeight Bobic.8 billion/day 1.000 230. Mondera Loosky. Exchanger none Beagle.000. Kuku Tedroo Ozdok Kracken Cbeplay.000. Waledpak None ? Tofsee. DownAndUp.24 billion/day 5 billion/day 0. Zhelatin RKRustok.6 billion/day ? 10 billion/day ? n/a DownUp.000 12. DownAdUp.000 20. Oderoor.500.000. Hacktool. PRG.Botnet 52 Historical list of botnets Date created Date dismantled 2010-Oct (partial) 2009-Dec Name Estimated no. Hydraflux Spam-DComServ.500.35 billion/day Pandex. Alureon Zbot. of bots [14] 30. Gorhax.000 450. Costrat Buzus.000 125. Kraken Sinowal.000 185. Mutant (related to: Wigon.

com. Retrieved 2011-11-10. [17] "Cómo detectar y borrar el rootkit TDL4 (TDSS/Alureon)" (http:/ / infoaleph.000 infected machines. Cho. pdf).com. Retrieved 7 April 2011. Puri (2003-08-08).com" (http:/ / www2. Damballa. ISBN 978-1-59749-135-8. . html?page=all). Retrieved 2011-07-11.. DSL Reports. Santa Barbara took control of a botnet that was six times smaller than expected. 0_Trojan_horses). R. D. html). 2002. it is common that users change their IP address a few times in one day.000 computers. SANS Institute.The average botnet size is now about 20. 2009-07-22.5 billion/day 0. .. Botnets the killer web app ([Online-Ausg. News Briefs (IEEE Computer Society).. . [4] "what is a Botnet trojan?" (http:/ / www. Damballa. . [11] al. . Retrieved July 22. [8] "Operation Aurora — The Command Structure" (http:/ / www. com/ news/ 2009/ 072209-botnets. 2011-07-03. damballa. . Retrieved 7 April 2011.com. Retrieved 2011-04-23. DSLReports. MA: Syngress Publishing. Ring0. f-secure.] ed. damballa. com/ weblog/ archives/ 00001584. com/ faq/ 14158). Retrieved 2010-07-30. com/ article/ 159316/ fake_infection_warnings_can_be_real_trouble. . Msmvps.15 billion/day 2. 2009-01-16. according to Mark Sunner. In some countries. 2010-02-02.300. Pixoliz 53 [25] 10. Networkworld. [14] "Infosecurity (UK) . . Retrieved 2011-11-10. com/ 2011/ 07/ 03/ como-detectar-y-borrar-el-rootkit-tdl4-tdssalureon/ ).000 ? • Researchers at the University of California. Retrieved 2010-10-22. . 2009-08-12. networkworld.[34] • All botnets listed here affect only Microsoft Windows systems. [12] C. canada. "The size of bot networks peaked in mid-2004. p. References [1] Ramneek.com.000+ [25] 0. . [et (2007). "Fake Infection Warnings Can Be Real Trouble" (http:/ / www. 156. Retrieved 2010-07-30. dslreports. Song. aspx). com/ news/ 4660/ korean-poker-hackers-arrested). "5". 8 June 2009. org/ comp/ mags/ co/ 2006/ 04/ r4017. org/ reading_room/ whitepapers/ malicious/ bots-botnet-overview_1299) (PDF). 
Estimating the size of the botnet by the number of IP addresses is often used by researchers. 2010 ACM Conference on Computer and Communications Security. [2] Credeur. and Virus FAQ" (http:/ / www.com. . com/ downloads/ r_pubs/ WP Botnet Communications Primer (2009-06-04).. Damballa. Retrieved 2011-06-21. Babic.000 ? ? None None none LowSecurity. . and D. Retrieved 2010-07-30.com. possibly leading to inaccurate assessments. Erik (2009-02-10). IT Security & Network Security News. com/ index.Tools Rlsloup.25 billion/day ? [33] 1. . Craig A. . Retrieved 2011-11-10. Mary.com. wordpress. [10] 8 Jul 2010 (2010-07-08). com/ blogs/ harrywaldron/ archive/ 2010/ 02/ 02/ pushdo-botnet-new-ddos-attacks-on-major-web-sites. Retrieved 2011-11-10. [16] "Calculating the Size of the Downadup Outbreak — F-Secure Weblog : News from the Lab" (http:/ / www. php/ Pubs/ CCS10botnets).Botnet 2010 (January) ? 2009 (August) 2008 (Around) 2007 LowSec Xarvester Festi Gumblar Akbot 11. html?id=3333655). [5] Botnet Communication Topologies (http:/ / www. 10 June 2009.gamingsupermarket. com/ faq/ trojans/ 1.Y.BredoLab downed botnet linked with Spamit.canada. Shin. kasperskytienda. gamingsupermarket. with many using more than 100. html). . "Atlanta Business Chronicle. sans. domagoj-babic. [19] "Pushdo Botnet — New DDOS attacks on major web sites — Harry Waldron — IT Security" (http:/ / msmvps.com. FreeMoney.es. com/ research/ aurora/ ). . Inference and Analysis of Formal Models of Botnet Command and Control Protocols (http:/ / www. chief technology officer at MessageLabs. com/ downloads/ d_pubs/ WP Many-to-Many Botnet Relationships (2009-05-21). wordpress.). [6] "Hackers Strengthen Malicious Botnets by Shrinking Them" (http:/ / csdl2. computer. April 2006. Schiller . "Korean Poker Hackers Arrested" (http:/ / poker. pdf) (PDF). com/ 2011/ 07/ 03/ como-detectar-y-borrar-el-rootkit-tdl4-tdssalureon/ ). [18] "America's 10 most wanted botnets" (http:/ / www. bizjournals. Rockland. [9] Larkin.canada. 
"Bots &. F-secure. Botnet: An Overview" (http:/ / www. html). eweek. com/ atlanta/ stories/ 2002/ 07/ 22/ story4. Retrieved 2010-04-24. [13] "Researchers Boot Million Linux Kernels to Help Botnet Research" (http:/ / www. Poker. [15] "Suspected 'Mariposa Botnet' creator arrested" (http:/ / infoaleph. [3] Many-to-Many Botnet Relationships (http:/ / www. pcworld. pdf). damballa. he said." [7] "Trojan horse. . bizjournals. PCWorld.]. com/ c/ a/ Security/ Researchers-Boot-Million-Linux-Kernels-to-Help-Botnet-Research-550216/ ?kc=EWKNLLIN08182009STR2). Staff Writer" (http:/ / www. com/ topics/ technology/ story. . broadbandreports.

co. Retrieved 2011-04-23. uk/ 2008/ 05/ 14/ asprox_attacks_websites/ ). co. [21] "Research: Small DIY botnets prevalent in enterprise networks" (http:/ / www. Mega-D Botmaster to Stand Trial" (http:/ / garwarner. theregister. • The Shadowserver Foundation (http://www. jhtml?articleID=211201307). Retrieved 2010-12-06. .com/proxy/) (including administration screenshots). "Botnet size may be exaggerated. Retrieved 2010-07-30. . uk/ 2010/ 03/ 16/ waledac_takedown_success/ ).co. [34] Espiner. Retrieved 2010-07-30.An all volunteer security watchdog group that gathers. and reports on malware. pdf). [32] "Botnet sics zombie soldiers on gimpy websites" (http:/ / www.Botnet [20] "Sality: Story of a Peer-to-Peer Viral Network" (http:/ / www. blorge.com/wiki/ Build_your_own_botnet_with_open_source_software) • The Honeynet Project & Research Alliance (http://www. [28] Chuck Miller (2008-07-25). [27] "Storm Worm network shrinks to about one-tenth of its former size" (http:/ / tech. svl=news1_1). 2010-03-16. 2008-05-14. html).org/project/lred) .honeynet. "Researchers hijack control of Torpig botnet" (http:/ / www.eweek. 54 External links • Wired. . . "The Rustock botnet spams again" (http:/ / www. uk/ 2/ hi/ technology/ 7749835.nanog. . ZDNet.Real-time database of malicious botnet command and control servers.be/maarten/mobbot. [29] "Spam Botnets to Watch in 2009 | Dell SecureWorks" (http:/ / www. com/ blog/ security/ research-small-diy-botnets-prevalent-in-enterprise-networks/ 4485). 2008-11-26.shadowserver. Tech.Blorge. Retrieved 2010-07-30. The Register. [31] Gregg Keizer (2008-04-09). Computerworld. . Retrieved 2010-07-30.html) . [22] Warner. co.11/botnet. • NANOG Abstract: Botnets (http://www. com/ research/ threats/ botnets2009/ ). com/ Structure: / 2007/ 10/ 21/ 2483/ ). Retrieved 2012-01-16. • Mobile botnets (http://www. modem. Retrieved 2011-04-23. Symantec. com/ 2010/ 12/ oleg-nikolaenko-mega-d-botmaster-to.com . Retrieved 2011-11-12. 
"Top botnets control 1M hijacked computers" (http:/ / www. [25] http:/ / www.org) . DarkReading. etc) addresses (http://luno. html).com. bbc.3 million computers" (http:/ / www.darkreading.John Kristoff's NANOG32 Botnets presentation. . zdnet. scmagazineus. botnet activity. The Register. secureworks. [24] "Technology | Spam on rise after brief reprieve" (http:/ / news.00. Retrieved 2011-11-10. co.html) at Wired • Dark Reading . 2007-10-21. pdf [26] Chuck Miller (2009-05-05). The H security. "Know your Enemy: Tracking Botnets".1895. • EWeek. theregister. . • List of dynamic (dsl. • Attack of the Bots (http://www.pdf) . uk/ news/ security-threats/ 2011/ 03/ 08/ botnet-size-may-be-exaggerated-says-enisa-40092062/ ). CyberCrime & Doing Time. symantec. [30] "Waledac botnet 'decimated' by MS takedown" (http:/ / www.asp).Com.Filter SMTP mail for hosts likely to be in botnets. . says Enisa | Security Threats | ZDNet UK" (http:/ / www.com/document. Retrieved 2010-04-24.Intrusive analysis of a web-based proxy botnet (http://lowkeysoft. . [33] "New Zealand teenager accused of controlling botnet of 1. zdnet. SC Magazine US. BBC News. SC Magazine US.wired.2029720. "Oleg Nikolaenko.Is the Botnet Battle Already Lost? (http://www. .arbor. 2007-11-30.daemon. h-online. scmagazineus.An economic and technological assessment of mobile botnets. com/ mlireport/ MLI_2010_04_Apr_FINAL_EN. Retrieved 2012-01-12. computerworld.com/wired/archive/14.org/papers/bots/). .org/meetings/nanog32/presentations/kristoff. . stm). . Zdnet. • ATLAS Global Botnets Summary Report (http://atlas.net/summary/botnets) . . blogspot. com/ security/ news/ item/ New-Zealand-teenager-accused-of-controlling-botnet-of-1-3-million-computers-734068. • Lowkeysoft . com/ security/ perimeter/ showArticle. com/ connect/ sites/ default/ files/ sality_peer_to_peer_viral_network. Gary (2010-12-02). cable.uk. Secureworks. Retrieved 2011-11-10. com/ researchers-hijack-control-of-torpig-botnet/ article/ 136207/ ). 
2011-08-03.wired. Tom (2011-03-08). Retrieved 2011-04-23.com/article2/0. messagelabs. tracks. darkreading. and electronic fraud. [23] "New Massive Botnet Twice the Size of Storm — Security/Perimeter" (http:/ / www.asp?doc_id=122116&WT.Botnets Battle Over Turf (http://www. com/ the-rustock-botnet-spams-again/ article/ 112940/ ). com/ s/ article/ 9076278/ Top_botnets_control_1M_hijacked_computers).com How-to: Build your own botnet with open source software (http://howto.

• FBI LAX Press Release DOJ (http://losangeles.fbi.gov/dojpressrel/pressrel08/la041608usa.htm) - FBI April 16, 2008
• Milcord Botnet Defense (http://wiki.milcord.com/wiki/Botnet_Defense) - DHS-sponsored R&D project that uses machine learning to adaptively detect botnet behavior at the network-level
• A Botnet by Any Other Name (http://www.securityfocus.com/columnists/501) - SecurityFocus column by Gunter Ollmann on botnet naming.

COM file

Filename extension: .COM
Type of format: Executable

In many computer operating systems, a COM file is a type of executable file; the name is derived from the file name extension .COM. Originally, the term stood for "Command file", a text file containing commands to be issued to the operating system (similar to a DOS batch file), on many of the Digital Equipment Corporation mini and mainframe operating systems going back to the 1970s.[1] With the introduction of microcomputers, the type of files commonly associated with the extension .com changed; in 8-bit CP/M, and later in MS-DOS and compatible DOSes, they are binary executable files by convention. Executables in the COM file format do not necessarily need to have the file name extension .COM in any but CP/M and very early versions of MS-DOS.

The .COM file name extension has no relation to the .com (for "commercial") top-level Internet domain name. However, this similarity in name has been exploited by malicious computer virus writers.

MS-DOS binary format

The COM format is the original binary executable format used in CP/M and MS-DOS. It is very simple; it has no header (with the exception of CP/M 3 files), and contains no metadata, only code and data. This simplicity exacts a price: the binary has a maximum size of 65,280 (FF00h) bytes (256 bytes short of 64 KiB) and stores all its code and data in one segment.

Since it lacks relocation information, it is loaded by the operating system at a pre-set address, at offset 0100h immediately following the PSP, where it is executed (hence the limitation of the executable's size). This was not an issue on early 8-bit machines because of how the segmentation model works, but it is the main reason why the format fell into disuse soon after the introduction of 16- and then 32-bit processors with their much larger, segmented memory.

In the Intel 8080 CPU architecture, only 65,536 bytes of memory could be addressed (address range 0000h to FFFFh). Under CP/M, the first 256 bytes of this memory, from 0000h to 00FFh were reserved for system use by the zero page, and any user program had to be loaded at exactly 0100h to be executed. COM files fit this model perfectly. Note that before the introduction of MP/M and Concurrent CP/M there was no possibility of running more than one program or command at a time: the program loaded at 0100h was run, and no other.

Although the file format is the same in MS-DOS and CP/M, .COM files for the two operating systems are not compatible; MS-DOS COM files contain x86 instructions and possibly MS-DOS system calls, while CP/M COM files contain 8080 instructions (programs restricted to certain machines could also contain additional instructions for 8085 or Z80) and CP/M system calls.

It is possible to make a .COM file which will run under both operating systems, a "fat binary". There is no true compatibility at the instruction level; the instructions at the entry point are chosen to be equal in functionality but different in both operating systems, and make program execution jump to the section for the operating system in use. It is basically two different programs with the same functionality in a single file, preceded by code selecting the one to use.

Under CP/M 3, if the first byte of a COM file is C9h there is a 256-byte header; since C9h corresponds to the 8080 instruction RET, this means that the COM file will immediately terminate if run on an earlier version of CP/M that does not support this extension. (Because the instruction sets of the 8085 and Z80 are supersets of the 8080 instruction set, this works on all three processors.) C9h is an invalid opcode on the 8088/8086, and it will cause an INT 6 exception in v86 mode since the 386. Since C9h is the opcode for LEAVE since the 80188/80186 and therefore not used as the first instruction in a valid program, the executable loader in some versions of DOS rejects COM files that start with C9h, avoiding a crash.

Files may have names ending in .COM, but not be in the simple format described above; this is indicated by a magic number at the start of the file. For example, the COMMAND.COM file in DR DOS 6.0 is actually in DOS executable format, indicated by the first two bytes being MZ (4Dh 5Ah), the initials of Mark Zbikowski.

Large programs

In MS-DOS and compatible DOSes, there is no memory management provided for COM files by the loader or execution environment. All memory is simply available to the COM file. After execution, the operating system command shell, COMMAND.COM, is reloaded. This leaves the possibilities that the COM file can either be very simple, using a single segment, or arbitrarily complex, providing its own memory management system. An example of a complex program is COMMAND.COM, the MS-DOS shell, which provided a loader to load other COM or EXE programs. In the .COM system, larger programs (up to the available memory size) can be loaded and run, but the system loader assumes that all code and data is in the first segment, and it is up to the .COM program to provide any further organization. Programs larger than available memory, or large data segments, can be handled by dynamic linking, if the necessary code is included in the .COM program. The advantage of using the .COM rather than .EXE format is that the binary image is usually smaller and easier to program using an assembler.[2] Once compilers and linkers of sufficient power became available it was no longer advantageous to use the .COM format for complex programs.

Execution preference

In MS-DOS, if a directory contains both a COM file and an EXE file with same name (not including extension), the COM file is preferentially selected for execution. For example, if a directory in the system path contains two files named foo.com and foo.exe, the following would execute foo.com:

    C:\>foo

A user wishing to run foo.exe can explicitly use the complete filename:

    C:\>foo.exe

Taking advantage of this default behaviour, virus writers and other malicious programmers have used names like notepad.com for their creations, hoping that if it is placed in the same directory as the corresponding EXE file, a command or batch file may accidentally trigger their program instead of the text editor notepad.exe.

On Windows NT and derivatives (Windows 2000, Windows XP, Windows Vista, and Windows 7), the PATHEXT variable is used to override the order of preference (and acceptable extensions) for calling files without specifying the extension from the command line. The default value still places .com files before .exe files. This closely resembles a feature previously found in JP Software's line of extended command line processors 4DOS, 4OS2, and 4NT.

Platform support

The format is still executable on many modern Windows-based platforms, but it is run in an MS-DOS-emulating subsystem, NTVDM, which is not present in 64-bit variants. COM files can be executed also on DOS emulators such as DOSBox, on any platform supported by these emulators.

Malicious usage of the .com extension

Some computer virus writers have hoped to take advantage of modern computer users' likely lack of knowledge of the .com file extension and associated binary format, along with their more likely familiarity with the .com Internet domain name. E-mail has been sent with attachment names similar to "www.example.com". Unwary Microsoft Windows users clicking on such an attachment would expect to begin browsing a site named http://www.example.com/, but instead would run the attached binary command file named www.example.com, giving it full permission to do to their machine whatever its author had in mind.

Note that there is nothing malicious about the COM file format itself; this is an exploitation of the coincidental name collision between .com command files and .com commercial web sites.

References

[1] This site (http://www.skrenta.com/pdpbook.txt) has a reference book for the RT-11 operating system running on the PDP-11 minicomputer, which shows in section 5.3 that .COM is used to refer to a command file
[2] Scanlon, Leo J. (1991). "ch. 2". Assembly Language Subroutines for MS-DOS (2nd ed.). Windcrest Books. pp. 16. ISBN 0-8306-7649-X.

External links

• John Elliott's article on the extended CP/M-80 3.0 COM file header (http://www.seasip.demon.co.uk/Cpm/rsxrec.html)
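The COM file material above names three things a defender can check mechanically: the leading bytes and size of a .COM-named file, same-name .com/.exe pairs that change which program a bare command runs, and attachment names that read like web addresses. The Python sketch below is an added example, not part of the original guide; its function names are hypothetical and SAMPLE_PATHEXT is a shortened, constructed value that keeps .COM ahead of .EXE as the text describes.

```python
from pathlib import PureWindowsPath

COM_MAX_SIZE = 0xFF00      # 65,280 bytes: largest image the plain COM format allows
MZ_MAGIC = b"MZ"           # 4Dh 5Ah: file is really in DOS executable (EXE) format
CPM3_HEADER_BYTE = 0xC9    # first byte of a CP/M 3 COM file that carries a header

# Constructed sample value (assumption): shortened list, .COM before .EXE.
SAMPLE_PATHEXT = ".COM;.EXE;.BAT;.CMD"


def classify_com_image(data: bytes) -> str:
    """Classify the content of a file whose name ends in .COM."""
    if not data:
        return "empty"
    if data[:2] == MZ_MAGIC:
        return "mz-executable"      # .COM name, EXE content
    if data[0] == CPM3_HEADER_BYTE:
        return "cpm3-header"        # some DOS loaders refuse to run these
    if len(data) > COM_MAX_SIZE:
        return "oversized"          # cannot be a single-segment COM image
    return "plain-com"


def _extensions(pathext: str) -> list:
    return [e.lower() for e in pathext.split(";") if e]


def resolve_bare_command(name: str, files: list, pathext: str = SAMPLE_PATHEXT):
    """Return the file one directory would supply for a command typed without extension."""
    by_lower = {f.lower(): f for f in files}
    for ext in _extensions(pathext):
        hit = by_lower.get(name.lower() + ext)
        if hit is not None:
            return hit
    return None


def shadowed_executables(files: list, pathext: str = SAMPLE_PATHEXT) -> list:
    """List (winner, shadowed) pairs sharing a base name within one directory."""
    exts = _extensions(pathext)
    groups = {}
    for f in files:
        p = PureWindowsPath(f)
        if p.suffix.lower() in exts:
            groups.setdefault(p.stem.lower(), []).append(f)
    pairs = []
    for _stem, members in sorted(groups.items()):
        if len(members) < 2:
            continue
        # Earlier position in PATHEXT wins when no extension is typed.
        members.sort(key=lambda f: exts.index(PureWindowsPath(f).suffix.lower()))
        pairs.extend((members[0], loser) for loser in members[1:])
    return pairs


def looks_like_hostname_attachment(filename: str) -> bool:
    """True for names such as "www.example.com": a .com file that reads as a web address.

    At least two dot-separated labels before ".com" are required, so ordinary
    names like command.com are not reported.
    """
    p = PureWindowsPath(filename)
    if p.suffix.lower() != ".com":
        return False
    labels = p.stem.lower().split(".")
    return len(labels) >= 2 and all(
        label and label.replace("-", "").isalnum() for label in labels
    )


if __name__ == "__main__":
    listing = ["notepad.com", "NOTEPAD.EXE", "foo.exe", "readme.txt"]  # constructed
    print(shadowed_executables(listing))
    print(classify_com_image(b"MZ\x90\x00"))
    print(looks_like_hostname_attachment("www.example.com"))
```

A mail gateway or file-integrity job could run the name check on attachments and the shadowing check on each directory in the search path, reporting any pair where the .com member is not part of the known software inventory.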

Component Object Model

Component Object Model (COM) is a binary-interface standard for software componentry introduced by Microsoft in 1993. It is used to enable interprocess communication and dynamic object creation in a large range of programming languages. The term COM is often used in the Microsoft software development industry as an umbrella term that encompasses the OLE, OLE Automation, ActiveX, COM+ and DCOM technologies.

Overview

The essence of COM is a language-neutral way of implementing objects that can be used in environments different from the one in which they were created, even across machine boundaries. For well-authored components, COM allows reuse of objects with no knowledge of their internal implementation, as it forces component implementers to provide well-defined interfaces that are separate from the implementation. The different allocation semantics of languages are accommodated by making objects responsible for their own creation and destruction through reference-counting. Casting between different interfaces of an object is achieved through the QueryInterface() function. The preferred method of inheritance within COM is the creation of sub-objects to which method calls are delegated.

COM is an interface technology defined and implemented as standard only on Microsoft Windows and Apple's Core Foundation 1.3 and later plug-in API.[1] the Windows Communication Foundation (WCF). However, COM objects can be used with all .NET languages through .NET COM Interop. Networked DCOM uses binary proprietary formats, while WCF encourages the use of XML-based SOAP messaging. COM is very similar to other component software interface technologies, such as CORBA and Java Beans, although each has its own strengths and weaknesses.

History

One of the first methods of interprocess communication in Windows was Dynamic Data Exchange (DDE), first introduced in 1987, that allowed sending and receiving messages in so-called "conversations" between applications. Antony Williams, one of the most notable thinkers involved in the creation of the COM architecture, later distributed two internal papers in Microsoft that embraced the concept of software components: Object Architecture: Dealing With the Unknown – or – Type Safety in a Dynamically Extensible Class Library in 1988 and On Inheritance: What It Means and How To Use It in 1990. These provided the foundation of many of the ideas behind COM. Object Linking and Embedding (OLE), Microsoft's first object-based framework, was built on top of DDE and designed specifically for compound documents. It was introduced with Word for Windows and Excel in 1991, and was later included with Windows, starting with version 3.1 in 1992. An example of a compound document is a spreadsheet embedded in a Word for Windows document: as changes are made to the spreadsheet within Excel, they appear automatically inside the Word document.

In 1991, Microsoft introduced Visual Basic Extensions (VBX) with Visual Basic 1.0. A VBX is a packaged extension in the form of a dynamic-link library (DLL) that allowed objects to be graphically placed in a form and manipulated by properties and methods. These were later adapted for use by other languages such as Visual C++. In 1992, when version 3.1 of Windows was released, Microsoft released OLE 2 with its underlying object model. The COM Application binary interface (ABI) was the same as the MAPI ABI, which was released in 1992. While OLE 1 was focused on compound documents, COM and OLE 2 were designed to address software components in general. Text conversations and Windows messages had proved not to be flexible enough to allow sharing application features in a robust and extensible way, so COM was created as a new foundation, and OLE changed to OLE2.

. as well as to position Windows as an alternative to other enterprise-level operating systems. In early 1996. COM+ events extend the COM+ programming model to support late-bound events or method calls between the publisher or subscriber and the event system. expanding their Web browser's capability to present content.installing an MTS component would modify the Windows Registry to call the MTS software. disconnected applications.NET.NET Language including C#. Visual Basic and C++/CLI. Components that made use of COM+ services were handled more directly by the added layer of COM+. it was easy to do for developers. providing high performance. The . and provided a new way of leveraging MSMQ (inter-application asynchronous messaging) with components called Queued Components.NET Microsoft .NET framework provides rapid development tools similar to Visual Basic for both Windows Forms and Web Forms with just-in-time compilation.NET providing wrappers to the most commonly used COM controls. Therefore. Microsoft stated that OLE 2 would just be known as "OLE". event publication and subscription. COM remains the viable technology. but a name for all of the company's component technologies. interception was tacked on . COM+ In order for Microsoft to provide developers with support for distributed transactions. Microsoft itself uses COM for modern operating system components like the ribbon control provided in Windows 7 and Windows 8. and not the component directly. Components could also be distributed (called from another machine). influenced development of a number of supporting technologies.Component Object Model In 1994 OLE custom controls (OCXs) were introduced as the successor to VBX controls. Windows 2000 also revised the Component Services control panel application used to configure COM+ components. as such. 
powerful and low-bandwidth-consumption remoting and unparallelled stability due to its nearly two decades of existence and improvement.NET provides means both to interact with COM+ (via COM-interop-assemblies). Microsoft found a new use for OLE Custom Controls. could be pooled and reused by new calls to its initializing routine without unloading it from memory. DCOM was introduced as an answer to CORBA. With Windows 2000. In the first release of MTS. with . Despite this. COM is still often used to hook up complex. better memory and processor (thread) management. that significant extension to COM was incorporated into the operating system (as opposed to the series of external tools provided by MTS) and renamed COM+. and gradually renamed all OLE technologies to ActiveX. resource pooling. At the same time. besides hundreds of other COM components in their standard . An advantage of COM+ was that it could be run in "component farms". COM+ also introduced a subscriber/publisher event mechanism called COM+ Events. and to provide component technology. so although DCOM was used to actually make the remote call. Microsoft now focuses much of its marketing efforts on . high performance code to front end code implemented in Visual Basic or ASP. back-end code can be implemented in any . in particular by operating system support for interception. Later that year. Microsoft introduced a technology called Microsoft Transaction Server (MTS) on Windows NT 4. Microsoft de-emphasized DCOM as a separate entity. At the same time. and that OLE was no longer an acronym. if coded properly. 60 Related technologies COM was the major software development platform for Windows and. COM+ and Microsoft Visual Studio provided tools to make it easy to generate client-side proxies. except the compound document technology that was used in Microsoft Office. Instances of a component. renamed some parts of OLE relating to the Internet ActiveX.

See COM Interop.[3] From both the COM and . . while being especially C++-friendly – COM paradigma. These malware attacks mostly depend on ActiveX for their activation and propagation to other computers. any lean. although relying on an enhanced COM. 61 Windows Runtime Microsoft's new Windows Runtime (or WinRT. stored in ".EnterpriseServices namespace several of the services that COM+ provides have been duplicated in recent releases of .NET uses with a few modifications. and later by the .NET by implementing a runtime callable wrapper (RCW). objects using the other technology appear as native objects. the user is prompted whether to allow the installation or not. In addition to being able to leverage COM+ in . unplug your computer.Transactions namespace in . or to allow only a selected few. which provides transaction management without resorting to COM+. and much simpler syntax. Because of its COM-like basis.NET. There is limited support for backward compatibility. This common metadata format allows for significantly less overhead when invoking WinRT from . The API definitions are.[2] NET objects that conform to certain interface restrictions may be used in COM objects by calling a COM callable wrapper (CCW). queued components can be replaced by Windows Communication Foundation with an MSMQ transport (MSMQ being a native COM component. For example. Java applets) created a combination of problems in the Internet Explorer web browser that has led to an explosion of computer virus. Many of these problems have been addressed by the introduction of "Authenticode" code signing (based on digital signatures).Component Object Model installation. just as COM does.NET provides the TransactionScope class.NET applications compared to a P/Invoke. It is also ideal for script control of applications such as Office or Internet Explorer since it provides an interface for calling COM object methods from a script rather than requiring knowing the API at compile time.winmd" files. 
A COM object may be used in . WCF (Windows Communication Foundation) eases a number of COM's remote execution challenges. Microsoft recognized the problem with ActiveX as far back as 1996 when Charles Fitzgerald. high performance components continue to use the language-independent. however. … We never made the claim up front that ActiveX is intrinsically secure. The GUID system used by COM has wide uses any time a unique ID is needed.g.NET sides. However.NET platform. native API. there are fewer restrictions on what the code can do. program manager of Microsoft's Java team said "If you want security on the 'Net'.NET hides most detail from component creation and therefore eases development. Windows Runtime allows relatively easy interfacing from multiple languages. trojan and spyware infections. but it's essentially an unmanaged.g. the same format that ."[4] As COM and ActiveX components are run as native code on the user's machine. allowing objects to be transparently marshalled by value across process or machine boundaries more easily. however). Microsoft . Another security measure is that. enabling the user to disallow the installation of controls from sites that the user does not trust. Similarly. Internet security Microsoft's idea of embedding active content on web pages as COM/ActiveX components (rather than e.NET via the System. which are encoded in ECMA 335 metadata format. e. the System. before an ActiveX control is installed. It is also possible to disable ActiveX controls altogether. not to be confused with Windows RT) programming and application model is essentially a COM-based API.

Technical details

COM programmers build their software using COM-aware components. Different component types are identified by class IDs (CLSIDs), which are Globally Unique Identifiers (GUIDs). Each COM component exposes its functionality through one or more interfaces. The different interfaces supported by a component are distinguished from each other using interface IDs (IIDs), which are GUIDs too.

COM interfaces have bindings in several languages, such as C, C++, Visual Basic, Delphi, and several of the scripting languages implemented on the Windows platform. All access to components is done through the methods of the interfaces. This allows techniques such as inter-process, or even inter-computer programming (the latter using the support of DCOM).

Interfaces

All COM components must (at the very least) implement the standard IUnknown interface, and thus all COM interfaces are derived from IUnknown. The IUnknown interface consists of three methods: AddRef() and Release(), which implement reference counting and control the lifetime of interfaces; and QueryInterface(), which by specifying an IID allows a caller to retrieve references to the different interfaces the component implements. The effect of QueryInterface() is similar to dynamic_cast<> in C++ or casts in Java and C#.

A COM component's interfaces are required to exhibit the reflexive, symmetric, and transitive properties. The reflexive property refers to the ability for the QueryInterface() call on a given interface with the interface's ID to return the same instance of the interface. The symmetric property requires that when interface B is retrieved from interface A via QueryInterface(), interface A is retrievable from interface B as well. The transitive property requires that if interface B is obtainable from interface A and interface C is obtainable from interface B, then interface C should be retrievable from interface A.

An interface consists of a pointer to a virtual function table that contains a list of pointers to the functions that implement the functions declared in the interface, in the same order that they are declared in the interface. This technique of passing structures of function pointers is very similar to the one used by OLE 1.0 to communicate with its system libraries.

COM specifies many other standard interfaces used to allow inter-component communication. For example, one such interface is IStream, which is exposed by components that have data stream semantics (e.g. a FileStream component used to read or write files). It has the expected Read and Write methods to perform stream reads and writes. Another standard interface is IOleObject, which is exposed by components that expect to be linked or embedded into a container. IOleObject contains methods that allow callers to determine the size of the component's bounding rectangle, whether the component supports operations like 'Open', 'Save' and so on.

Classes

A class is COM's language-independent way of defining a class in the object-oriented sense. A class can be a group of similar objects or a class is simply a representation of a type of object; it should be thought of as a blueprint that describes the object. A coclass supplies concrete implementation(s) of one or more interfaces. In COM, such concrete implementations can be written in any programming language that supports COM component development, e.g. Delphi, C++, Visual Basic, etc.

One of COM's major contributions to the world of Windows development is the awareness of the concept of separation of interface from implementation. An extension of this fundamental concept is the notion of one interface, multiple implementations. This means that at runtime, an application can choose to instantiate an interface from one of many different concrete implementations.

Interface Definition Language and type libraries

Type libraries contain metadata that represent COM types. However, these types must first be described using Microsoft Interface Definition Language.

This is the common practice in the development of a COM component, i.e. to start with the definition of types using IDL. An IDL file is what COM provides that allows developers to define object-oriented classes, interfaces, structures, enumerations and other user-defined types in a language independent manner. COM IDL is similar in appearance to C/C++ declarations with the addition of keywords such as "interface" and "library" for defining interfaces and collections of classes, respectively. IDL also requires the use of bracketed attributes before declarations to provide additional information, such as the GUIDs of interfaces and the relationships between pointer parameters and length fields.

The IDL file is compiled by the MIDL compiler into a pair of forms for consumption from various languages. For C/C++, the MIDL compiler generates a compiler-independent header file containing struct definitions to match the vtbls of the declared interfaces and a C file containing declarations of the interface GUIDs. C++ source code for a proxy module can also be generated by the MIDL compiler. This proxy contains method stubs for converting COM calls into Remote Procedure Calls, thus enabling DCOM.

An IDL file may also be compiled by the MIDL compiler into a type library (.TLB file). The binary metadata contained within the type library is meant to be processed by language compilers and runtime environments (e.g. VB, Delphi, the .NET CLR etc.). The end result of such TLB processing is that language-specific constructs are produced that represent the COM class defined in the .TLB (and ultimately that which was defined in the originating IDL file).

COM as an object framework

The fundamental principles of COM have their roots in Object-Oriented philosophies. It is a platform for the realization of Object-Oriented Development and Deployment.

Because COM is a runtime framework, types have to be individually identifiable and specifiable at runtime. To achieve this, globally unique identifiers (GUIDs) are used. Each COM type is designated its own GUID for identification at runtime (versus compile time).

In order for information on COM types to be accessible at both compile time and runtime, COM uses type libraries. It is through the effective use of type libraries that COM achieves its capabilities as a dynamic framework for the interaction of objects.

Consider the following example coclass definition in an IDL:

    coclass CSomeObject
    {
        [default] interface ISomeInterface;
        [default, source] dispinterface _IMyObjectEvents;
    };

The above code fragment declares a COM class named CSomeObject which must implement an interface named ISomeInterface and which supports (not implements) the event interface _IMyObjectEvents.

Ignoring the event interface bit, this is conceptually equivalent to defining a C++ class like this:

    class CSomeObject : public ISomeInterface
    {
        ...
        ...
    };

where ISomeInterface is a C++ pure virtual class.

Referring once again to the MyObject COM class: once a coclass definition for it has been formalized in an IDL, and a Type Library compiled from it, the onus is on the individual language compiler to read and appropriately interpret this Type Library and then produce whatever code (in the specific compiler's language) necessary for a developer to implement and ultimately produce the binary executable code which can be deemed by COM to be of coclass MyObject.

Once an implementation of a COM coclass is built and is available in the system, next comes the question of how to instantiate it. In languages like C++, we can use the CoCreateInstance() API in which we specify the CLSID (CLSID_CSomeObject) of the coclass as well as the interface (specified by the IID IID_ISomeInterface) from that coclass that we want to use to interact with that coclass. Calling CoCreateInstance() like this:

    CoCreateInstance(CLSID_CSomeObject, NULL, CLSCTX_INPROC_SERVER, IID_ISomeInterface, (void**)&pISomeInterface);

is conceptually equivalent to the following C++ code:

    ISomeInterface* pISomeInterface = new CSomeObject();

In the first case, the COM sub-system is used to obtain a pointer to an object that implements the ISomeInterface interface and coclass CLSID_CSomeObject's particular implementation of this interface is required. In the second case, an instance of a C++ class CSomeObject that implements the interface ISomeInterface is created.

A coclass, then, is an object-oriented class in the COM world. The main feature of the coclass is that it is (1) binary in nature and consequently (2) programming language-independent.

Registry

In Windows, COM classes, interfaces and type libraries are listed by GUIDs in the registry, under HKEY_CLASSES_ROOT\CLSID for classes and HKEY_CLASSES_ROOT\Interface for interfaces. The COM libraries use the registry to locate either the correct local libraries for each COM object or the network location for a remote service.

Under the key HKCR\clsid, the following are specified:
    -> Inprocserver32 = object is to be loaded into a process
    + Path to file/object and readable name
HKCR\interface: example: ISTREAM, IRPCSTUB, IMESSAGEFILTER
    connects to a CLSID. You can specify NUMMETHODS and PROXYSTUB(if web-object)
HKCR\typelib
    One or more CLSID can be grouped into type library. it contains parameters for linking in COM.

The rest of the info in the COM parts of the REGISTRY, is to give an application/object a CLSID.

Registration-free COM does not require components to be described in the registry.

Reference counting

The most fundamental COM interface of all, IUnknown (from which all COM interfaces must be derived), supports two main concepts: feature exploration through the QueryInterface method, and object lifetime management by including AddRef() and Release(). Reference counts and feature exploration apply to objects (not to each interface on an object) and thus must have a centralized implementation.

The COM specifications require a technique called reference counting to ensure that individual objects remain alive as long as there are clients which have acquired access to one or more of its interfaces and, conversely, that the same object is properly disposed of when all code that used the object have finished with it and no longer require it. A COM object is responsible for freeing its own memory once its reference count drops to zero.

For its implementation, a COM Object usually maintains an integer value that is used for reference counting. When AddRef() is called via any of object's interfaces, this integer value is incremented. When Release() is called, this integer is decremented. AddRef() and Release() are the only means by which a client of a COM object is able to influence its lifetime. The internal integer value remains a private member of the COM object and will never be directly accessible.

The purpose of AddRef() is to indicate to the COM object that an additional reference to itself has been affected and hence it is necessary to remain alive as long as this reference is still valid. Conversely, the purpose of Release() is to indicate to the COM object that a client (or a part of the client's code) has no further need for it and hence if this reference count has dropped to zero, it may be time to destroy itself.

Certain languages (e.g. Visual Basic) provide automatic reference counting so that COM object developers need not explicitly maintain any internal reference counter in their source codes. Using COM in C, explicit reference counting is needed. In C++, a coder may write the reference counting code or use a smart pointer that will manage all the reference counting.

The following is a general guideline calling AddRef() and Release() to facilitate proper reference counting in COM object:

• Functions (whether object methods or global functions) that return interface references (via return value or via "out" parameter) should increment the reference count of the underlying object before returning. Hence internally within the function or method, AddRef() is called on the interface reference (to be returned). An example of this is the QueryInterface() method of the IUnknown interface. Hence it is imperative that developers be aware that the returned interface reference has already been reference count incremented and not call AddRef() on the returned interface reference yet another time.
• Release() must be called on an interface reference before that interface's pointer is overwritten or goes out of scope.
• If a copy is made on an interface reference pointer, AddRef() should be called on that pointer. After all, in this case, we are actually creating another reference on the underlying object.
• AddRef() and Release() must be called on the specific interface which is being referenced since an object may implement per-interface reference counts in order to allocate internal resources only for the interfaces which are being referenced.
• Extra calls to these functions are not sent out to remote objects over the wire; a proxy keeps only one reference on the remote object and maintains its own local reference count.
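The reference-counting guidelines above, together with the reflexive, symmetric and transitive QueryInterface() properties described under Interfaces, as an added example that is not part of the original guide. It is a portable C++ model that builds without the Windows SDK; IUnknownLike, IReader, IWriter, Stream, CreateStream, the Result codes and the three interface IDs are hypothetical stand-ins for the real COM declarations.

```cpp
// Portable model of the IUnknown rules; every name is a hypothetical stand-in, not the real COM API.
#include <atomic>
#include <cstdio>
#include <cstring>

struct Guid { unsigned char b[16]; };
static bool SameGuid(const Guid& x, const Guid& y) { return std::memcmp(x.b, y.b, 16) == 0; }
static const Guid IID_Unknown = {{0}};   // constructed placeholder IDs, not real IIDs
static const Guid IID_Reader  = {{1}};
static const Guid IID_Writer  = {{2}};
enum Result { kOk, kNoInterface, kBadPointer };   // stand-ins for S_OK, E_NOINTERFACE, E_POINTER

struct IUnknownLike {
    virtual Result QueryInterface(const Guid& iid, void** out) = 0;
    virtual unsigned long AddRef() = 0;
    virtual unsigned long Release() = 0;
    virtual ~IUnknownLike() {}
};
struct IReader : IUnknownLike { virtual int Read() = 0; };
struct IWriter : IUnknownLike { virtual void Write(int v) = 0; };

static int g_liveObjects = 0;   // lets callers observe that the object destroyed itself

class Stream final : public IReader, public IWriter {
    std::atomic<unsigned long> refs_;   // private counter, reachable only via AddRef/Release
    int value_;
    ~Stream() override { --g_liveObjects; }   // private: only Release() can destroy the object
public:
    Stream() : refs_(1), value_(0) { ++g_liveObjects; }   // the creator holds the first reference
    Result QueryInterface(const Guid& iid, void** out) override {
        if (!out) return kBadPointer;
        *out = nullptr;
        if (SameGuid(iid, IID_Unknown))
            *out = static_cast<IUnknownLike*>(static_cast<IReader*>(this));
        else if (SameGuid(iid, IID_Reader))
            *out = static_cast<IReader*>(this);
        else if (SameGuid(iid, IID_Writer))
            *out = static_cast<IWriter*>(this);
        else
            return kNoInterface;
        AddRef();   // a returned interface reference is already counted for the caller
        return kOk;
    }
    unsigned long AddRef() override { return ++refs_; }
    unsigned long Release() override {
        unsigned long left = --refs_;
        if (left == 0) delete this;   // the object frees its own memory at zero
        return left;
    }
    int Read() override { return value_; }
    void Write(int v) override { value_ = v; }
};

// Creation helper in the role CoCreateInstance() plays in the text.
Result CreateStream(const Guid& iid, void** out) {
    Stream* s = new Stream();                 // count 1, owned by this function
    Result r = s->QueryInterface(iid, out);   // count 2 on success
    s->Release();                             // drop our own reference; destroys s if the query failed
    return r;
}

struct Report { bool reflexive, symmetric, transitive; unsigned long countAfterCopy; int valueRead; int liveAtEnd; };

Report RunDemo() {
    Report rep = {};
    void* p = nullptr;
    CreateStream(IID_Reader, &p);
    IReader* reader = static_cast<IReader*>(p);         // count 1
    reader->QueryInterface(IID_Reader, &p);             // reflexive: A -> A gives the same instance
    rep.reflexive = (p == reader);
    static_cast<IReader*>(p)->Release();                // balance the query: count 1
    reader->QueryInterface(IID_Writer, &p);             // A -> B, kept: count 2
    IWriter* writer = static_cast<IWriter*>(p);
    writer->QueryInterface(IID_Reader, &p);             // symmetric: B -> A
    rep.symmetric = (p == reader);
    static_cast<IReader*>(p)->Release();                // count 2
    void* viaWriter = nullptr; void* viaReader = nullptr;
    rep.transitive = writer->QueryInterface(IID_Unknown, &viaWriter) == kOk    // B -> C
                  && reader->QueryInterface(IID_Unknown, &viaReader) == kOk;   // so A -> C must work
    static_cast<IUnknownLike*>(viaWriter)->Release();
    static_cast<IUnknownLike*>(viaReader)->Release();   // count 2
    IWriter* copy = writer;                             // copying a pointer creates another reference,
    rep.countAfterCopy = copy->AddRef();                // so AddRef() on the copy: count 3
    copy->Write(42);
    copy->Release();                                    // Release() before the copy goes out of scope
    rep.valueRead = reader->Read();
    writer->Release();                                  // count 1
    reader->Release();                                  // count 0: the object deletes itself
    rep.liveAtEnd = g_liveObjects;
    return rep;
}

int main() {
    Report r = RunDemo();
    std::printf("reflexive=%d symmetric=%d transitive=%d count=%lu value=%d live=%d\n",
                r.reflexive, r.symmetric, r.transitive, r.countAfterCopy, r.valueRead, r.liveAtEnd);
    return 0;
}
```

Each QueryInterface() or AddRef() in RunDemo is paired with exactly one Release(); an unpaired AddRef() leaks the object, and an extra Release() leaves the remaining pointers dangling.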

To facilitate and promote COM development, Microsoft introduced ATL (Active Template Library) for C++ developers. ATL provides for a higher-level COM development paradigm. It also shields COM client application developers from the need to directly maintain reference counting, by providing smart pointer objects. Other libraries and languages that are COM-aware include the Microsoft Foundation Classes, the VC Compiler COM Support, VBScript, Visual Basic, ECMAScript (JavaScript) and Borland Delphi.

Instantiation

COM standardizes the instantiation (i.e. creation) process of COM objects by requiring the use of Class Factories. In order for a COM object to be created, two associated items must exist:

• A Class ID.
• A Class Factory.

Each COM Class or CoClass must be associated with a unique Class ID (a GUID). It must also be associated with its own Class Factory (that is achieved by using a centralized registry). A Class Factory is itself a COM object. It is an object that must expose the IClassFactory or IClassFactory2 (the latter with licensing support) interface. The responsibility of such an object is to create other objects.

A class factory object is usually contained within the same executable code (i.e. the server code) as the COM object itself. When a class factory is called upon to create a target object, this target object's class id must be provided. This is how the class factory knows which class of object to instantiate.

A single class factory object may create objects of more than one class. That is, two objects of different class ids may be created by the same class factory object. However, this is transparent to the COM system.

By delegating the responsibility of object creation into a separate object, a greater level of abstraction is promoted, and the developer is given greater flexibility. For example, implementation of the Singleton and other creation patterns is facilitated. Also, the calling application is shielded from the COM object's memory allocation semantics by the factory object.

In order for client applications to be able to acquire class factory objects, COM servers must properly expose them. A class factory is exposed differently, depending on the nature of the server code. A server which is DLL-based must export a DllGetClassObject() global function. A server which is EXE-based registers the class factory at runtime via the CoRegisterClassObject() Windows API function.

The following is a general outline of the sequence of object creation via its class factory:

1. The object's class factory is obtained via the CoGetClassObject() API (a standard Windows API). As part of the call to CoGetClassObject(), the Class ID of the object (to be created) must be supplied. The following C++ code demonstrates this:

    IClassFactory* pIClassFactory = NULL;
    CoGetClassObject(CLSID_SomeObject, CLSCTX_ALL, NULL, IID_IClassFactory, (LPVOID*)&pIClassFactory);

The above code indicates that the Class Factory object of a COM object, which is identified by the class id CLSID_SomeObject, is required. This class factory object is returned by way of its IClassFactory interface.

2. The returned class factory object is then requested to create an instance of the originally intended COM object. The following C++ code demonstrates this:

    ISomeObject* pISomeObject = NULL;
    if (pIClassFactory)
    {
        pIClassFactory->CreateInstance (NULL, IID_ISomeObject, (LPVOID*)&pISomeObject);
        pIClassFactory->Release();
        pIClassFactory = NULL;
    }

The above code indicates the use of the Class Factory object's CreateInstance() method to create an object which exposes an interface identified by the IID_ISomeObject GUID. A pointer to the ISomeObject interface of this object is returned. Also note that because the class factory object is itself a COM object, it needs to be released when it is no longer required (i.e. its Release() method must be called).

The above demonstrates, at the most basic level, the use of a class factory to instantiate an object. Higher level constructs are also available, some of which do not even involve direct use of the Windows APIs.

For example, the CoCreateInstance() API can be used by an application to directly create a COM object without acquiring the object's class factory. However, internally, the CoCreateInstance() API itself will invoke the CoGetClassObject() API to obtain the object's class factory and then use the class factory's CreateInstance() method to create the COM object.

VBScript supplies the New keyword as well as the CreateObject() global function for object instantiation. These language constructs encapsulate the acquisition of the class factory object of the target object (via the CoGetClassObject() API) followed by the invocation of the IClassFactory::CreateInstance() method.

Other languages, e.g. PowerBuilder's PowerScript may also provide their own high-level object creation constructs. However, CoGetClassObject() and the IClassFactory interface remain the most fundamental object creation technique.

Reflection

At the time of the inception of COM technologies, the only way for a client to find out what features an object would offer was to actually create one instance and call into its QueryInterface method (part of the required IUnknown interface). This way of exploration became awkward for many applications, including the selection of appropriate components for a certain task, and tools to help a developer understand how to use methods provided by an object.

As a result, COM Type Libraries were introduced, through which components can describe themselves. A type library contains information such as the CLSID of a component, the IIDs of the interfaces the component implements, and descriptions of each of the methods of those interfaces. Type libraries are typically used by Rapid Application Development (RAD) environments such as Delphi, Visual Basic or Visual Studio to assist developers of client applications.

Programming

COM is a binary standard (also said to be language agnostic) and may be developed in any programming language capable of understanding and implementing its binary defined data types and interfaces. Runtime libraries (in extreme situations, the programmers) are responsible for entering and leaving the COM environment, instantiating and reference counting COM objects, querying objects for version information, coding to take advantage of advanced object versions, and coding graceful degradation of function when newer versions are not available.

Application and network transparency

COM objects may be instantiated and referenced from within a process, across process boundaries within a computer, and across a network, using the DCOM technology. Out-of-process and remote objects may use marshalling to send method calls and return values back and forth. The marshalling is invisible to the object and the code using the object.

Threading in COM

In COM, threading issues are addressed by a concept known as "apartment models". Here the term "apartment" refers to an execution context wherein a single thread or a group of threads is associated with one or more COM objects.

Apartments stipulate the following general guidelines for participating threads and objects:

• Each COM object is associated with one and only one apartment. This is decided at the time the object is created at runtime. After this initial setup, the object remains in that apartment throughout its lifetime.
• A COM thread (i.e., a thread in which COM objects are created or COM method calls are made) is also associated with an apartment. Like COM objects, the apartment with which a thread is associated is also decided at initialization time. Each COM thread also remains in its designated apartment until it terminates.
• Threads and objects which belong to the same apartment are said to follow the same thread access rules. Method calls which are made inside the same apartment are performed directly without any assistance from COM.
• Threads and objects from different apartments are said to play by different thread access rules. Method calls made across apartments are achieved via marshalling. This requires the use of proxies and stubs.

There are three types of Apartment Models in the COM world: Single-Threaded Apartment (STA), Multi-Threaded Apartment (MTA), and Neutral Apartment. Each apartment represents one mechanism whereby an object's internal state may be synchronized across multiple threads.

The Single-Threaded Apartment (STA) model is a very commonly used model. Here, a COM object stands in a position similar to a desktop application's user interface. In an STA model, a single thread is dedicated to drive an object's methods, i.e. a single thread is always used to execute the methods of the object. In such an arrangement, method calls from threads outside of the apartment are marshalled and automatically queued by the system (via a standard Windows message queue). Thus, there is no worry about race conditions or lack of synchronicity because each method call of an object is always executed to completion before another is invoked.

If the COM object's methods perform their own synchronization, multiple threads dedicated to calling methods on the COM object are permitted. This is termed the Multiple Threaded Apartment (MTA). Calls to an MTA object from a thread in an STA are also marshaled.

A process can consist of multiple COM objects, some of which may use STA and others of which may use MTA. The Thread Neutral Apartment allows different threads, none of which is necessarily dedicated to calling methods on the object, to make such calls. The only provision is that all methods on the object must be serially reentrant.

Criticisms

Since COM has a fairly complex implementation, programmers can be distracted by some of the "plumbing" issues.

Message pumping

When an STA is initialized it creates a hidden window that is used for inter-apartment and inter-process message routing. This window must have its message queue regularly pumped. This construct is known as a message pump. On earlier versions of Windows, failure to do so could cause system-wide deadlocks. This problem is complicated by some Windows APIs that initialize COM as part of their implementation, which causes a leak of implementation details.

Reference counting

Reference counting within COM may cause problems if two or more objects are circularly referenced. The design of an application must take this into account so that objects are not left orphaned. Objects may also be left with active reference counts if the COM "event sink" model is used. Since the object that fires the event needs a reference to the object reacting to the event, the object's reference count will never reach zero. Reference cycles are typically broken using either out-of-band termination or split identities. In the out of band termination technique, an object exposes a method which, when called, forces it to drop its references to other objects, thereby breaking the cycle. In the split identity technique, a single implementation exposes two separate COM objects (also known as identities). This creates a weak reference between the COM objects, preventing a reference cycle.

DLL Hell

Because COM components are usually implemented in DLL files and registration allows only a single version of a DLL they are subject to the "DLL Hell" effect. Registration-free COM capability eliminates the problem.

RegFree COM

RegFree COM (or Registration-Free COM) is a technology introduced with Windows XP that allows Component Object Model (COM) components to store activation metadata and CLSID (Class ID) for the component without using the registry. Instead, the metadata and CLSIDs of the classes implemented in the component are declared in an assembly manifest (described using XML), stored either as a resource in the executable or as a separate file installed with the component.[5] This allows multiple versions of the same component to be installed in different directories, described by their own manifests, as well as XCOPY deployment.[6] This technique has limited support for EXE COM servers[7] and cannot be used for system-wide components such as MDAC, MSXML, DirectX or Internet Explorer.

During application loading, the Windows loader searches for the manifest.[8] If it is present, the loader adds information from it to the activation context.[6] When the COM class factory tries to instantiate a class, the activation context is first checked to see if an implementation for the CLSID can be found. Only if the lookup fails is the registry scanned.[6]

apple. aspx?PostID=224935) (Video Webcast.html) from master's thesis • Info: Difference Between OLE Controls and ActiveX Controls (http://support. 2006.microsoft.cs. com/ javaworld/ jw-03-1997/ jw-03-component.microsoft. aspx).msdn.com/com/) • Interview with Tony Williams. Understanding ActiveX and OLE.php?vw=TypeLib) with open source dumper utility. • "Integration and Migration of COM+ services to WCF" (http://msdn. • Box. aspx). 2010.innovatia. Retrieved April 15. . javaworld. microsoft. microsoft.Component Object Model 70 References [2] Runtime Callable Wrapper — MSDN Library (http:/ / msdn. August 2006) • A concise technical overview of COM (http://www. com/ en-us/ library/ ms235531(VS. ISBN 978-1-57231-216-6. .com/en-us/library/bb978523. Retrieved March 7. Retrieved 2008-04-22. microsoft. Addison-Wesley. com/ en-us/ library/ aa374219(VS. 85). • "COM: A Brief Introduction (powerpoint)" (http://www. aspx) [3] COM callable wrapper — MSDN Library (http:/ / msdn. External links • Microsoft COM Technologies (http://www.byethost11. aspx). com/ questions/ 2369181/ how-to-use-an-out-of-process-com-server-without-its-tlb-file). [7] "How to use an out-of-process COM server without its tlb file" (http:/ / stackoverflow.ucr. microsoft. [8] "Concepts of Isolated Applications and Side-by-side Assemblies" (http:/ / msdn. . html#/ / apple_ref/ doc/ uid/ 20001160-102910-BAJFDFFC [4] http:/ / replay. Essential COM.microsoft. aspx). David (1996). [6] Dave Templin. org/ 20060810235058/ http:/ / www. Retrieved 2009-11-05. Retrieved 2009-11-05. com/ en-us/ library/ 8bwh56xe. aspx) [1] http:/ / developer. Retrieved 2011-04-16.com/kb/159621/ en-us) from Microsoft • TypeLib Data Format Specification (unofficial) (http://theircorp. Microsoft Press.edu/~dberger/Documents/Presentations/ com-intro. com/ en-us/ magazine/ cc188708.com/index. • The COM / DCOM Glossary (http://www.com/ShowPost. . Don (1998).se/components/read/com. web97. MSDN. microsoft.ppt). 
html [5] "Assembly Manifests" (http:/ / msdn. MSDN. com/ library/ mac/ #documentation/ CoreFoundation/ Conceptual/ CFPlugIns/ Concepts/ conceptual.htm) . • Chappell. ISBN 0-201-63446-5. Co-Inventor of COM (http://channel9. com/ f07c8z1c.polberger. MSDN Magazine. "Simplify App Deployment with ClickOnce and Registration-Free COM" (http:/ / msdn. 80). waybackmachine.com/software/papers/com.

Compression virus

A compression virus is an example of a benevolent computer virus, invented by Fred Cohen. It searches for an uninfected executable file, compresses the file and prepends itself to it. The virus can be described in pseudo code[1]

    program compression-virus:=
    {01234567;
    subroutine infect-executable:=
      {loop:file = get-random-executable-file;
      if first-line-of-file = 01234567 then goto loop;
      compress file;
      prepend compression-virus to file;
      }
    main-program:=
      {if ask-permission then infect-executable;
      uncompress the-rest-of-this-file into tmpfile;
      run tmpfile;}
    }

The 01234567 is the virus signature, and is used to make sure (if first-line-of-file = 01234567) the file is not already infected. The virus then asks for permission (ask-permission) to infect a random executable (get-random-executable-file). If the permission is granted, it compresses the executable (infect-executable), prepends itself to it (prepend), uncompresses the current executable file (uncompress the-rest-of-this-file) into a temporary file (tmpfile) and runs it (run tmpfile).

Cruncher is an example of a compression virus,[2] a strain of which, Cruncher.2092,[3] is described by McAfee as memory-resident virus that infects all but small com files, making them smaller. The reason for excluding small programs is that their infected versions will be bigger than their originals.

References

[1] 1984, Computer Viruses - Theory and Experiments (http://all.net/books/virus/index.html)
[2] Mark A. Ludwig 1995, Giant Black Book of Computer Viruses p.10
[3] McAfee article on Cruncher.2092, read Characteristics (http://vil.nai.com/vil/content/v_318.htm)

in 2010 94 percent of organizations polled expect to implement security improvements to their computer systems. sometimes called hackers or crackers.[4] Reasons There are many similarities (yet many fundamental differences) between computer and physical security. an affiliate program pays the affiliate responsible for generating that installation about $30. The software is sold for between $50 and $75 per license. Some are thrill-seekers or vandals (the kind often responsible for defacing web sites). According to Symantec. the only data available is that which is made public by the organizations involved. many types of cyber criminals are finding ways to continue their activities. denial-of-service attacks. Security and systems design Although there are many aspects to take into consideration when designing a computer system. and web site defacements were significantly higher than in the previous two years. some attackers are highly skilled and motivated with the goal of compromising computers for financial gain or espionage. the underlying methodology is basically anecdotal.[2] Financial cost Serious financial damage has been caused by security breaches.Computer insecurity 72 Computer insecurity Computer security Secure operating systems Security by design Secure coding Computer insecurity Vulnerability Eavesdropping Exploits Trojans Viruses and worms Denial of service Payloads Rootkits Keyloggers Computer insecurity is the concept that a computer system is always vulnerable to attack. with 42 percent claiming cyber security as their top risk. An attacker can use a security hole to install software that tricks the user into buying a product.[1] At the same time many organizations are improving security. and that this fact creates a constant battle between those looking to improve security and those looking to circumvent security.” massive black market for rogue software. An example of the latter is . 
the motivations for breaches of computer security vary between attackers. similarly. However. some web site defacements are done to make political statements. “Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general. Almost every type of cyber attack is on the rise. Just like real-world security. security can prove to be very important. In 2009 respondents to the CSI Computer Crime and Security Survey admitted that malware infections. password sniffing. but because there is no standard model for estimating the cost of an incident. At that point. The reliability of these estimates is often [3] Insecurities in operating systems have led to a challenged. The 2003 loss estimates by these firms range from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks).

Markus Hess (more diligent than skilled), who spied for the KGB and was ultimately caught because of the efforts of Clifford Stoll, who wrote a memoir, The Cuckoo's Egg, about his experiences.

For those seeking to prevent security breaches, the first step is usually to attempt to identify what might motivate an attack on the system, how much the continued operation and information security of the system are worth, and who might be motivated to breach it. The precautions required for a home personal computer are very different for those of banks' Internet banking systems, and different again for a classified military network. Other computer security writers suggest that, since an attacker using a network need know nothing about you or what you have on your computer, attacker motivation is inherently impossible to determine beyond guessing. If true, blocking all possible attacks is the only plausible action to take.

Vulnerabilities

To understand the techniques for securing a computer system, it is important to first understand the various types of "attacks" that can be made against it. These threats can typically be classified into one of these seven categories:

Exploits

An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a software "bug" or "glitch" in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack. Many development methodologies rely on testing to ensure the quality of any code released; this process often fails to discover unusual potential exploits. The term "exploit" generally refers to small programs designed to take advantage of a software flaw that has been discovered, either remote or local. The code from the exploit program is frequently reused in trojan horses and computer viruses. In some cases, a vulnerability can lie in certain programs' processing of a specific file type, such as a non-executable media file. Some security web sites maintain lists of currently known unpatched vulnerabilities found in common programs (see "External links" below).

Eavesdropping

Eavesdropping is the act of surreptitiously listening to a private conversation, typically between hosts on a network. For instance, programs such as Carnivore and NarusInsight have been used by the FBI and NSA to eavesdrop on the systems of internet service providers. Even machines that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped upon via monitoring the faint electro-magnetic transmissions generated by the hardware such as TEMPEST.

Social engineering and human error

A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them, for example sending messages that they are the system administrator and asking for passwords. This deception is known as Social engineering.

Denial-of-service attack

Unlike other exploits, denial of service attacks are not used to gain unauthorized access or control of a system. They are instead designed to render it unusable. Attackers can deny service to individual victims, such as by deliberately entering a wrong password 3 consecutive times and thus causing the victim account to be locked, or they may overload the capabilities of a machine or network and block all users at once. These types of attack are, in practice, very hard to prevent, because the behavior of whole networks needs to be analyzed, not only the behaviour of small pieces of code. Distributed denial of service (DDoS) attacks are common, where a large number of compromised hosts (commonly referred to as "zombie computers", used as part of a botnet with, for example, a worm, trojan horse, or backdoor exploit to control them) are used to flood a target system with network requests, thus attempting to render it unusable through resource exhaustion. Another technique to exhaust victim resources is through the use of an attack amplifier — where the attacker takes advantage of poorly designed protocols on 3rd party machines, such as FTP or DNS, in order to instruct these hosts to launch the flood. There are also commonly found vulnerabilities in applications that cannot be used to take control over a computer, but merely make the target application malfunction or crash. This is known as a denial-of-service exploit.

Indirect attacks

An indirect attack is an attack launched by a third party computer. By using someone else's computer to launch an attack, it becomes far more difficult to track down the actual attacker. There have also been cases where attackers took advantage of public anonymizing systems, such as the tor onion router system.

Backdoors

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device. A specific form of backdoors are rootkits, which replaces system binaries and/or hooks into the function calls of the operating system to hide the presence of other programs, users, services and open ports. It may also fake information about disk and memory usage.

Direct access attacks

[Figure: Common consumer devices that can be used to transfer data surreptitiously.]

Someone who has gained access to a computer can install any type of devices to compromise security, including operating system modifications, software worms, key loggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media, for instance CD-R/DVD-R, tape, or portable devices such as keydrives, digital cameras or digital audio players. Another common technique is to boot an operating system contained on a CD-ROM or other bootable media and read the data from the harddrive(s) this way. The only way to defeat this is to encrypt the storage media and store the key separate from the system.

See also: Category:Cryptographic attacks

Reducing vulnerabilities

Computer code is regarded by some as a form of mathematics. It is theoretically possible to prove the correctness of certain classes of computer programs, though the feasibility of actually achieving this in large-scale practical systems is regarded as small by some with practical experience in the industry — see Bruce Schneier et al.

It's also possible to protect messages in transit (i.e., communications) by means of cryptography. One method of encryption — the one-time pad — is unbreakable when correctly used. This method was used by the Soviet Union during the Cold War, though flaws in their implementation allowed some cryptanalysis (See Venona Project). The method uses a matching pair of key-codes, securely distributed, which are used once-and-only-once to encode and decode a single message. For transmitted computer encryption this method is difficult to use properly (securely), and highly inconvenient as well. Other methods of encryption, while breakable in theory, are often virtually impossible to directly break by any means publicly known today. Breaking them requires some non-cryptographic input, such as a stolen key, stolen plaintext (at either end of the transmission), or some other extra cryptanalytic information.

Social engineering and direct computer access (physical) attacks can only be prevented by non-computer means, which can be difficult to enforce, relative to the sensitivity of the information. Even in a highly disciplined environment, such as in military organizations, social engineering attacks can still be difficult to foresee and prevent.

In practice, only a small fraction of computer program code is mathematically proven, or even goes through comprehensive information technology audits or inexpensive but extremely valuable computer security audits, so it's usually possible for a determined hacker to read, copy, alter or destroy data in well secured computers, albeit at the cost of great time and resources. Few attackers would audit applications for vulnerabilities just to attack a single specific system. It is possible to reduce an attacker's chances by keeping systems up to date, using a security scanner or/and hiring competent people responsible for security. The effects of data loss/damage can be reduced by careful backing up and insurance.

Security measures

A state of computer "security" is the conceptual ideal, attained by the use of the three processes:

1. Prevention
2. Detection
3. Response

• User account access controls and cryptography can protect systems files and data, respectively.
• Firewalls are by far the most common prevention systems from a network security perspective as they can (if properly configured) shield access to internal network services, and block certain kinds of attacks through packet filtering.
• Intrusion Detection Systems (IDSs) are designed to detect network attacks in progress and assist in post-attack forensics, while audit trails and logs serve a similar function for individual systems.
• "Response" is necessarily defined by the assessed security requirements of an individual system and may cover the range from simple upgrade of protections to notification of legal authorities, counter-attacks, and the like. In some special cases, a complete destruction of the compromised system is favored, as it may happen that not all the compromised resources are detected.

Today, computer security comprises mainly "preventive" measures, like firewalls or an Exit Procedure. A firewall can be defined as a way of filtering network data between a host or a network and another network, such as the Internet, and can be implemented as software running on the machine, hooking into the network stack (or, in the case of most UNIX-based operating systems such as Linux, built into the operating system kernel) to provide realtime filtering and blocking. Another implementation is a so-called physical firewall which consists of a separate machine filtering network traffic. Firewalls are common amongst machines that are permanently connected to the Internet.

However, relatively few organisations maintain computer systems with effective detection systems, and fewer still have organised response mechanisms in place. As result, as Reuters points out: “Companies for the first time report they are losing more through electronic theft of data than physical stealing of assets”.[5] The primary obstacle to effective eradication of cyber crime could be traced to excessive reliance on firewalls and other automated “detection” systems. Yet it is basic evidence gathering by using Packet Capture Appliances that puts criminals behind bars.

Difficulty with response

Responding forcefully to attempted security breaches (in the manner that one would for attempted physical security breaches) is often very difficult for a variety of reasons:

• Identifying attackers is difficult, as they are often in a different jurisdiction to the systems they attempt to breach, and operate through proxies, temporary anonymous dial-up accounts, wireless connections, and other anonymising procedures which make backtracing difficult and are often located in yet another jurisdiction. If they successfully breach security, they are often able to delete logs to cover their tracks.
• The sheer number of attempted attacks is so large that organisations cannot spend time pursuing each attacker (a typical home user with a permanent (e.g., cable modem) connection will be attacked at least several times per day, so more attractive targets could be presumed to see many more). Note however, that most of the sheer bulk of these attacks are made by automated vulnerability scanners and computer worms.
• Law enforcement officers are often unfamiliar with information technology, and so lack the skills and interest in pursuing attackers. There are also budgetary constraints. It has been argued that the high cost of technology, such as DNA testing, and improved forensics mean less money for other kinds of law enforcement, so the overall rate of criminals not getting dealt with goes up as the cost of the technology increases. In addition, the identification of attackers across a network may require logs from various points in the network and in many countries, the release of these records to law enforcement (with the exception of being voluntarily surrendered by a network administrator or a system administrator) requires a search warrant and, depending on the circumstances, the legal proceedings required can be drawn out to the point where the records are either regularly destroyed, or the information is no longer relevant.

Notes and References

[1] Symantec. (2010). State of Enterprise Security 2010.
[2] Richardson, R. (2010). 2009 CSI Computer Crime & Security Survey. Computer Security Institute. Computer Security Institute.
[3] Cashell, B., Jackson, W. D., Jickling, M., & Webel, B. (2004). The Economic Impact of Cyber-Attacks. Congressional Research Service, Government and Finance Division. Washington DC: The Library of Congress.
[4] Krebs, B. (2009, March). Massive Profits Fueling Rogue Antivirus Market. Retrieved 4 10, 2011, from Security Fix - Washington Post: http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html
[5] "Firms lose more to electronic than physical theft" (http://www.reuters.com/article/2010/10/18/us-crime-fraud-idUSTRE69H25820101018). Reuters.

Further reading

• Ross J. Anderson: Security Engineering: A Guide to Building Dependable Distributed Systems, ISBN 0-471-38922-6
• Bruce Schneier: Secrets & Lies: Digital Security in a Networked World, ISBN 0-471-25311-1
• Cyrus Peikari, Anton Chuvakin: Security Warrior, ISBN 0-596-00545-8
• Jack Koziol, David Litchfield: The Shellcoder's Handbook: Discovering and Exploiting Security Holes, ISBN 0-7645-4468-3
• Clifford Stoll: The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, an informal — and easily approachable by the non-specialist — account of a real incident (and pattern) of computer insecurity, ISBN 0-7434-1146-3
• Roger R. Schell: The Internet Rules but the Emperor Has No Clothes (http://csdl.computer.org/comp/proceedings/acsac/1996/7606/00/7606xiv.pdf) ACSAC 1996
• William Caelli: Relearning "Trusted Systems" in an Age of NIIP: Lessons from the Past for the Future. (http://cisse.info/archives/category/25-papers?download=241:cael-2002) 2002
• Noel Davis: Cracked! (http://rootprompt.org/article.php3?article=403) story of a community network that was cracked and what was done to recover from it 2000

sans.what-is-spyware.July.Hermès ISTE .336 pages andrew bell.html) 2004 • No slowdown in sight for cyber attacks (http://www.com/product/) Lists of known unpatched vulnerabilities from Secunia • Vulnerabilities (http://www. "La guerre de l'information" . Stratégies.pdf)" by Ross Anderson • The Information Security Glossary (http://www.html) November 5.288 pages Daniel Ventre. enjeux" .kernelthread.com/tech/news/story/2012-07-26/ black-hat-cyber-threat/56533460/1) 26. "Cyberespace et acteurs du cyberconflit" .usatoday.August 2011 .cert. • Article " Why Information Security is Hard — An Economic Perspective (http://www.com/vulnerabilities) from SecurityFocus.org/vuls/) .July 2011 . "Information Warfare" Wiley . Licensed under the GNU Free Documentation License. "CISSP All-In-One Study Guide" ISBN 0-07-149787-0 Daniel Ventre.460 pages Daniel Ventre.com/2012/11/06/us/ south-carolina-tax-hacking-puts-other-states-on-alert.avril 2011 .kb. • List of vulnerabilities maintained by the government of the USA (https://www. 2012 • • • • • • • • 77 External links • Participating With Safety (http://secdocs.2007 .ISBN 978-1-84821-094-3 Daniel Ventre.2009 ." had problem with virus taking over admin ruling it disguises its self as a program got rid of it built my own program that deletes it from use if detected again " • What is Spyware (http://www. "Cyberwar and Information Warfare" .nytimes.acsa-admin.Hermès Lavoisier . "Cyberattaque et Cyberdéfense" .Hermès Lavoisier . règles.org/top20/) • Amit Singh: A Taste of Computer Security (http://www.securityfocus.Hermès Lavoisier .2010 Daniel Ventre.to/information-security/) • The SANS Top 20 Internet Security Vulnerabilities (http://www. a guide to electronic security threats from the viewpoint of civil liberties organisations.Wiley ISTE .com) • Hacking of Tax Records Has Put States on Guard (http://www.300 pages Daniel Ventre. "Cyberguerre et guerre de l'information.net/manual/lp-sec/). 
including the Bugtraq mailing list.org/2001/ papers/110.com/publications/security/index.yourwindow.Computer insecurity Shon Harris.ISTE .2012 USA Today Lists of currently known unpatched vulnerabilities • Lists of advisories by product (http://secunia.

Computer surveillance

Computer surveillance is the act of performing surveillance of computer activity, and of data stored on a hard drive or being transferred over the Internet. Computer surveillance programs are widespread today, and almost all Internet traffic is closely monitored for clues of illegal activity. Supporters say that watching all Internet traffic is important, because by knowing everything that everyone is reading and writing, they can identify terrorists and criminals, and protect society from them. Critics cite concerns over privacy and the possibility of a totalitarian state where political dissent is impossible and opponents of state policy are removed in COINTELPRO-like purges. Such a state may be referred to as an Electronic Police State, in which the government aggressively uses electronic technologies to record, organize, search and distribute forensic evidence against its citizens. The hacktivist group Anonymous has hacked into government websites in protest of what it considers "draconian surveillance".[1][2]

Network surveillance

The vast majority of computer surveillance involves the monitoring of data and traffic on the Internet.[3] In the United States for example, under the Communications Assistance For Law Enforcement Act, all phone calls and broadband internet traffic (emails, web traffic, instant messaging, etc.) are required to be available for unimpeded real-time monitoring by Federal law enforcement agencies.[4][5][6]

Packet capture (also sometimes referred to as “packet sniffing”) is the monitoring of data traffic on a computer network. Computers communicate over the Internet by breaking up messages (emails, images, videos, web pages, files, etc.) into small chunks called "packets", which are routed through a network of computers, until they reach their destination, where they are assembled back into a complete "message" again. Packet Capture Appliance intercepts these packets as they are travelling through the network, in order to examine their contents using other programs. A packet capture is an information gathering tool, but not an analysis tool. That is it gathers "messages" but it does not analyze them and figure out what they mean. Other programs are needed to perform traffic analysis and sift through intercepted data looking for important/useful information. Under the Communications Assistance For Law Enforcement Act all U.S. telecommunications providers are required to install packet sniffing technology to allow Federal law enforcement and intelligence agencies to intercept all of their customers' broadband Internet traffic.

There is far too much data gathered by these packet sniffers for human investigators to manually search through all of it. So automated Internet surveillance computers sift through the vast amount of intercepted Internet traffic, and filter out and report to human investigators those bits of information which are "interesting"—such as the use of certain words or phrases, visiting certain types of web sites, or communicating via email or chat with a certain individual or group.[7] Billions of dollars per year are spent, by agencies such as the Information Awareness Office, NSA, and the FBI, to develop, purchase, implement, and operate systems which intercept and analyze all of this data, and extract only the information which is useful to law enforcement and intelligence agencies.[8]

Similar systems are now operated by Iranian secret police to identify and suppress dissidents. All required hardware and software has been allegedly installed by German Siemens AG and Finnish Nokia.[9]

Corporate surveillance

Corporate surveillance of computer activity is very common. The data collected is most often used for marketing purposes or sold to other corporations, but is also regularly shared with government agencies. It can be used as a form of business intelligence, which enables the corporation to better tailor their products and/or services to be desirable by their customers. Or the data can be sold to other corporations, so that they can use it for the aforementioned purpose. Or it can be used for direct marketing purposes, such as targeted advertisements, where ads are targeted to the user of the search engine by analyzing their search history and emails[10] (if they use free webmail services), which is kept in a database.[11]

For instance, Google, the world's most popular search engine, stores identifying information for each web search. An IP address and the search phrase used are stored in a database for up to 18 months.[12] Google also scans the content of emails of users of its Gmail webmail service, in order to create targeted advertising based on what people are talking about in their personal email correspondences.[13] Google is, by far, the largest Internet advertising agency—millions of sites place Google's advertising banners and links on their websites, in order to earn money from visitors who click on the ads. Each page containing Google advertisements adds, reads, and modifies "cookies" on each visitor's computer.[14] These cookies track the user across all of these sites, and gather information about their web surfing habits, keeping track of which sites they visit, and what they do when they are on these sites. This information, along with the information from their email accounts, and search engine histories, is stored by Google to use to build a profile of the user to deliver better-targeted advertising.[13]

The United States government often gains access to these databases, either by producing a warrant for it, or by simply asking. The Department of Homeland Security has openly stated that it uses data collected from consumer credit and direct marketing agencies for augmenting the profiles of individuals that it is monitoring.[11]

Malicious software

For a more detailed discussion of topics mentioned in this section see: Spyware, Computer virus, Trojan (computer security), Keylogger, Backdoor (computing)

In addition to monitoring information sent over a computer network, there is also a way to examine data stored on a computer's hard drive, and to monitor the activities of a person using the computer. A surveillance program installed on a computer can search the contents of the hard drive for suspicious data, can monitor computer use, collect passwords, and/or report back activities in real-time to its operator through the Internet connection.

There are multiple ways of installing such software. The most common is remote installation, using a backdoor created by a computer virus or trojan. This tactic has the advantage of potentially subjecting multiple computers to surveillance. Viruses often spread to thousands or millions of computers, and leave "backdoors" which are accessible over a network connection, and enable an intruder to remotely install software and execute commands. These viruses and trojans are sometimes developed by government agencies, such as CIPAV and Magic Lantern. More often, however, viruses created by other people or spyware installed by marketing agencies can be used to gain access through the security breaches that they create.

Another method is "cracking" into the computer to gain access over a network. An attacker can then install surveillance software remotely. Servers and computers with permanent broadband connections are most vulnerable to this type of attack.

One can also physically place surveillance software on a computer by gaining entry to the place where the computer is stored and install it from a compact disc, floppy disk, or thumbdrive. This method shares a disadvantage with hardware devices in that it requires physical access to the computer.

Social network analysis

One common form of surveillance is to create maps of social networks based on data from social networking sites as well as from traffic analysis information from phone call records such as those in the NSA call database,[15] and internet traffic data gathered under CALEA. These social network "maps" are then data mined to extract useful information such as personal interests, friendships & affiliations, wants, beliefs, thoughts, and activities.[16][17][18]

Many U.S. government agencies such as the Defense Advanced Research Projects Agency (DARPA), the National Security Agency (NSA), and the Department of Homeland Security (DHS) are currently investing heavily in research involving social network analysis.[19][20] The intelligence community believes that the biggest threat to the U.S. comes from decentralized, leaderless, geographically dispersed groups. These types of threats are most easily countered by finding important nodes in the network, and removing them. To do this requires a detailed map of the network.[18][21]

Jason Ethier of Northeastern University, in his study of modern social network analysis, said the following of the Scalable Social Network Analysis Program developed by the Information Awareness Office:

The purpose of the SSNA algorithms program is to extend techniques of social network analysis to assist with distinguishing potential terrorist cells from legitimate groups of people ... In order to be successful SSNA will require information on the social interactions of the majority of people around the globe. Since the Defense Department cannot easily distinguish between peaceful citizens and terrorists, it will be necessary for them to gather data on innocent civilians as well as on potential terrorists.
—Jason Ethier[18]

Emanations

It has been shown that it is possible to surveil computers from a distance, with only commercially available equipment, by detecting the radiation emitted by the CRT monitor. This form of computer surveillance, known as TEMPEST, involves reading electromagnetic emanations from computing devices in order to extract data from them at distances of hundreds of meters.[22][23][24]

IBM researchers have also found that, for most computer keyboards, each key emits a slightly different noise when pressed. The differences are individually identifiable under some conditions, and so it's possible to log key strokes without actually requiring logging software to run on the associated computer.

And it has also been shown, by Adi Shamir et al., that even the high frequency noise emitted by a CPU includes information about the instructions being executed.

Policeware

Policeware is software designed to police citizens by monitoring discussion and interaction of its citizens.[25] Within the U.S., Carnivore was a first incarnation of secretly installed e-mail monitoring software installed in Internet service providers' networks to log computer communication, including transmitted e-mails. Magic Lantern is another such application, this time running in a targeted computer in a trojan style and performing keystroke logging. Oasis, software developed by Central Intelligence Agency (CIA), is designed for converting intercepted audio into searchable text. CIPAV, deployed by FBI, is a spyware/trojan allegedly designed for identification of a computer.

The CBDTPA for "Consumer Broadband and Digital Television Promotion Act" was a bill proposed in the United States Congress. The CBDTPA was known as the "SSSCA" while in draft form, and was killed in committee in 2002. Had the CBDTPA become law, it would have prohibited technology that read digital content (such as music, video, and e-books) without Digital Rights Management (DRM) that prevented access to this material without the permission of the copyright holder.

nytimes. "Debunking Google's log anonymization propaganda" (http:/ / news. [22] McNamara. neu. Retrieved 2009-03-13. . Electronic Frontier Foundation (website). Can Network Theory Thwart Terrorists?". Business Standard. Retrieved 2009-03-16. Steve (July 2006). . [15] Keefe. Retrieved 2009-03-12. Retrieved March 14. com/ tech/ news/ surveillance/ 2004-10-11-chatroom-surv_x. Jason. Ars Technica. . com/ article. Retrieved 2009-03-13. . New York Times. 4th Workshop on Privacy Enhancing Technologies: 23–25. com/ Technology/ Surveillance+ society/ 1322333/ story. 2008). zdnet.1016/0167-4048(85)90046-X. . php?aid=1396) by Debka. Unofficial Tempest Page" (http:/ / www. 2006).C. "Every move you make. 2009). Paul (June 9. pdf).T. . [8] McCullagh. [18] Ethier. [24] Kuhn. CNET News. 2007). 200). cam. 2006). 2004). [12] Soghoian. . com/ article. debka. ZDNet News. A Critical Case Study of the Usage of studiVZ. Computers & Security 4: 269–286. zdnet. New York Times. pdf). org/ Privacy/ Surveillance/ CALEA/ ?f=archive. html). cnet. Susan Landau (August. google. eff. com/ 8301-10784_3-6082047-7. Whitfield. to Review Online Ads and Privacy" (http:/ / www. 2006). Dawn (June 9. 2. ISBN 978-3-200-01428-2. sciam. ccs. . "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" (http:/ / jya. com/ privacy_ads. 2009). ac. [9] First round in Internet war goes to Iranian intelligence (http:/ / www. [17] Fuchs. [25] "The tricky issue of spyware with a badge: meet 'policeware'" (http:/ / arstechnica. [7] Hill. com/ india/ news/ every-move-you-make-google-will-be-watching-you/ 57071/ on). "Surveillance in society" (http:/ / www. [13] Joshi. Retrieved 2009-03-14. 2009. org/ issues/ calea). . html). 200?DCMP=NLC-nletter& nsref=mg19025556. Michael (October 11. Scientific American. Retrieved 2009-03-17. edu/ htbin/ cgiwrap/ bin/ ojs/ index. 2009. "Social Network Analysis as an Approach to Combat Terrorism: Past. doi:10. Retrieved 2009-03-15. html). com/ ~joelm/ tempest. html). 
. Christian (2009). Retrieved 2009-03-16.com [10] Story. Louise (November 1.Computer surveillance 81 References [1] http:/ / www. com/ emr. Declan (January 30. pdf). New Scientist. 2007). hsaj. [5] "CALEA: The Perils of Wiretapping the Internet" (http:/ / www. "Electromagnetic Eavesdropping Risks of Flat-Panel Displays" (http:/ / www. (2004). [16] Albrechtslund. [20] Kawamoto. 8). usatoday. Retrieved 2009-03-21. Retrieved 2009-03-21. eskimo.Electronic Frontier Foundation" (http:/ / w2. Electronic Frontier Foundation (website). The Star Phoenix (CanWest). newscientist. htm). First Monday 13 (3). com/ 2100-9595_22-151059. [6] "CALEA: Frequently Asked Questions" (http:/ / www. and MySpace by Students in Salzburg in the Context of Electronic Surveillance (http:/ / fuchs. [23] Van Eck. thestarphoenix. sbg. . Facebook. . html). icts. ars/ post/ 20070719-will-security-firms-avoid-detecting-government-spyware. "Is the NSA reading your MySpace profile?" (http:/ / news. php/ fm/ article/ view/ 2142/ 1949). Retrieved 2009-03-14. edu/ home/ perrolle/ archive/ Ethier-SocialNetworks. uk/ ~mgk25/ pet2004-fpd. Electronic Frontier Foundation (website). guardian. [19] Marks. Retrieved March 14. html?_r=1). uic. co. cnet. ac. "F. [11] Butler. [14] "Advertising and Privacy" (http:/ / www. Retrieved March 14. . "Government funds chat room surveillance research" (http:/ / www. Chris (September 11. . . and Future Research" (http:/ / www. Retrieved 2009-03-17. business-standard. "Online Social Networking as Participatory Surveillance" (http:/ / www. . uk/ technology/ 2012/ apr/ 20/ hacktivists-battle-internet) retrieved 17 June 2012 [3] Diffie. "Internet Eavesdropping: A Brave New World of Wiretapping" (http:/ / www. Retrieved 2009-03-21. . com/ 2007/ 11/ 01/ technology/ 01Privacy. Don (February 24. "Pentagon sets its sights on social networking websites" (http:/ / www. com/ news. html). Google (company page). ". CNET News. org/ ?fullarticle=2. html). 2008). 
com/ blog/ security/ anonymous-hacks-uk-government-sites-over-draconian-surveillance/ 11412 [2] Hacktivists in the frontline battle for the internet (http:/ / www. Associated Press (USA Today). eff. . eff. Wim (1985). 2009. 2009. cfm?id=internet-eavesdropping). com/ article/ mg19025556. "Current Research in Social Network Theory" (http:/ / www. html). html). M. at/ SNS_Surveillance_Fuchs. Social Networking Sites and the Surveillance Society. Homeland Security Affairs II (2). com/ 8301-13739_3-10038963-46. Northeastern University College of Computer and Information Science. Present. org/ pages/ calea-faq). . cl. Retrieved 2009-03-14. [21] Ressler. "Complete. 2007-07-19. . "FBI turns to broad new wiretap method" (http:/ / news. . Salzburg and Vienna: Forschungsgruppe Unified Theory of Information. 2008). Patrick (March 12. Joel. Retrieved 2009-03-19. [4] "CALEA Archive -. Priyanki (March 21. Anders (March 3. .G. Google will be watching you" (http:/ / www.

Computer worm

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

[Figure: Morris Worm source code disk at the Computer History Museum.]

[Figure: Spread of Conficker worm.]

Payloads

Many worms that have been created are designed only to spread, and don't attempt to change the systems they pass through. However, as the Morris worm and Mydoom showed, even these "payload free" worms can cause major disruption by increasing network traffic and other unintended effects. A "payload" is code in the worm designed to do more than spread the worm–it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" computer under control of the worm author. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address.[1] Spammers are therefore thought to be a source of funding for the creation of such worms,[2][3] and the worm writers have been caught selling lists of IP addresses of infected machines.[4] Others try to blackmail companies with threatened DoS attacks.[5]

Backdoors can be exploited by other malware, including worms. Examples include Doomjuice, which can spread using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM software utilized by millions of music CDs prior to late 2005.[6]

Worms with good intent

Beginning with the very first research into worms at Xerox PARC, there have been attempts to create useful worms. Those worms allowed testing by John Shoch and Jon Hupp of the Ethernet principles on their network of Xerox Alto computers. The Nachi family of worms tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system–by exploiting those same vulnerabilities. In practice, although this may have made these systems more secure, it generated considerable network traffic, rebooted the machine in the course of patching it, and did its work without the consent of the computer's owner or user. Regardless of their payload or their writers' intentions, most security experts regard all worms as malware.

Several worms, like XSS worms, have been written to research how worms spread. For example, the effects of changes in social activity or user behavior. One study proposed what seems to be the first computer worm that operates on the second layer of the OSI model (Data link Layer); it utilizes topology information such as Content-addressable memory (CAM) tables and Spanning Tree information stored in switches to propagate and probe for vulnerable nodes until the enterprise network is covered.[7]

Protecting against dangerous computer worms

Worms spread by exploiting vulnerabilities in operating systems. Vendors with security problems supply regular security updates[8] (see "Patch Tuesday"), and if these are installed to a machine then the majority of worms are unable to spread to it. If a vulnerability is disclosed before the security patch released by the vendor, a zero-day attack is possible.[9]

Users need to be wary of opening unexpected email, and should not run attached files or programs, or visit web sites that are linked to such emails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick the end-user into running malicious code.

Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommended.

In the April–June, 2008, issue of IEEE Transactions on Dependable and Secure Computing, computer scientists describe a potential new way to combat internet worms. The researchers discovered how to contain the kind of worm that scans the Internet randomly, looking for vulnerable hosts to infect. They found that the key is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans, it is a sign that it has been infected, allowing administrators to take it off line and check it for malware.[10][11] In addition, machine learning techniques can be used to detect new worms, by analyzing the behavior of the suspected computer.[12]

Mitigation techniques

• ACLs in routers and switches
• Packet-filters
• TCP Wrapper/libwrap enabled network service daemons
• Nullrouting

History

The actual term "worm" was first used in John Brunner's 1975 novel, The Shockwave Rider. In that novel, Nichlas Haflinger designs and sets off a data-gathering worm in an act of revenge against the powerful men who run a national electronic information web that induces mass conformity. "You have the biggest-ever worm loose in the net, and it automatically sabotages any attempt to monitor it... There's never been a worm with that tough a head or that long a tail!"[13]

On November 2, 1988, Robert Tappan Morris, a Cornell University computer science graduate student, unleashed what became known as the Morris worm, disrupting an estimated 10% of the computers then on the Internet[14][15] and prompting the formation of the CERT Coordination Center[16] and Phage mailing list.[17] Morris himself became the first person tried and convicted under the 1986 Computer Fraud and Abuse Act.[18]
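The scan-counting containment idea described under "Protecting against dangerous computer worms" can be sketched as a sliding-window monitor. This is an added example, not code from the original page or from the cited paper; the flow-log format, the 60-second window, the 20-destination threshold, the monitored 10.0.0.0/8 range and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict, deque, namedtuple
from ipaddress import ip_address, ip_network

# One connection attempt; ok is True when the connection was established.
Flow = namedtuple("Flow", "ts src dst port ok")


def parse_flow(line):
    """Parse 'ts src dst port OK|FAIL' (assumed format); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[4] not in ("OK", "FAIL"):
        return None
    try:
        ts, port = float(parts[0]), int(parts[3])
        src, dst = str(ip_address(parts[1])), str(ip_address(parts[2]))
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return Flow(ts, src, dst, port, parts[4] == "OK")


class ScanMonitor:
    """Flag internal hosts that contact too many distinct destinations."""

    def __init__(self, window=60.0, max_dsts=20, monitored="10.0.0.0/8"):
        self.window = window            # seconds of history kept per host
        self.max_dsts = max_dsts        # distinct destinations tolerated
        self.net = ip_network(monitored)
        self.events = defaultdict(deque)                     # src -> (ts, dst)
        self.counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> n
        self.flagged = {}                                    # src -> alert time

    def observe(self, flow):
        """Record one flow; return True when its source is newly flagged."""
        if ip_address(flow.src) not in self.net:
            return False
        queue, counts = self.events[flow.src], self.counts[flow.src]
        # Drop events that have aged out of the sliding window.
        while queue and queue[0][0] <= flow.ts - self.window:
            _, old_dst = queue.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        queue.append((flow.ts, flow.dst))
        counts[flow.dst] += 1
        if len(counts) > self.max_dsts and flow.src not in self.flagged:
            self.flagged[flow.src] = flow.ts
            return True
        return False


def build_sample_log():
    """Constructed sample data: one ordinary workstation, one scanning host."""
    lines = []
    servers = ["10.0.1.10", "10.0.1.11", "192.0.2.80"]
    for i in range(30):   # workstation keeps returning to the same 3 servers
        lines.append(f"{1000 + i * 10} 10.0.0.5 {servers[i % 3]} 443 OK")
    for i in range(60):   # scanner tries a new address every half second
        status = "OK" if i % 15 == 0 else "FAIL"
        lines.append(f"{1100 + i * 0.5} 10.0.0.9 198.51.100.{i + 1} 445 {status}")
    lines.sort(key=lambda l: float(l.split()[0]))
    lines.append("truncated record")   # malformed line the parser must skip
    return lines


def run(lines, **kwargs):
    """Feed log lines to a monitor; return (flagged hosts, skipped lines)."""
    monitor = ScanMonitor(**kwargs)
    skipped = 0
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            skipped += 1
            continue
        monitor.observe(flow)
    return monitor.flagged, skipped


if __name__ == "__main__":
    flagged, skipped = run(build_sample_log())
    for host, when in flagged.items():
        print(f"take {host} off line and check it (flagged at t={when})")
    print(f"{skipped} malformed line(s) skipped")
```

The workstation makes 30 connections but only ever reaches three destinations, so it is never flagged; the count that matters is distinct destinations, not raw connection volume.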

References

[1] Ray, Tiernan (February 18, 2004). "Business & Technology: E-mail viruses blamed as spam rises sharply" (http://seattletimes.nwsource.com/html/businesstechnology/2001859752_spamdoubles18.html). The Seattle Times.
[2] McWilliams, Brian (October 9, 2003). "Cloaking Device Made for Spammers" (http://www.wired.com/news/business/0,1367,60747,00.html). Wired.
[3] "Unavailable" (http://www.channelnewsasia.com/stories/afp_world/view/68810/1/.html).
[4] "Uncovered: Trojans as Spam Robots" (http://web.archive.org/web/20090528002116/http://www.heise.de/english/newsticker/news/44879). heise online. 2004-02-21. Archived from the original (http://www.heise.de/english/newsticker/news/44879) on 2009-05-28. Retrieved 2012-11-02.
[5] "Hacker threats to bookies probed" (http://news.bbc.co.uk/1/hi/technology/3513849.stm). BBC News. February 23, 2004.
[6] "Sony Ships Sneaky DRM Software" (http://www.pcworld.com/article/123362/sony_ships_sneaky_drm_software.html). Pcworld.com. 2005-11-01. Retrieved 2012-06-10.
[7] Al-Salloum, Z. S.; et al. (2010). "A Link-Layer-Based Self-Replicating Vulnerability Discovery Agent" (http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5546723). Iscc 2010. IEEE.
[8] "USN list" (http://www.ubuntu.com/usn). Ubuntu. Retrieved 2012-06-10.
[9] "Information on the Nimda Worm" (http://www.microsoft.com/technet/security/alerts/info/nimda.mspx). Microsoft.
[10] Sellke, S. H.; Shroff, N. B.; Bagchi, S. (2008). "Modeling and Automated Containment of Worms" (http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?isnumber=4509574&arnumber=4358715&count=10&index=3). IEEE Transactions on Dependable and Secure Computing 5 (2): 71–86.
[11] "A New Way to Protect Computer Networks from Internet Worms" (http://newswise.com/articles/view/541456/). Newswise. Retrieved July 05 2011.
[12] Moskovitch R., Elovici Y., Rokach L. (2008). Detection of unknown computer worms based on behavioral classification of the host (http://www.sciencedirect.com/science/article/pii/S0167947308000315). Computational Statistics and Data Analysis, 52(9):4544-4566. DOI 10.1016/j.csda.2008.01.028
[13] Brunner, John (1975). The Shockwave Rider. New York: Ballantine Books. ISBN 0-06-010559-3.
[14] "The Submarine" (http://www.paulgraham.com/submarine.html#f4n). Paulgraham.com. Retrieved 2012-06-10.
[15] During the Morris appeal process, the U.S. Court of Appeals estimated the cost of removing the virus from each installation was in the range of $200–53,000. Possibly based on these numbers, Harvard spokesman Clifford Stoll estimated the total economic impact was between $100,000–10,000,000. "Bs2.com homepage" (http://www.bs2.com/cvirus.htm#anchor111400). Bs2.com. Retrieved 20 November 2010.
[16] "Security of the Internet" (http://www.cert.org/encyc_article/tocencyc.html). CERT/CC.
[17] "Phage mailing list" (http://securitydigest.org/phage/). securitydigest.org.
[18] Dressler, J. (2007). "United States v. Morris". Cases and Materials on Criminal Law. St. Paul, MN: Thomson/West. ISBN 978-0-314-17719-3.

External links

• Vernalex.com's Malware Removal Guide (http://www.vernalex.com/guides/malware/) – Guide for understanding, removing and preventing worm infections
• John Shoch, Jon Hupp "The "Worm" Programs – Early Experience with a Distributed Computation" (http://vx.netlux.org/lib/ajm01.html) (link misdirects)
• (http://dl.acm.org/citation.cfm?id=358455) John Shoch, Jon Hupp "The "Worm" Programs – Early Experience with a Distributed Computation", Communications of the ACM, Volume 25 Issue 3, March 1982 Pages 172 - 180
• The Case for Using Layered Defenses to Stop Worms (http://www.nsa.gov/ia/_files/support/WORMPAPER.pdf)
• Worm Evolution Paper from Digital Threat (http://www.digitalthreat.net/?p=17)

Creeper (program)

Creeper
Aliases: The First Computer Virus Jamming Software
Type: Worm
Isolation: 1971
Author(s): Bob Thomas
Operating system(s) affected: TENEX

Creeper was an experimental self-replicating program written by Bob Thomas at BBN[1] in 1971. It was designed not to damage but to demonstrate a mobile application.[2] It is generally accepted to be the first computer virus.[3][2] Creeper infected DEC PDP-10 computers running the TENEX operating system.

Reaper

Reaper
Initial release: 1972
Development status: Historic
Operating system: TENEX

The Reaper program was a computer worm, like Creeper, but its purpose was to delete the latter.

References

[1] Thomas Chen, Jean-Marc Robert (2004). "The Evolution of Viruses and Worms" (http://vx.netlux.org/lib/atc01.html). Retrieved 2009-02-16.
[2] From the first email to the first YouTube video: a definitive internet history (http://www.guardian.co.uk/technology/2009/oct/23/internet-history). Tom Meltzer and Sarah Phillips. The Guardian. 23 October 2009.
[3] IEEE Annals of the History of Computing, Volumes 27-28. IEEE Computer Society, 2005. 74 (http://books.google.com/books?id=xv9UAAAAMAAJ&q=Creeper+"computer+worm"&dq=Creeper+"computer+worm"&hl=en&ei=pRzNTeaOBdGbtwe81ZyNDg&sa=X&oi=book_result&ct=result&resnum=3&ved=0CEUQ6AEwAg). Retrieved from Google Books on May 13, 2011. "[...]from one machine to another led to experimentation with the Creeper program, which became the world's first computer worm: a computation that used the network to recreate itself on another node, and spread from node to node."

Cryptovirology

Cryptovirology is a field that studies how to use cryptography to design powerful malicious software. The field was born with the observation that public-key cryptography can be used to break the symmetry between what an antivirus analyst sees regarding a virus and what the virus writer sees. The former only sees a public key whereas the latter sees a public key and corresponding private key. The first attack that was identified in the field is called "cryptoviral extortion".[1] In this attack a virus, worm, or trojan hybrid encrypts the victim's files and the user must pay the malware author to receive the needed session key (which is encrypted under the author's public key that is contained in the malware) if the user does not have backups and needs the files back.

The field also encompasses covert attacks in which the attacker secretly steals private information such as private keys. An example of the latter type of attack are asymmetric backdoors. An asymmetric backdoor is a backdoor (e.g., in a cryptosystem) that can be used only by the attacker, even after it is found. This contrasts with the traditional backdoor that is symmetric, i.e., anyone that finds it can use it. Kleptography, a subfield of cryptovirology, is concerned with the study of asymmetric back doors in key generation algorithms, digital signature algorithms, key exchanges, and so on. There is a misconception that cryptovirology is mostly about extortion attacks. In fact, the vast majority of cryptovirology attacks are covert in nature.

General information

Cryptovirology was born in academia.[1][2] However, practitioners have recently expanded the scope of the field to include the analysis of cryptographic algorithms used by malware writers, attacks on these algorithms using automated methods (such as X-raying[3]) and analysis of viruses' and packers' encryptors. Also included is the study of cryptography-based techniques (such as "delayed code"[4]) developed by malware writers to hamper malware analysis.

A "questionable encryption scheme", which was introduced by Young and Yung, is an attack tool in cryptovirology. Informally speaking, a questionable encryption scheme is a public key cryptosystem (3-tuple of algorithms) with two supplementary algorithms, forming a 5-tuple of algorithms. It includes a deliberately bogus yet carefully designed key pair generation algorithm that produces a "fake" public key. The corresponding private key (witness of non-encryption) cannot be used to decipher data "encrypted" using the fake public key. By supplying the key pair to an efficient verification predicate (the 5th algorithm in the 5-tuple) it is proven whether the public key is real or fake. When the public key is fake, it follows that no one can decipher data "enciphered" using the fake public key. A questionable encryption scheme has the property that real public keys are computationally indistinguishable from fake public keys when the private key is not available. The private key forms a poly-sized witness of decipherability or indecipherability, whichever may be the case.

An application of a questionable encryption scheme is a trojan that gathers plaintext from the host, "encrypts" it using the trojan's own public key (which may be real or fake), and then exfiltrates the resulting "ciphertext". In this attack it is thoroughly intractable to prove that data theft has occurred. This holds even when all core dumps of the trojan and all the information that it broadcasts is entered into evidence. An analyst that jumps to the conclusion that the trojan "encrypts" data risks being proven wrong by the malware author (e.g., anonymously).

When the public key is fake, the attacker gets no plaintext from the trojan. So what's the use? A spoofing attack is possible in which some trojans are released that use real public keys and steal data and some trojans are released that use fake public keys and do not steal data. Many months after the trojans are discovered and analyzed, the attacker anonymously posts the witnesses of non-encryption for the fake public keys. This proves that those trojans never in fact exfiltrated data. This casts doubt on the true nature of future strains of malware that contain such "public keys", since the keys could be real or fake. This attack implies a fundamental limitation on proving data theft.

There are many other attacks in the field of cryptovirology that are not mentioned here.

Examples of viruses with cryptography and ransom capabilities

While viruses in the wild have used cryptography in the past, the only purpose of such usage of cryptography was to avoid detection by antivirus software. For example, the tremor virus[5] used polymorphism as a defensive technique in an attempt to avoid detection by anti-virus software. Though cryptography does assist in such cases to enhance the longevity of a virus, the capabilities of cryptography are not used in the payload. The One-half virus[6] was amongst the first viruses known to have encrypted affected files. However, the One_half virus was not ransomware, that is it did not demand any ransom for decrypting the files that it has encrypted. It also did not use public key cryptography. An example of a virus that informs the owner of the infected machine to pay a ransom is the virus nicknamed Tro_Ransom.A.[7] This virus asks the owner of the infected machine to send $10.99 to a given account through Western Union. Virus.Win32.Gpcode.ag is a classic cryptovirus.[8] This virus partially uses a version of 660-bit RSA and encrypts files with many different extensions. It instructs the owner of the machine to email a given mail ID if the owner desires the decryptor. If contacted by email, the user will be asked to pay a certain amount as ransom in return for the decryptor.

Creation of cryptoviruses

To successfully write a cryptovirus, a thorough knowledge of the various cryptographic primitives such as random number generators, proper recommended cipher text chaining modes etc. are necessary. Wrong choices can lead to poor cryptographic strength. So, usage of preexisting routines would be ideal. Microsoft's Cryptographic API (CAPI), is a possible tool for the same. It has been demonstrated that using just 8 different calls to this API, a cryptovirus can satisfy all its encryption needs.[9]

Other uses of cryptography enabled malware

Apart from cryptoviral extortion, there are other potential uses[2] of cryptoviruses. They are used in deniable password snatching, used with cryptocounters, used with private information retrieval and used in secure communication between different instances of a distributed cryptovirus.

References

[1] A. Young, M. Yung. "Cryptovirology: Extortion-Based Security Threats and Countermeasures". IEEE Symposium on Security & Privacy, May 6–8, 1996. pp. 129–141. IEEEExplore: Cryptovirology: extortion-based security threats and countermeasures (http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=502676)
[2] A. Young, M. Yung (2004). Malicious Cryptography: Exposing Cryptovirology. Wiley. ISBN 0-7645-4975-8.
[3] F. Perriot, P. Ferrie (2004). "Principles and Practise of X-Raying" (http://pferrie.tripod.com/papers/x-raying.pdf) (PDF). Virus Bulletin Conference.
[4] Z0mbie (2000). ""DELAYED CODE" technology (version 1.1)", white paper. Netlux: Delayed code technology (http://vx.netlux.org/lib/vzo23.html)
[5] F-Secure virus descriptions: Tremor (http://www.f-secure.com/v-descs/tremor.shtml)
[6] Symantec security response: One_Half (http://www.symantec.com/security_response/writeup.jsp?docid=2000-121513-2517-99&tabid=1)
[7] Sophos security analyses: Troj_Ransom.A (http://www.sophos.com/security/analyses/viruses-and-spyware/trojransoma.html)
[8] Viruslist: Virus.Win32.Gpcode.ag (http://www.viruslist.com/en/viruses/encyclopedia?virusid=123921)
[9] A. Young. "Cryptoviral Extortion Using Microsoft's Crypto API". International Journal of Information Security, Volume 5, Issue 2, April 2006. pp. 67–76. SpringerLink: Cryptoviral extortion using Microsoft's Crypto API (http://www.springerlink.com/content/t8m2v4w360025461)

External links

• Cryptovirology Labs (http://www.cryptovirology.com) - site maintained by Adam Young and Moti Yung
• Cryptography and cryptovirology articles at VX Heavens (http://vx.netlux.org/lib/?index=CR&lang=EN)
• Cryzip Trojan Encrypts Files, Demands Ransom (http://www.eweek.com/article2/0,1759,1937408,00.asp?kc=EWRSS03119TX1K0000594)
• Can a virus lead an enterprise to court? (http://www.evilbitz.com/2006/12/09/an-intriguer-virus/)
• A student report entitled Superworms and Cryptovirology (http://www.delectix.com/articles/malware/superworms-and-cryptovirology/)
• Next Virus Generation: an Overview (cryptoviruses) (http://www.rosiello.org/archivio/Next_Virus_Generation.ppt) by Angelo P. E. Rosiello (http://www.rosiello.org/)


Parsiferon. One666. Gogo Dodo. Saibo. Roastingpan. 741 anonymous edits Backup  Source: http://en. CliffC. Isnow. Ohadgliksman. BroodKiller. Tmalcomv. Ryan Norton. James Foster. Abdull. Cikicdragan. Umapathy. Mattgirling. Stephen Turner. Reswobslc. Chaheel Riens. Robwingfield. Dtgm. Multiwikiswat. Dalahäst. Hm2k. Somearemoreequal. Blue520. Binarybits. Mendalus. Dsonline. Ozstrike. BillyPreset. Tedickey. Panda Madrid. Seo100. GraemeL. Wilky DiFendare. The Nameless. Voidxor. Palica. Blainster. Leahtwosaints. Boffy b. LizardJr8. Penubag. Rich Farmbrough. Josephs1. PopcornGoesTheWeasel. Kueensrÿche. Visualize. Mikewax. Jack O exiled. Pandawelch. Rivanov. 84 anonymous edits Botnet  Source: http://en. Moonriddengirl. Trurle. Derek farn. Lenoxus. Garas. Pingveno. Starionwolf. FDD. Tregoweth. Agil. Manway. 2001:67C:328:201:2986:D706:D76E:8B97. Pgk. AstareGod. Graham87. 894 anonymous edits Assembly language  Source: http://en. Sensiblekid. Proland. Na641. Danny. IceUnshattered. Colejohnson66. Frosted14. Dimo414. Zanimum. Wesley. Escape Orbit. Marokwitz. IanOsgood.wikipedia. SpareHeadOne. Autodmc. Arthena. SuperSmashBros. Redrose64. Abecedarius. TheTito. Kencf0618.qarta. Jeh. Rjwilmsi. Kubanczyk. Mxl. Gigs. Mortense. Topicle. Bugsguy. Starnestommy. Socrates2008. Σ. Miiszmylove. Public Menace. Wickipdica. Damian Yerrick. ChrisEich.org/w/index. JustKitten. Elison2007. Matt B. Mike Field. Flewis. Kremnin. Blakegripling ph. 5theye. Waffleatron3. Easygoeasycome. Gscshoyru. Bfitzh2o. Wernher. Andy Dingley. Jebus989. Toksyuryel. Versus22. Kaster. Kglavin. Phantomnecro. Excirial. Kl4m. SpuriousQ. Wwmbes. Sergey AMTL. LCP. Lzeltser.org/w/index.Article Sources and Contributors SiobhanHansa. Lamarmote. Materialscientist. Conversion script. Angusus. LemonMan. Ibbn. Janendra. Serych. Homo sapiens. Pyrospirit. Qxz. Chris G. Alhead. Zundark. Regancy42. Crotalus horridus. ReformatMe. Trevor MacInnis. DARTH SIDIOUS 2. Stu42j. Slashme. SoleraTec. Perfecto. Calculuslover800. BebyB. Kandr8. 
Discospinster. AlistairMcMillan. Tide rolls. BrokenSegue. Keilana. C45207. Mdanh2002. Ravensburg13. Isnow. Wrp103. Bluemoose. Gwern. Hoo man. Gomm. Falcon8765. Newmen1020304050. Everyking. ClementSeveillac. Chmod007. Beno1000. CardinalDan.. Ashley thomas80. Espoo. Cheeselet. Tzarius. Alexbatko. Cynical. Fmccown. Pakaran. Slightsmile.NETLover. Immunize. Krator. Bilbo1507.. Jukrat.php?oldid=499815001  Contributors: Ahunt. Gwernol. Anger22. Chealer. Shantavira. Heracles31. Hydrargyrum. Robert Merkel. Andre Engels. JohnCJWood. CanisRufus. Arfrever. Valwen. Uniwares. Laudaka. WalterGR. Slowking Man. Melovfemale. Mkcmkc. Can't sleep. Zenohockey.in. Philip Trueman. Michele. SteinbDJ. Femto. AcceleratorX. The Kinslayer. 16@r. Kbdank71. LOL. Praefectorian. Ferkelparade. Kwamikagami. Chatul. Qu4rk. Rfc1394. Mario Blunk. SuperAntivirus. Giftlite. Fluffernutter. Audriusa. Tim32. BodyTag. Solipsist. Galzigler. Zifert. BlueDevil. ChrisHodgesUK.cm. Tide rolls. Dawnseeker2000. S. Wmahan. Mustafazamany. Staszek Lem. Jerryobject. FleetCommand. MatthewGreber. VampWillow. Plati. Tgeorgescu. Arvindn. ZyMOS. RedWolf. Cameron Scott. Pol098. Pavix. Elving. Jth299. TheProject. Stefan.rego. Murray Langton. Jfmantis. Dfarrell07. Bongwarrior. Danceswithzerglings. Alfio. Shaw. Skyinfo. MER-C. Teles. Furrykef. Vlad. Kostes32. Stevemc81. Snesfm. Meaghan. Malijinx. JamieS93. Icenine378. Luicdsystems. Brhl. Execter. Allens. Struway. Affinanti3. Gilliam. Akhristov. Dwe0008. CesarB. Mendel. NJA. JonHarder. Pcguru66. Nasnema. Paul Mackay. Mothmolevna. Giobe2000. Nikai. TheMw2Genius. Stewartadcock. Muslim lo Juheu. Discospinster. Ham Pastrami. Kvedulv. Kbrose. Bluerasberry. Neustradamus. Emedlin1. Snezzy. Teenboi001.xxx. Uncle G. Ankitguptajaipur. Schultkl. Bumm13. Nanshu. Martynas Patasius. K1ngXSp3c1al. MCWNT. Hotdogger. Bigdumbdinosaur. Thanatos465. JorgePeixoto. GermanX. Wootonius. Wizardman. Locke Cole. Mild Bill Hiccup. IddiKlu. CUTKD. Eran. Frap. Enauspeaker. Awcohn76. Zvn. AnnaFrance. 
NawlinWiki. Hans Dunkelberg. Goa103. Okane. Pcap. Ruud Koot. Daniel Santos. Superjoel. Ohconfucius. Rocketrod1960. Can't sleep. The Monster. Jenseng. Borgx. Craig Pemberton. Popicon. Matturn. Inzy. Amin faghih. TheAMmollusc. Emperorbma. Kumarworld2. TurboForce. Rm1271. Jay. Michal Jurosz. CyberK. The Thing That Should Not Be.wikipedia. CanOfWorms. FleetCommand. Brian Helsinki. Gaius Cornelius. Dinoguy1000. Wereon. Smaffy. Gurch. Derek Ross. Joseph843. ReformatMe. WorldlyWebster. S. O.wap. Pictureuploader. Colonies Chris. Elsendero. 438 anonymous edits Bliss (virus)  Source: http://en. Tinnytintin. Troy 07. Bryan Derksen. Utcursch. 49oxen. DeanHarding. 90 . J. Surturz. Munishgoel4. Tommy2010. Pnm. Kbdank71. AdjustShift. Pnm. Lonwolve. Rohaneknathshinde459. Helloibrahim. Karn. Zginder. J7. SS2005. Jasper Deng. Rasmus Faber. EncMstr. Kairotic. Capi crimm. Miguelito Vieira. Mr. Hadal. Mozillaman. Georgest23. Stephen Gilbert. Aymatth2. Ap. Glane23. StealthFox. Burkestar. The Epopt. Khunglongcon. Austinmurphy. White 720.php?oldid=526689737  Contributors: 16@r. Tbhotch. SpooK. Freakmighty. Diflame. Slaryn. Smsarmad. Owl3638. MiNombreDeGuerra. Fred Bradstadt. Paul August. TeaDrinker. Astonmartini. Maltrap. Peter Flass. Pavel Vozenilek. Beland. TParis. THEN WHO WAS PHONE?.wikipedia. SoledadKabocha.php?oldid=526874784  Contributors: 0o64eva. Ahoerstemeier. Wi-king. 3Nigma. Akamad. Femto. Mellamokb. Marnegro. Robbe. Babajobu. Wknight8111. Xsxoxs. TheJC. Rotring. Mmernex. Mdwh. Ntsimp. Ronz. Zorxd. Coolv. CRGreathouse. Yuyujoke. Gondooley. The Thing That Should Not Be. PJonDevelopment. Red Prince. The Mad Bomber. Simon80. Utvik. Materialscientist. Patrickjk. Kirill Chiryasov. Frap. Richi. Zirix. Alansohn. Eagle246. 10014derek. Mavenkatesh. Jesant13. Trusilver. Longtt89. Athaenara. Archanamiya. Bsdlogical. Bryan Derksen. FluffyWhiteCat. Poolisfun. Caue. An-chan. ThomasHarte. Beland. Tanvir Ahmmed.org/w/index. Buhadram. Music Sorter. Tomasz Tybulewicz. Jimmyjza. 
Evil Monkey.Edmonton. Unyoyega. Pinethicket. Tcsetattr. Martlee78. A. Accatagon. Ma2001. Marasmusine. Materialscientist. Anonymous Dissident. Cuvtixo. Eds147eds. Fubar Obfusco. 25 anonymous edits Boot sector  Source: http://en. Diablosblizz. Bobblehead. Garo. MikeRS. Choogendyk. Ultimus. Geau. Blathnaid. Dragon DASH. Technopat. A8UDI. Tushard mwti. Whitehatnetizen. Staszek Lem. Wtmitchell. Oo7jeep. Mikellewellyn.Lt. Womanitoba. Mfisherkirshner. ZayZayEM. Gutsul. Kindall. Sahilm. Manatee0. Peter. PhilHibbs. Sether. Gioto. James086. Mindmatrix. Tobias Bergemann. Kmcdm. Born2cycle. Korg.Do!. Wavelength. Ashmoo. Stmrlbs. Vipinhari. Palica. Timsheridan. Vatrena ptica. Vid512. Jerome Charles Potts. Kvng. Irfanshaharuddin. Sir Nicholas de Mimsy-Porpington. Mats131. Suffusion of Yellow. Sanoj1234. BazookaJoe. Rfellows. Edward. Ahy1. Toothpaste95. R. Masgatotkaca. Bovineone. Mercy11. Wikipandaeng. Pdinhofer. Wallajam. Samwb123. Isilanes. Egladkih. Eptalon. Bigdumbdinosaur. Wikikiki. VB. Quadell. NightFalcon90909. Widr. Kku. JoeSmack. JoeBruno. Akyprian. Jacob. Zarel. Sop123. Theodolite. Keecheril. Piet Delport. Itappakeg. Timetosepp. Evice. ChazZeromus. Piotrus. Korinkami. Ospix.alessandrini. Tohd8BohaithuGh1. Capricorn42. Trusilver. Alan d. Anwar saadat. Lirane1. Atlant. The Thing That Should Not Be. JohnLai. Psz. Superm401. Snoyes. Frap. Heron. Rick Block. Brookie. Wikiklrsc.wikipedia. Ivan.x4. CultureDrone. ItsProgrammable. Dsavi. Pastore Italy. Ceyockey. JPHackworth. JavierMC. Swtpc6800. Sjconrad-mchedrawe. Crakkpot. Toussaint. Kalamkaar.sound. RainR. Longhair. Delpino.php?oldid=528361769  Contributors: 03vaseyj. Xymmax. SpeedyGonsales. Xxhopingtearsxx. Hellgi. Noone. Giddie. DanielPharos. Just Another Dan. Nigelj.delanoy. Ripdog2121. Dougmarlowe. Jeffrey Mall. Arichnad. CommonsDelinker. Spe88. FDD. Wjl2. Erotml. Shadow demon. Jeff G. Hornlitz. Dcoetzee. BDD. Darrien. CanadianLinuxUser. Piyush1992. Robb.php?oldid=528729952  Contributors: 10metreh. Nuno Brito.wikipedia. 
Nisha1987. Cybercobra. Rlandmann. Andres. Light current. Tijuana Brass. Michael Devore. Mike A Quinn.. FreelanceWizard. Ray Van De Walker. Miremare. 212. Bradlegar. Gökhan. Traxs7. ButOnMethItIs. Sleigh. Ale jrb. Tor Stein. SD6-Agent. Peterl. Reinderien. Chieffancypants. Weregerbil. HumphreyW. Intersofia. Yabba67. Rotundo. Liamscanlan. Epbr123. Public Menace. Nmcclana. Xeolyte. Mild Bill Hiccup. Doczilla. Askild. Lowellian. Pol098. Orbst. Haaninjo. W2bh. Tazchook. Andrei. Feezo. Boffob. Vmaldia. Seam123. Tarikes. MER-C. Slightsmile. Socrates2008. Guy Harris.stohr. Aecis. JaGa. Bokonon. Morte. HexaChord. Jpsowin. Spinality. JustAnotherMe. Evilfishy1. Nosferatus2007. HamburgerRadio. John of Reading. Aleph Infinity. Alleman. Gary09202000. DabMachine. A. CapitalR. Hm2k. ArchiSchmedes. Rjwilmsi. Swaq. Tonymec. TonyW. TheStarman. Yurik. Greensburger. Ohnoitsjamie. Pneuhaus. TheStarman. ElationAviation. SudoGhost.R. System86. Mujdat61. DouglasGreen. Jiveshwar. Smwikicn2007. Reaper Eternal. Vrenator. Calimero. R. Pedant17. Quarryman. Conan.g. Alerante. PamD. JonHarder. Rnsimmons. Krenair. Courcelles. Superchad. SkyWalker. Xp54321. Abdullahazzam. Stephenjudge. Woohookitty. Scientus. Rbakels. Ulric1313. Wikkid. Rich Farmbrough. Damian Yerrick. Expertour. Msikma. Sanbec. Trafton. Mirror Vax. Jeff Dinham. Emilinho. Virtual Particle. Shadowjams. Ahunt. El C. Rror. Kjp993. Nikai. Mwaisberg.org/w/index. Bigs slb. Singlemaltscotch. SimonD. Patrick. Rwmoekoe. Rzorshrp. JuventiniFan. Android Mouse. Stormy Ordos. Wernher. Serpent's Choice. Wayne Slam. Jdivakarla. TheDoober. SoWhy. Darktemplar. UncleDouggie. Andoceo. Seango65. Jaysbro. Fabiform. Stephenchou0722. LK20. Igoldste. Paresthesias. Jesse Viviano.wikipedia. Pladook. Rdnk. RobBrisbane. Supercoop. Dmbrunton. Alansohn. Popsracer. Wj32. Versageek. Aprzezdziek. DMWuCg. Hsinghsarao. Khattab01. LeaveSleaves. DennisDaniels. Hirzel. Chasingsol. Chris the speller. Monz. Misi91. Arbabarehman. Ronz. Download. Firewall-guy. Mkouklis. 
Intgr. Photoman365. Cmartincaj. Triedtool. Soumyasch. Devourer09. Tralala. Shlomke. RCX. Ghettoblaster. Teksquisite. Escape Orbit. Ultimus.php?oldid=524626394  Contributors: Agari. Dinhtuydzao. Romal. Rich Farmbrough. DevastatorIIC. Jesselang. Neon white. Omegatron. White Agent. Mac. Lkopeter. Abune. Hidbaty223. Elliman1. JiFish. Kurivaim. Jake 3325. Brage. Samsam3rd. Troels Nybo. 90. Velle. KD5TVI. Newspartnergroup. Leedeth. Pcb21. Anna Lincoln. JurgenHadley.188. Grizzly37. Wiki alf. Scipius. Stuart Morrow. TheRyan95. HamburgerRadio. Avinashm. Farqad. Hobart. Zx-man. SpuriousQ. LizardJr8. Moa3333. Lotusv82. Spalding. Vlnsudhish. Crispmuncher.jose. Javeed Safai. Herzleid. Jamesontai. A little mollusk. AlistairMcMillan. AlistairMcMillan. Mellum. Mykk. Oldhamlet. RadioActive. JamesBWatson. Arnos78. Vwollan.Odessa. Omegatron. Dexter Nextnumber. David Gerard. ViperSnake151. The Thing That Should Not Be. Dark Silver Crow. Epolk. Mathonius. Wik. Thurak13. clown will eat me. Sephiroth storm. Alexander. Shariqcsdn. Kubanczyk. Haiviet. Haseo9999. Fuzzbox. Tech2blog. Matthiaspaul. Phr. Ryanxo. Karafias. GFree. Cpiral. Angela. Thekillerpenguin. AntonST. Jeza87. Frap. Trijnstel. AnthonyQBachler. Narax. Mi8ka.Torpey. Blashyrk. Aitias. Warren. Lotje. Sanpnr. M7. Lzur. Iridescence. Melancholie. Reedy. Rockfang. Scott Gall. Th1rt3en. Thu. Sietse Snel. Spuernase. Mwtoews. Goodone121. Dawkcodave. Davidshq. Pearle. MrOllie. Emenid. Suffusion of Yellow. Andonic. Wereon. WPANI. Dead Horsey. Altenmann. Richard-in-florida. Yworo. Baylink. Softfreak. Phantomsteve. Armando. 28bytes. KP-Adhikari. Casascius. Raanoo. Avun. Mattinbgn. SF007. Konstable. Nuno Brito. Rocketshiporion. DekuDekuplex. IMSoP. Haseo9999. NawlinWiki. Tannin. Bevo. Jm546. AMRAN AL-AGHBARI. MP64. GunAlchemist. XJamRastafire. Chester Markel. Dxco. Chris Chittleborough. TBloemink. Paulsterne. Mindmatrix. DragonLord. MER-C. Sietse Snel. Mentifisto. JamesBWatson. PrimeYoshi. Neshemah. Xaver David. Dunxd. RexNL. Hmallett. 
Kralizec!. Badagnani. Another-anomaly. Emvee. Dtherrienexagrid. EasySCC. Cat333Pokemon. Binrapt. Christian List. Softlogica. Eptin. Hdt83. Syjsoc. Mike A Quinn. Kuru. VernoWhitney. Bornhj. Areebmajeed. Greenrd. Brolin Empey. Fourohfour. Zundark. Fredtheflyingfrog. Samker. Wfried. Pharaoh of the Wizards. Vobis132. Lenin1234. Beetstra. Carlos Porto. XP1. Chopin1810. Snowolf. WPANI. Koektrommel. DavidCary. Teply. Trapped34. Karada. Eisnel. Pnm. Violetness. Jorgon. RHaworth. AnakngAraw. Ewx. Suruena. Nakon. Uli. Woohookitty. Nemilar. Tomtheman5. Ramu50. DirkvdM. Chrisahn. General Trelane. Ka vijay. AlastairIrvine.Brawl777. SimonP. Furrykef.moore. Franklin. Wikiloop. Diannaa. Shaw. CliffC. Andreas Toth. Mean as custard. Greenrd. Relaxing. Dreamteamone. Backslash Forwardslash. Shadowjams. Tannin. Skypher. Danny Beaudoin. Kbdank71. Quux. Trotline. Perohanych. Although. Fæ. TAG. Bison bloke. OldCodger2. DavideAndrea. Tommy2010. NaBUru38. Ihatetoregister. ChongDae. Wrldwzrd89. RickK. Thumperward. Wolfmankurd. Arthurnyc. DMacks. Yworo.org/w/index. Corvus cornix. Tangotango. TheParanoidOne. Xenobiologista. I365. FleetCommand. Tempshill. SpeedyGonsales. Gannimo. Nandesuka. Fubar Obfusco. TigerShark. Anna Lincoln. Triskelios. Sfoskett. Alex. DerHexer. Woohookitty. Easyas12c. S0aasdf2sf. SashaRawwrr. Filemon. Kdakin. Kolega2357. LittleBenW. Emuguru. Evolve2k. William Allen Simpson. Shadanan. Beefball.Koslowski. Troymccluresf. Cumbiagermen. Eagleal. Minesweeper. Wengier. JC. Wavelength. Luckas Blade. Golftheman. KellyCoinGuy. RajahChacko. Nightstallion. Grafen. Meera123.org/w/index. Surv1v4l1st. Meinsla. Iaen. MasterProf. True Pagan Warrior. Fmiddleton. Vernalex. NERIUM. clown will eat me. Dieter Simon. Whkoh. B4hand. Turbulencepb. Dasnov. Hirebrand. Havanafreestone. EricR. Chaojoker. VMS Mosaic. LeaveSleaves. Apokrif. Sljaxon. Svarya.online2006. Hagerman. CiTrusD. Gnicol au. ESkog. Vrenator. Wiki alf. EvilKeyboardCat. Doug. Bryan Derksen. Bender235. Hu12. Gaius Cornelius. 
Alvestrand. Sploonie. Jettux. Vermorel. Yaronf. JamesBWatson. PatrickFisher. MrOllie. CyberSkull. Hvn0413. Vale Len. Tide rolls. Wre2wre. Moonlit Knight. Pinethicket. Nikhil Alex. Boston. RexNL. Beland. SilentC. ZimZalaBim. Subversive. GoldenMeadows. G7yunghi. Mcandre.19. Sam Korn. 580 anonymous edits Antivirus software  Source: http://en. Sonia. BENNYSOFT. Derekcslater. HenkeB. Galoubet. ShaunMacPherson. Piano non troppo. Ysangkok. Ckhung. Claunia. Gene Nygaard. Wadih7. MonstaPro. Helicopter34234. Zonination. Brick Thrower. Edward. Cquarksnow. Blah2. Salvidrim. TheKaneDestroyer. Cyan Gardevoir. Wernher. UBJ 43X. C45207. Versus22. SimonP. Ixfd64. Bender235. HJ Mitchell. Wizho. Lakshmin. Alan Liefting.

Fubar Obfusco. Mato. Tyw7. Bachrach44.org. Gamerzworld. Rkomatsu. LilHelpa. Den fjättrade ankan. GraemeL. Gogo Dodo. Lotje. Materialscientist. Maln98. Barkeep. Corwin8. Kamyar1979. Hqb.wikipedia. Guinness man. Oarchimondeo. TimMouraveiko. Eequor. Borkificator. Dysprosia. Dfrg. JoeSmack. Jakuzem. Abdull. Barts1a. Alialiac. Luxomni. Egil. Dewet. StuartBrady. Lastorset. Fedia. Albanaco. Dragan2. Gunnar Hendrich. Frap. Manionc.php?oldid=527546833  Contributors: Hunan131. Thiseye. PigFlu Oink. Mitch Ames. Mion. Ziyad en. OlEnglish. Hashar. TreasuryTag. Ramu50. Ham Pastrami. Bogdangiusca. MITalum. Wiwiwiwiwiwiwiwiwiwi. Sun Creator. Zoicon5. TheMandarin. Ka-Ping Yee. Sspecter. GlowBee. Milo03. DanielPharos. Robertb-dc. Oli Filth. Leszek Jańczuk. Skiidoo. PL290. Plop. Oneiros. Andros 1337. Avastik. Paul Foxworthy. Closedmouth. Harley16ss. Woohookitty. Isnow. Vonbraun. Joshwyant91. Jtg. Edward. Parthasarathy. Kudz75. Ignacionr. Jarhed. Dawnseeker2000. GoldDragon. CommonsDelinker. Guy M. Epbr123. Tim1988. ServeNow. Jason. DoubleBlue. Neurolysis. Small Boss.wikipedia. 54 anonymous edits Cryptovirology  Source: http://en. Woohookitty. Rktur. Smaug123. Vrenator.. SteveSims.). Wik. clown will eat me. Frap. Jim1138. TimBentley. Jasper Deng. Walloon. TomTheHand. WPANI. Goplat. Torreslfchero. Mark83. Fratrep. Qworty. THWoodman. Wesley R. Powellatlaw. Nosferatü. Zman2000. IndianGeneralist. Pauli133. Martinibra. NHRHS2010. Aeons. MamaGeek. Sjwheel. Nixdorf. RJBurkhart. Fuzheado. Noctibus. CliffC. CWenger. General Rommel. Juhtolv. Pomegranite. MrOllie. Torc2. Pyabo. Dcoetzee. Andy Marchbanks. WhisperToMe. Subzerobubbles. Souch3. NeonMerlin. Goldfndr. Bobrayner. Dratman. Jmax-. Sietse Snel. Oxfordwang. Conversion script. Canadianshoper. Narson. Ehheh. Nsteinberg. Ego White Tray. ColdShine. Mbell. GCarty. Yurivict. Henry Stanley.fasd. Jackfork. Lightmouse. Lawrence Cohen. AssetBurned. Sam Korn. Adpete. Quuxplusone. BigChicken. Guive37. Pastafarian32. Rami R. Cupidvogel. Dspradau. GHe. 
HLGallon. Ner102. Ellipi. Mindmatrix.andrew. Woodroar. Kurykh. Mattg82. Hserus. Tbutzon. Jadtnr1. Daniel Mahu. Crakkpot. Alarob. Pol098. Eptin. ScottyBerg. Joel7687. AVRS. Comphelper12. InFAN1ty. SaveThePoint. Deor. Rjwilmsi. Itsme2000. LrdChaos. Can't sleep. Franck Dernoncourt. MensaDropout. Canthusus. DanielPharos.org/w/index.org/w/index. Notheruser. Kotasik.kr.. Seth Ilys. DStoykov. Riana. Kiore. Evice. Tjic. Magicman3894. Althai. Gracefool. Dfense. GioCM. JoeSmack. Kerowren. Wavelength. Erik9. Smack. DanielPharos. Michael Frind. Marvin01. MDfoo. SAE1962. InShaneee. Gleeda. Bongwarrior. Jfmantis. Leuko. Vejvančický. Melab-1. Soumyasch. Dj ansi. TheParanoidOne. Neoneurone. Hamiltondaniel. Newnoise. Roger. Tedickey. LiDaobing. Swaroops24. Tiangua1830. Mboverload. SasaMaker. Goblin. Jaimee212. Doczilla. James McNally. Little Mountain 5. Kubanczyk. Rfc1394. Hitoride. Ghatziki. Mephistophelian. Aegicen. Iridescent. CyberSkull. Daev. Zundark. Cyda. Eiler7. Lyverbe. The guy on da moon. Andrewpmk. Mindmatrix. Calvinth123. Tobias382. RainR. Ahy1. Sander Säde. DmitTrix. Merletenney. Sephiroth storm. Twillisjr.grossman. Tannin. Khalid hassani. Bobrayner. Alansohn. HamburgerRadio. Sburke. JonHarder.delanoy. Hu12. Adib. Eequor. Rich Farmbrough. Pastore Italy. IoptaBan. Tpk5010. The Thing That Should Not Be. Mzub. RichardVeryard. Biblioteqa. Curatica. SimonP.250. Jdforrester. Umofomia. Trafton. Martyn Lovell. Mihai Damian. Techie guru. Ivan Pozdeev. Elarsen. Paul 012. Malcolm Farmer. Piano non troppo. 563 anonymous edits COM file  Source: http://en. Danhash. Szary89. Gfoley4. Runtime. Mosquitopsu.org/w/index. Katieh5584. Brion VIBBER. Pwitham. Enkrona. TreasuryTag. Wwwwolf. Roboshed. Sidasta. Excirial. Thumperward.php?oldid=525096391  Contributors: Adm. Eeekster. FlyHigh. Nsaa. Rs232. Guitarmankev1. David Gerard. SietskeEN. Speedeep. Can't sleep.kdfjk. Smaug123. PansikMaZer. CardinalDan. Piotrus. TwoOneTwo. Demizh. MetaManFromTomorrow. Rurik. 
Jjmerelo.php?oldid=523309182  Contributors: (. Hersfold. Unixguy. TheTrainEnthusiast. Matthiaspaul. KelleyCook. Brainwipe.Article Sources and Contributors Cyberdog958. Tassedethe. Mtxf. Derek Ross. Nono64. Shoy. StuffOfInterest. Firetrap9254. RCX. Coopercmu. Kalin. Kjkolb. Eurleif. K1Bond007. Matusqo. Vitthal in. Fenwayguy. Frap. DavidTangye. Fomalhaut71. Kollision. WalterGR. Moe Epsilon. LittleSmall. Parijata. David. Anbu121. Gerbrant. DarkfireInferno. RedWolf. Discospinster. Jarble. Jenny Wong. Minimosher. Paul. Brettz9. Modster. Rprpr. 526 anonymous edits Compression virus  Source: http://en. Jaimie Henry. Gulmammad. Christopher Mahan. John of Reading. Bento00. Kozuch. Furby100. Wiarthurhu. Ivhtbr. Ta bu shi da yu.wikipedia. Kaihsu. Arvindn. Lilac Soul. LeaveSleaves. DeadEyeArrow. Fennec. Neelix. Gamma. Qutezuce. MrOllie. Clicketyclack. Kusma. Dracker. Zabanio. Waerloeg. Iwebsurfer. Dlohcierekim. Jkelly. Paul Abrahams. Heracles31. Monkeyman. Sat84. Yachtsman1. LC. Koyaanis Qatsi. Luno. Snori. Efa. DARTH SIDIOUS 2. Fubar Obfusco. Paul Richter. Sperling. Lloydpick. PierreAbbat. Zifert. Yosri. Ghettoblaster. JeremyR. DnetSvg. Mogism. Dysprosia. Cellorelio. Pol098. Makeemlighter. Burntsauce. Jrtayloriv. Bongwarrior. Imfo. Leaflord. Scientus. HamburgerRadio. Trinite. Evil saltine. Uncle G. Mitch Ames. Ralos. AFA. SteveLoughran. Mild Bill Hiccup. DixonD. Rjwilmsi. Arvindn. Pnm. Kyng. S. Yyaflkaj. Dcsohl. Struthious Bandersnatch. Uncle Dick. Asterion. Intgr. Hooperbloob. Lowellian. Meatabex. Dekisugi. Binarygal. MrOllie. Gracefool. KelleyCook. Camembert. Slavik0329. Shaw. Pedant17. Avicennasis. Toussaint. Shuini. Jerk. Monty845. Bobo192. Syndicate. ReyBrujo. Ian Dalziel. Barakw. Int19h. JediKnyghte. Sinicixp. GiM. Ramaksoud2000. DVD R W. Yworo. Socal212. Miquonranger03. Mortense. Rich Farmbrough. WalterGR. Jbarre10. Gurch. Vacio. Awg1010. LokiClock. Yixin1996. A-Day. Faisal ALbarrak. Palica. Alejos. Gamgee. Gilliam. Erianna. Jon207. Corti. MathiasRav. Sculliam. 
Mszegedy. Wimt. RexNL. Philip Trueman. Superkc. Evercat. A. Jondel. Gtrmp. Magioladitis. Jigarbjpatel. The Anome. Gardar Rurak. Mrwojo. Donama. Alvin-cs. NYKevin. SchuminWeb. EscapingLife. Mantovanifabiomarco.M. Hintss. AnonMoos. West. Alansohn. 6 anonymous edits Computer insecurity  Source: http://en. NapoliRoma. Krellis. Mogh. DaveB549. Useerup. Heron. Noloader. Galoubet. Pcap. Tanath. Benley. Traveler100. Iridescent. BigDunc. Pmod. Epbr123. Novum. Bbi5291. Vividupper66. Christian Storm. Ingolfson. YUL89YYZ. Rossumund. Ww. Matt Crypto. Furlong.org/w/index. Jesse Viviano. A*-search. Dindon. ZayZayEM. Ww. KelleyCook. BWCNY. Guy Harris. Falcon8765. Zebediah49. Selket. Latka. Nate Silva. Apexprim8. NawlinWiki. Ryan Norton. Ffangs. Mscullin. Daicarus. Jerome Charles Potts. Schnoatbrax. Maximaximax. Freqsh0. Ww. Fæ. Ww. Milo03. King of Hearts. A930913. Dynabee. Eyu100. Versageek. TonyW. JLaTondre. clown will eat me. Modster. Husond. Sheitan. Clharker. Abelson. Augrunt.org/w/index. Harryboyles. KelleyCook. W Hukriede. Upholder. H2g2bob. Kingturtle. BAILOPAN. Fubar Obfusco.org/w/index. Kuru. Gerbrant. BurntSky. Wilinckx. Rodrigostrauss. Minesweeper. WalterGR. J. Feezo. Eleland. Mzima. Furrykef. Josh Parris. Tom Archer. Jclemens. Marshviperx. Poeloq. StaticGull. Aim Here. Logan. Aclyon.wikipedia. MER-C. Stephen Gilbert. Andres. TravisMunson1993. Wiki13. Crackitcert. Escape Orbit. Zvika. HamburgerRadio. Jeff G. AVRS. Maurice Carbonaro. Rick Block. Ptomes. Uncle G. Ferris37. Benjabean1. SS2005.wikipedia. Matt Crypto. Bender235. Celarnor. Amrishdubey2005. Bluefoxicy. Stellmach. Glassman. Derschueler. Alerante. Nattippy99. Luigifan.php?oldid=528948672  Contributors: (.. JohnValeron. Mygerardromance. Useingwere. Orphan Wiki. Stephen Gilbert. Efitu. Martial Law. Rjwilmsi. Amanda2423. Druiloor. Nohat. Jeepday. Jwkpiano1. Abach. Joseph Solis in Australia. CesarB. Ignatzmice. Richard Arthur Norton (1958. Wmahan. DS9 Voyager. Akadruid. MikyStack. 
62 anonymous edits Computer worm  Source: http://en. Konstantin Veretennicov. Julesd. Luna Santin. Tyomitch. Rik G. Misza13. LykMurph. Lotje. Woohookitty.Light. Colfer2. Kralizec!. Fsiler. Rockpocket. Dark Mage. Beland. Lion891. Fanf. RedWolf. MatthewMastracci. Tom W. Shadowradiance. Marudubshinki. Rjwilmsi. 183 anonymous edits Computer surveillance  Source: http://en. Rpyle731. Evice. Alekjds. Jaericho. Meclee. RJaguar3. Schoen. Haya shiloh. Jonathanriley. Kungfuadam.php?oldid=513235962  Contributors: Adamlucasyoung. Mgnicholas. Emperorbma. Naddy. KneeLess. Sega381. UserGoogol. Davidiad. TreasuryTag. Capricorn42. Can't sleep. Wombdpsw. Intelligentsium. MunkyJuce69. Uberian22.php?oldid=528314201  Contributors: A More Perfect Onion. Andycjp. Pokemonblackds. Warren. Magioladitis. Mintleaf. S Larctia. ZeroOne. Dreaded Walrus. Jemappelleungarcon. CanisRufus.qarta. Sljaxon. Pikolas. Staeiou. Jkl. PeetMoss. Misza13. Stagefrog2. PHenry. Fredrik. M. William Avery. Zegoma beach. Borgx. Screenshotguy. MichaelBillington. Timwi. Bdesham. CactusWriter. Ente75. Ohnoitsjamie. FlyingToaster. Zenohockey. Weregerbil. Jbeacontec. Gogo Dodo. Object01. Jake Wartenberg. Siggimund. Astronautics. Edward. Ramu50. Nurg. JohnCD. Anabus.wikipedia. Palfrey.KOZHUHAROV. The Thing That Should Not Be. Barefootguru. CesarB. Josh Parris. ShaneKing. WikHead. TonyW. Dgw. Bachrach44. The Anome. Svick. Dralokyn. AlMac. CrazyChemGuy. Mentifisto.Mestel. Patrick. Minghong. Sprinting faster.. Diannaa. Herbythyme. Johnthehero. Bitethesilverbullet. Mav. Denisarona. Ciaran H. Sega381. RubberTyres. Dysprosia. Hede2000. HamburgerRadio. Skater. Beta16. RagingR2. Seaphoto. Furrykef. Hodja Nasreddin. Nixdorf. TimMouraveiko. Wirbelwind. Finlay McWalter. Mindmatrix. Ephix.Hammerhead. Exert. Omegatron. Superjag. TRANA1-NJITWILL. Ttul. Grafen. Lfstevens. Sbanker. DJ1AM. Pengo. Systemf. OlEnglish. The sunder king. David Gerard.wikipedia. Haakon. Matt. Rossd2oo5. Flipjargendy. Bevo74. Zeno Gantner. Uzume. Ummit. Plexa. 
Upi. Linktopast30. Ulm. DerHexer. Fieldday-sunday. Elsberry. Stevertigo. DavidSky. Gyvachius. DanielPharos. Abelon. TonyLechner. Lights. The Literate Engineer. Gorson78. Pp2314. Waggers. Damian Yerrick. Lim Bio Liong. Jesse Viviano. Pass a Method. Tempodivalse. DonDaMon. Thingg. StaticGull. Glane23. Kbolino. Allens. SemperSecurus. Dataphile. Rahul s55.org/w/index. The Earwig. Nilmerg. Victor Fors. Julesbarbie. Sundström. Shantavira. Happysailor. Ohnoitsjamie. Philip Trueman. Sephiroth storm. Psychonaut. Bovlb. Logan. RJHall. Vernalex. 668 anonymous edits Creeper (program)  Source: http://en. Tailsx1234. Trixter. Turtlelover123. KoshVorlon. DanielPharos. Rhobite. Euchiasmus. Lal Thangzom. Tom-. XXXSuperSnakeXXX. MikeSchinkel.php?oldid=516698002  Contributors: 16@r. Tyomitch. WAS 4. Zingus. ZayZayEM. Julesd. Ynhockey. Tobias Bergemann. Eliz81. Jasonma84. One. Nguyen Thanh Quang.g. RJHall. Jackson McArthur. Rwwww. Zzuuzz. Jesse Viviano. Jpbowen. Touisiau. PhilHibbs. Jebba. JonHarder. DStoykov. HisSpaceResearch.bit. Lambyte. McGeddon. Smyth. Wiki alf. Nyttend. Rich257. Mlaffs. Artem12345. Grahamrichter. Gracefool. S0aasdf2sf. Tothwolf. Wikibarista. Powerslide. Thine Antique Pen. Grunt. Frap. Milnivlek. Pnm. Jcc1. Dac04. Skyfiler. Atulsnischal. Ryk. CA387. OrenBochman. Bobo192. Yamamoto Ichiro. clown will eat me. Smjg. Sensalgo. Clicketyclack. WhisperToMe. Enviroboy. R. Forensicsguy.msc. Ewlyahoocom. Richard001. Eaefremov. Judzillah. Webclient101. Bhny. Smyth. Edward. THB. Addshore. Magioladitis. Ahoerstemeier. Djairhorn. Stdundon. ESkog. Yintan. Xaos. Pnm. Toolnut.monkey.org/w/index. Bunnyhop11. Noone. GatesPlusPlus. Rurik. DennisIsMe. Tleavy-NJITWILL. Tetraflexagon. Jsmethers. Oducado. Yidisheryid. Doug Bell. The Anome. Luckyherb. Freakofnurture. Praesidium.whitby. MrChupon. John Vandenberg. ST47. 43 anonymous edits 91 . Ligulem. HamburgerRadio. Gscshoyru. DylanBigbear. Rfc1394. Woohookitty. Mcmvanbree. MrDimwit64. Just Another Dan. Optimist on the run. Pwnage8. 
Sensiblekid. Luís Felipe Braga. Ianneub. Starwiz. Emurphy42. Impherring13. The Anome. Mark UK. Amakuha. PubliusFL. Xpclient. Jwoodger. Mcld. LittleOldMe old. Dan Guan. Camw. Snoyes. David Eppstein. Chadloder. Brockert. Giftlite. 57 anonymous edits Component Object Model  Source: http://en. Nikai. Valar. Nil Einne. Notjarvis. Bluetulip. Stickee. Wernher. Wnzrf. Gilliam. Seashorewiki. Bluemoose. Erik9. Moxfyre. Jack Bauer00. Pradameinhoff. Ravivr. Joolz. Cyp. RedWolf. Little Mountain 5.wikipedia. EJF. Zoicon5. Craigsjones. Danpoulton. TheJosh. Laurusnobilis. Underpants. Pnm. Glacialfox. Gzuckier. Ehheh. JiFish. Dante brevity. Herunar. Paulbeeb. Pstevens. Mikewax. Mirror Vax. Chetvorno. JoeSmack. Orderud. Fredrik. Bexz2000. Sephiroth storm. Cacycle. Becksguy. Cekli829. Nigelj. SqueakBox. S3000. Seven of Nine. Shanes.php?oldid=529106846  Contributors: 2dsea. Ghettoblaster. Pit. George A. Unfree. Ahoerstemeier. Hajatvrc. Demizh. MattTait. Crimson Instigator. AlanNShapiro. Simetrical. Ryan1918. DataWraith. Real decimic. VIKIPEDIA IS AN ANUS!. Matt Crypto. ZooFari. Reach Out to the Truth. Moa3333. ArnoldReinhold. Mild Bill Hiccup. Light current. AVand. Beland. Gilliam. Dpol. Very cheap. Ohnoitsjamie. Ygfperson. Beezhive. Wendal. Reliassen.roumani. Autoerrant. Greenstruck.

org/w/index.org/w/index.org/w/index.2.php?title=File:ClamTK3.08.wikipedia.png  License: GNU General Public License  Contributors: Michael Boelen et al File:Motorola 6800 Assembly Language.wikipedia.org/w/index.org/w/index.jpg  License: GNU General Public License  Contributors: Dave Mauroni File:ClamAV0.svg  License: Creative Commons Attribution-Sharealike 3.png  Source: http://en.svg  Source: http://en.agr. 1 Apr 2005 (UTC) File:Morris Worm.0  Contributors: Tom-b Image:PersonalStorageDevices.org/w/index.svg  License: Creative Commons Attribution-Sharealike 3.Image Sources.php?title=File:Rkhunter_Ubuntu.php?title=File:Motorola_6800_Assembly_Language.jpg  License: Creative Commons Attribution-Sharealike 2.jpg  Source: http://en. Licenses and Contributors Image:ClamTK3.wikipedia.org/w/index.png  License: GNU General Public License  Contributors: SourceFire Image:Rkhunter Ubuntu.0  Contributors: Gppande .php?title=File:Botnet.wikipedia.png  Source: http://en.2.95.95. Licenses and Contributors 92 Image Sources.php?title=File:ClamAV0. USA File:Conficker.php?title=File:Conficker.php?title=File:PersonalStorageDevices.png  License: Public Domain  Contributors: Swtpc6800 en:User:Swtpc6800 Michael Holley File:Botnet.org/w/index.wikipedia.png  Source: http://en.jpg  Source: http://en.svg  Source: http://en.wikipedia.agr.08.wikipedia.wikipedia.jpg  License: GNU Free Documentation License  Contributors: --agr 15:53.jpg  Source: http://en.0  Contributors: Go Card USA from Boston.php?title=File:Morris_Worm.

License
Creative Commons Attribution-Share Alike 3.0 Unported
//creativecommons.org/licenses/by-sa/3.0/
