A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another when its host (some form of executable code) is taken to the target computer, for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.

Viruses are sometimes confused with computer worms and Trojan horses, which are technically different. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may cause harm to a computer system's hosted data, functional performance, or networking throughput when they are executed. Some viruses and other malware have symptoms noticeable to the computer user, but most are surreptitious. This makes them hard for the average user to notice, find and disable, and is why specialist anti-virus programs are now commonplace. Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, instant messaging and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware.

Simply put, a virus is a program that reproduces. When it is executed, it makes one or more copies of itself. Those copies may later be executed to create still more copies, ad infinitum. Typically, a computer virus attaches itself to another program, or rides on the back of another program, in order to facilitate reproduction. This approach sets computer viruses apart from other self-reproducing software because it enables the virus to reproduce without the operator's consent. Compare this with a simple program called "1.COM". When run, it might create "2.COM" and "3.COM", etc., which would be exact copies of itself. Now, the average computer user might run such a program once or twice at your request, but then he'll probably delete it and that will be the end of it. It won't get very far. Not so the computer virus, because it attaches itself to otherwise useful programs. The computer user will execute these programs in the normal course of using the computer, and the virus will get executed with them. In this way, viruses have gained viability on a world-wide scale.

Actually, the term computer virus is a misnomer. It was coined by Fred Cohen in his 1985 graduate thesis, which discussed self-reproducing software and its ability to compromise so-called secure systems. Really, "virus" is an emotionally charged epithet. The very word bodes evil and suggests something bad. Even Fred Cohen has repented of having coined the term, and he now suggests that we call these programs "living programs" instead. Personally I prefer the more scientific term self-reproducing automaton. That simply describes what such a program does without adding the negative emotions associated with "virus", yet also without suggesting life where there is a big question whether we should call something truly alive. However, I know that trying to re-educate people who have developed a bad habit is almost impossible, so I'm not going to try to eliminate or replace the term "virus", bad though it may be. In fact, a computer virus is much more like a simple one-celled living organism than it is like a biological virus.
Although it may attach itself to other programs, those programs are not alive in any sense. Furthermore, the living organism is not inherently bad, though it does seem to have a measure of self-will. Just as lichens may dig into a rock and eat it up over time, computer viruses can certainly dig into your computer and do things you don't want. Some of the more destructive ones will wipe out everything stored on your hard disk, while any of them will at least use a few CPU cycles here and there.

Aside from the aspect of self-will, though, we should realize that computer viruses per se are not inherently destructive. They may take a few CPU cycles; however, since a virus that gets noticed tends to get wiped out, the only successful viruses are those that take an unnoticeable fraction of your system's resources. The viruses that have given the computer virus a name for being destructive generally contain logic bombs which trigger on a certain date and then display a message or do something annoying or nasty. Such logic bombs, however, have nothing to do with viral self-reproduction. They are payloads, add-ons to the self-reproducing code. When I say that computer viruses are not inherently destructive, of course, I do not mean that you don't have to watch out for them. There are some virus writers out there who have no other goal but to destroy the data on your computer. As far as they are concerned, they want their viruses to be memorable experiences for you. They're nihilists, and you'd do well to steer clear of the destruction they're trying to cause. So by all means do watch out... but at the same time, consider the positive possibilities of what self-reproducing code might be able to do that ordinary programs may not. After all, a virus could just as well have some good routines in it as bad ones.
History of Computer Viruses
A Bit of Archeology
There are lots and lots of opinions on the date of birth of the first computer virus. I know for sure only that there were no viruses on the Babbage machine, but the Univac 1108 and IBM 360/370 already had them ("Pervading Animal" and "Christmas Tree"). Therefore the first virus was born at the very beginning of the 1970s or even at the end of the 1960s, although nobody was calling it a virus then. And with that, consider the topic of the extinct fossil species closed.
Let's talk about more recent history: "Brain", "Vienna", "Cascade", etc. Those who started using IBM PCs as far back as the mid-80s might still remember the total epidemic of these viruses in 1987-1989. Letters were dropping from displays, and crowds of users were rushing to the monitor service people (unlike these days, when hard disk drives die from old age and yet some unknown modern virus gets the blame). Their computers started playing a hymn called "Yankee Doodle", but by then people were already clever, and nobody tried to fix their speakers: very soon it became clear that the problem wasn't with the hardware, it was a virus, and not even a single one, more like a dozen.

And so viruses started infecting files. The "Brain" virus and the bouncing ball of the "Pingpong" virus marked the victory of viruses over the boot sector. IBM PC users of course didn't like any of that. And so antidotes appeared. Which was the first? I don't know; there were many of them. Only a few of them are still alive, and all of these antiviruses grew from single projects into major software companies playing big roles in the software market.

There is also a notable difference in how viruses conquered different countries. The first widely spread virus in the West was a boot virus called "Brain"; the "Vienna" and "Cascade" file viruses appeared later. In Eastern Europe and Russia, by contrast, file viruses came first, followed by boot viruses a year later.

Time went on, viruses multiplied. They were all alike in a sense: they tried to get into RAM, attached themselves to files and sectors, and periodically killed files, diskettes and hard disks. One of the first "revelations" was the "Frodo.4096" virus, which as far as I know was the first invisible (stealth) virus. This virus intercepted INT 21h, and during DOS calls to the infected files it changed the information so that the file appeared to the user uninfected. But this was just an overhead over MS-DOS. In less than a year electronic bugs attacked the DOS kernel (the "Beast.512" stealth virus). The idea of invisibility continued to bear fruit: in the summer of 1991 there was a plague of "Dir_II".
But the stealth ones were pretty easy to fight: once you clean RAM, you may stop worrying and just search for the beast and cure it to your heart's content. Other, self-encrypting viruses, sometimes appearing in software collections, were more troublesome, because to identify and delete them it was necessary to write special subroutines and debug them. But nobody paid attention to that until... until the new generation of viruses came, those called polymorphic viruses. These viruses use another approach to invisibility: they encrypt themselves (in most cases), and to decrypt themselves later they use commands which may or may not be repeated in different infected files.
Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person. Unlike a cell, a virus has no way to reproduce by itself. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the new virus particles bud off the cell one at a time, and the cell remains alive. A computer virus shares some of these traits. A computer virus must piggyback on top of some other program or document in order to launch. Once it is running, it can infect other programs or documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks.

People write computer viruses. A person has to write the code, test it to make sure it spreads properly and then release it. A person also designs the virus's attack phase, whether it's a silly message or the destruction of a hard disk. Why do they do it? There are at least three reasons. The first is the same psychology that drives vandals and arsonists. Why would someone want to break a window on someone's car, paint signs on buildings or burn down a beautiful forest? For some people, that seems to be a thrill. If that sort of person knows computer programming, then he or she may funnel energy into the creation of destructive viruses. The second reason has to do with the thrill of watching things blow up. Some people have a fascination with things like explosions and car wrecks. When you were growing up, there might have been a kid in your neighborhood who learned how to make gunpowder. And that kid probably built bigger and bigger bombs until he either got bored or did some serious damage to himself. Creating a virus is a little like that: it creates a bomb inside a computer, and the more computers that get infected the more "fun" the explosion. The third reason involves bragging rights, or the thrill of doing it. Sort of like Mount Everest: the mountain is there, so someone is compelled to climb it. If you are a certain type of programmer who sees a security hole that could be exploited, you might simply be compelled to exploit the hole yourself before someone else beats you to it.

Of course, most virus creators seem to miss the point that they cause real damage to real people with their creations. Destroying everything on a person's hard disk is real damage. Forcing a large company to waste thousands of hours cleaning up after a virus is real damage. Even a silly message is real damage because someone has to waste time getting rid of it. For this reason, the legal system is getting much harsher in punishing the people who create viruses.
2. Types of Computer Viruses
Viruses can be classified using multiple criteria: origin, techniques, types of files they infect, where they hide, the kind of damage they cause, the type of operating system or platform they attack etc. A single virus, if it is particularly complex, may come under several different categories. And as new viruses emerge, it may sometimes be necessary to redefine categories or, very occasionally, create new categories. The following are the most common types of viruses:
2.1. Resident Viruses
This type of virus hides permanently in RAM. From there it can control and intercept all of the operations carried out by the system: corrupting files and programs that are opened, closed, copied, renamed etc. Resident viruses can be treated as file infector viruses. When a virus goes memory resident, it will remain there until the computer is switched off or restarted (waiting for certain triggers to activate it, such as a specific date and time). In the meantime it sits and waits in hiding, unless of course an antivirus can locate and eliminate it. Examples include: Randex, CMJ, Meve, and MrKlunky.
2.2. Multipartite Viruses
These advanced viruses can create multiple infections using several techniques. Their objective is to attack any element that can be infected: files, programs, macros, disks, etc. They are considered fairly dangerous due to their capacity to combine different infection techniques. Some examples include: Ywinz.
2.3. Direct Action Viruses
The principal aim of these viruses is to replicate and take action when they are run. When a specific condition is met, the virus will go into action and infect files in the directory or folder that it is in and in the directories listed in the PATH set by the AUTOEXEC.BAT file. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted. Files infected with this type of virus can be disinfected and completely restored to their original condition.
2.4. File Infectors
As one of the most popular types of viruses (with the black hats, anyway), a file-infector virus arrives embedded in or attached to a computer program file, typically one with an .EXE or .COM extension. When the program runs, the virus instructions are activated along with the original program. The virus carries out the instructions in its code: it could delete or damage files on your computer, attempt to implant itself within other program files on your computer, or do anything else that its creator dreamed up while in a nasty mood. The presence of a file-infector virus can be detected in two major ways:
• The size of a file may have suspiciously increased. If a program file is too big for its britches, a virus may account for the extra size. At this point, you need to know two things:
  o What size the file(s) should be when fresh from the software maker. You have all of this information written down somewhere, right? (I'm only kidding; I know a lot of "propeller heads" but no one who is that cautious.)
  o Whether the virus is a cavity seeker, a treacherous type that hides itself in the unused space in a computer program, so that the file size does not change at all. Clever. Of course, your antivirus program will only know to look for a cavity seeker if...
• The signature of a known virus turns up in an antivirus scan. The signature, a known, characteristic pattern that "fingerprints" a particular virus, is a dead giveaway that a virus is embedded within a program file, provided your antivirus software knows what to look for.
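The two checks just described, size drift against a recorded baseline and a signature match, as an added example that is not part of the original text. The program images, the virus body and the signature bytes are all constructed for the demonstration, and the "infection" only edits byte strings in memory; the cavity case shows why a size check alone is not enough:

```python
# Added example (not from the original text): the two file-infector checks
# described above, a size/hash baseline and a signature scan, run over
# constructed in-memory "program files". File contents, the virus body and the
# signature are made up for the demonstration.
import hashlib

# Constructed clean program images standing in for .EXE files on disk.
CLEAN_FILES = {
    "EDIT.EXE": b"MZ" + b"\x90" * 200 + b"original editor code",
    "CALC.EXE": b"MZ" + b"\x90" * 120 + b"original calculator code",
}

# Hypothetical signature: a byte pattern characteristic of one virus family.
SIGNATURES = {"Demo.Appender": b"\xeb\x1f\x90DEMO-VIRUS-BODY"}


def make_baseline(files):
    """Record size and SHA-256 of every program while the system is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def check_integrity(files, baseline):
    """Names whose size or hash no longer match the baseline.

    A cavity infector keeps the size unchanged, so size alone is not enough;
    the hash catches it. Files missing from the baseline are reported too."""
    changed = []
    for name, data in files.items():
        size, digest = baseline.get(name, (None, None))
        if size != len(data) or digest != hashlib.sha256(data).hexdigest():
            changed.append(name)
    return changed


def scan_signatures(files, signatures):
    """{filename: virus name} for every file containing a known signature."""
    hits = {}
    for name, data in files.items():
        for virus, sig in signatures.items():
            if sig in data:
                hits[name] = virus
    return hits


def simulate_infection(files):
    """Constructed infections: append the body to EDIT.EXE (size grows) and
    write it into CALC.EXE's run of NOPs as a cavity seeker would (size unchanged)."""
    body = SIGNATURES["Demo.Appender"]
    infected = dict(files)
    infected["EDIT.EXE"] = files["EDIT.EXE"] + body
    calc = bytearray(files["CALC.EXE"])
    calc[2:2 + len(body)] = body       # overwrites part of the 0x90 padding
    infected["CALC.EXE"] = bytes(calc)
    return infected


if __name__ == "__main__":
    baseline = make_baseline(CLEAN_FILES)
    after = simulate_infection(CLEAN_FILES)
    print("changed:", check_integrity(after, baseline))
    print("signature hits:", scan_signatures(after, SIGNATURES))
```

The baseline only helps if it was taken on a clean system and stored where the virus cannot rewrite it; the signature scan only helps for viruses whose pattern is already known, which is the trade-off the two bullets above describe.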
2.5. Overwrite Viruses
This type of virus is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. Infected files do not change size, unless the virus occupies more space than the original file, because instead of hiding within a file, the virus replaces the file's content. The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content; the program can only be recovered from a clean copy or backup. Some examples of overwrite viruses include: Way, Trj.Reboot, Trivial.88.D.
2.6. Companion Viruses
Companion viruses can be considered file infector viruses like resident or direct action types. They are known as companion viruses because once they get into the system they "accompany" the files that already exist: rather than modifying a host, the virus creates a new file that gets run in the host's place (for example, a .COM file with the same base name as an existing .EXE, since DOS runs the .COM first when given the bare program name). In other words, in order to carry out their infection routines, companion viruses can wait in memory until a program is run (resident viruses) or act immediately by making copies of themselves (direct action viruses). Some examples include: Stator, Asimov.1539, and Terrax.1069.
2.7. Boot Viruses
While less prevalent today, boot-sector viruses were once the mainstay of computer viruses. A boot-sector virus occupies the portion (sector) of a floppy disk or hard drive that the computer first consults when it boots up. The boot sector provides instructions that tell the computer how to start up; the virus tells the computer (in effect), "While you're at it, load me too, before you do anything else." Here's the especially devious part: the virus writer knows that after the computer is started, the boot sector isn't used. It's pretty much ignored; the standard tools used to examine a floppy disk or hard drive won't even look in the boot sector. Unless antivirus software is used, it's difficult to detect a boot-sector virus. That's partly because the virus doesn't occupy free space, change the amount of free space available, or change the size of any file on the floppy disk or hard drive. It's pretending to be boot instructions. The only traces of its presence may be (relatively subtle) effects such as excessive hard-drive activity or slowed processing. Some examples of boot viruses include: Polyboot.B, AntiEXE.
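Since ordinary file tools never look at the boot sector, the practical check is to read it directly, validate it, and compare its boot code with a hash taken on a clean system. The following is an added example, not code from the original text: it parses a 512-byte master boot record layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and the disk image is constructed in memory rather than read from a real drive.

```python
# Added example (not from the original text): parse a 512-byte master boot
# record and compare its boot-code region against a known-good hash, which is
# the check the paragraph above says ordinary file tools never make. The disk
# image is constructed in memory; no real disk is read.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446                 # bytes 0..445 hold the boot code
PART_ENTRY = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510..511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable FAT16 partition, signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0f", 63, 65536)
    table = entry + b"\x00" * 48      # three empty entries
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate length and 0x55AA signature, return partitions and boot-code hash."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def boot_code_changed(sector: bytes, known_good_sha256: str) -> bool:
    """True when the boot code differs from the hash recorded on a clean system.
    The partition table is deliberately left out of the comparison: a boot
    virus normally keeps it intact so the disk still boots and nothing looks wrong."""
    return parse_mbr(sector)["boot_code_sha256"] != known_good_sha256


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"original loader")
    good = parse_mbr(clean)["boot_code_sha256"]
    tampered = build_sample_mbr(b"\xeb\x3c\x90" + b"constructed boot virus stub")
    print("partitions:", parse_mbr(tampered)["partitions"])
    print("boot code changed:", boot_code_changed(tampered, good))
```

On a live system the sector would come from the raw device (for example the first 512 bytes of the disk device node) rather than from build_sample_mbr; the comparison logic is the same.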
2.8. FAT Viruses
The file allocation table or FAT is the part of a disk that records which clusters belong to each file and which are free, and it is a vital part of the normal functioning of the computer. This type of virus attack can be especially dangerous, by preventing access to certain sections of the disk where important files are stored. Damage caused can result in information losses from individual files or even entire directories.
2.9. Macro Viruses
Macro viruses infect files that are created using certain applications or programs that contain macros. These include Word documents (DOC extensions), Excel spreadsheets (XLS extensions), PowerPoint presentations (PPS extensions), Access databases (MDB extensions), Corel Draw etc. A macro is a small program that a user can associate with a file created using certain applications. These mini-programs make it possible to automate series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one. When a document containing macros is opened, they will automatically be loaded and may be executed immediately or when the user decides to do so. The virus will then take effect by carrying out the actions it has been programmed to do, often regardless of the program's built-in macro virus protection. There is not just one type of macro virus, but one for each tool: Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Access, Corel Draw, Lotus Ami Pro, etc. Some examples of macro viruses: Relax, Melissa.A, Bablas, and O97M/Y2K.
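Because a macro virus travels inside the document, the check a practitioner wants is whether a file can carry macros at all, judged from its contents rather than its extension. The following is an added example, not code from the original text. It builds minimal Office Open XML (.docx/.docm style) containers in memory and inspects them; the part names it looks for, word/vbaProject.bin and the macroEnabled content type in [Content_Types].xml, are the real ones, but the documents themselves are constructed and not real files, and legacy binary .doc/.xls files are only flagged, not parsed.

```python
# Added example (not part of the original text): check whether an Office
# document can carry VBA macros by looking inside the container, not at the
# file extension. The ZIP containers are constructed in memory; the part
# names are the real OOXML ones, but the documents are not real files.
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of legacy .doc/.xls/.ppt (OLE2) files
MACRO_ENABLED_MARKER = b"macroEnabled"           # appears in the content type of .docm/.xlsm/.pptm parts


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package, with or without a VBA project part."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # a real vbaProject.bin is itself an OLE2 container holding the VBA streams
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def inspect_macros(blob: bytes) -> dict:
    """Evidence of macros in an Office file, whatever its name says."""
    result = {"vba_parts": [], "macro_enabled_content_type": False, "legacy_ole": False}
    if blob.startswith(OLE_MAGIC):
        # Binary .doc/.xls: macros live in OLE streams (Word's "Macros" storage,
        # Excel's "_VBA_PROJECT_CUR"); reading those needs an OLE parser such as
        # olefile/oletools, so this example only flags the format for deeper inspection.
        result["legacy_ole"] = True
        return result
    try:
        z = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return result
    names = z.namelist()
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if "[Content_Types].xml" in names:
        result["macro_enabled_content_type"] = MACRO_ENABLED_MARKER in z.read("[Content_Types].xml")
    return result


def has_macros(blob: bytes) -> bool:
    """True when a VBA project part or a macro-enabled content type is present."""
    ev = inspect_macros(blob)
    return bool(ev["vba_parts"]) or ev["macro_enabled_content_type"]


if __name__ == "__main__":
    print("macro-enabled sample:", inspect_macros(build_sample_docx(True)))
    print("plain sample:", inspect_macros(build_sample_docx(False)))
```

A mail gateway or upload handler would run inspect_macros on the bytes received and quarantine anything with a VBA part, whatever the attachment is called; the "built-in macro virus protection" mentioned above is a prompt at open time, which is too late for a user who clicks through it.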
2.10. Worms
A worm is a different kind of malicious program: once activated, it takes action by itself; it requires no human intervention to spread. A worm contains all the means necessary to spread from computer to computer with amazing, terrifying speed. In 2001, for example, the Code Red worm infected over 350,000 servers on the Internet in less than 14 hours. In 2003, the Sapphire/SQL Slammer worm spread worldwide in only 10 minutes, infecting at least 75,000 systems in that time. In 2002, a university researcher described a hypothetical "Flash Worm" which could, if engineered properly, spread to hundreds of thousands of servers in just a minute or two. We can hope that one stays hypothetical. But I wouldn't bet on it. Worms are among the most feared phenomena in large organizations, because they can start without warning and spread so quickly. They can bring a large organization to its knees in less time than even the most adept organization can realize that something is amiss. Some examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, and Mapson.
2.11. Directory Viruses
An operating system finds files by looking up the path (composed of the disk drive and directory) in which each file is stored. Directory viruses change the paths that indicate the location of a file. By executing a program (a file with the extension .EXE or .COM) which has been infected by such a virus, you are unwittingly running the virus program, while the original file and program have previously been moved by the virus. Once infected, it becomes impossible to locate the original files.
2.12. Trojans
Another unsavory breed of malicious code is the Trojan or Trojan horse, which unlike viruses does not reproduce by infecting other files, nor does it self-replicate like a worm. Trojans work in a similar way to their mythological namesake, the famous wooden horse that hid Greek soldiers so that they could enter the city of Troy undetected. They appear to be harmless programs that enter a computer through any channel. When that program is executed (they have names or characteristics which trick the user into doing so), they install other programs on the computer that can be harmful. A Trojan may not activate its effects at first, but when it does, it can wreak havoc on your system. Trojans have the capacity to delete files, destroy information on your hard drive and open up a backdoor to your system. This gives them complete access to your system, allowing an outside user to copy and resend confidential information. Some examples of Trojans are: IRC.Sx2, Trifor.
2.13. Encrypted Viruses
Encryption is a technique used by viruses so that they cannot be detected by antivirus programs. The virus encodes or encrypts its body so that it is hidden from signature scans; before performing its task it decrypts itself, and once it has unleashed its payload it goes back into hiding. The small decryption routine itself must stay in plain form so that it can run, and that routine is what a scanner can still match. Examples of encrypted viruses include: Elvira, Trile.
2.14. Logic Bombs
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as the salary database), should they ever leave the company. Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day. Trojans that activate on certain dates are often called "time bombs". To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.
2.15. Polymorphic Viruses
In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence. Most anti-virus software and intrusion detection systems attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to locate the offending code as it constantly mutates. Encryption is the most commonly used method of achieving polymorphism in code: the virus body is stored encrypted and so varies with the key, while a small decryptor restores it at run time. Since the decryptor itself must be in plain form, a scanner can either match a signature for the decryptor or run the sample in an emulator until it has decrypted itself and then scan the result. Malicious programmers have sought to protect their polymorphic code from these virus-scanning strategies by rewriting the unencrypted decryption engine each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in hopes of reliably detecting such malware. The first known polymorphic virus was written by Mark Washburn. The virus, called 1260, was written in 1990. A more well-known polymorphic virus was invented in 1992 by the Bulgarian cracker Dark Avenger (a pseudonym) as a means of avoiding pattern recognition from antivirus software.
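The difference between an encrypted virus (section 2.13) and a polymorphic one, and why emulation is the scanner's answer to both, as an added example that is not part of the original text. The "virus" here is an inert byte string interpreted by a tiny decryptor machine written only for this demonstration; its instruction set, the payload text and the signature are invented, and nothing executes as native code.

```python
# Added example (not from the original text): a toy polymorphic engine and the
# three scanner strategies discussed above. The "virus" is an inert byte
# string run by a tiny interpreter written for this example; the instruction
# set, the payload and the signature are invented for the demonstration.
import random
import re

PAYLOAD = b"DEMO-VIRUS-BODY: the constant code the virus wants to hide"
SIGNATURE = b"DEMO-VIRUS-BODY"      # what a plain signature scanner looks for

# Toy decryptor instruction set: one opcode byte, some with one operand byte.
SET_KEY, ADD_KEY, SUB_KEY, NOP, JUNK, END = 0x01, 0x02, 0x03, 0x90, 0x77, 0xFF


def encrypted_sample(key: int) -> bytes:
    """Encrypted but NOT polymorphic: the decryptor is always SET_KEY k END."""
    return bytes([SET_KEY, key, END]) + bytes(b ^ key for b in PAYLOAD)


def polymorphic_sample(rng: random.Random) -> bytes:
    """Random key, and a decryptor assembled from equivalent instruction
    sequences plus do-nothing junk, so two samples need not share any bytes."""
    key = rng.randrange(1, 256)
    stub = bytearray()
    variant = rng.randrange(3)                      # three ways to load the same key
    if variant == 0:
        stub += bytes([SET_KEY, key])
    elif variant == 1:
        delta = rng.randrange(1, 256)
        stub += bytes([SET_KEY, (key - delta) & 0xFF, ADD_KEY, delta])
    else:
        delta = rng.randrange(1, 256)
        stub += bytes([SET_KEY, (key + delta) & 0xFF, SUB_KEY, delta])
    for _ in range(rng.randrange(0, 4)):           # junk that changes nothing
        stub += bytes([NOP]) if rng.random() < 0.5 else bytes([JUNK, rng.randrange(256)])
    stub.append(END)
    return bytes(stub) + bytes(b ^ key for b in PAYLOAD)


def emulate(sample: bytes) -> bytes:
    """Interpret the decryptor stub and return the decrypted body (what an
    anti-virus emulator does before scanning)."""
    key, pc = 0, 0
    while pc < len(sample):
        op = sample[pc]
        if op == SET_KEY:
            key, pc = sample[pc + 1], pc + 2
        elif op == ADD_KEY:
            key, pc = (key + sample[pc + 1]) & 0xFF, pc + 2
        elif op == SUB_KEY:
            key, pc = (key - sample[pc + 1]) & 0xFF, pc + 2
        elif op == NOP:
            pc += 1
        elif op == JUNK:
            pc += 2
        elif op == END:
            return bytes(b ^ key for b in sample[pc + 1:])
        else:
            raise ValueError(f"unknown opcode {op:#04x} at offset {pc}")
    raise ValueError("decryptor never reached END")


def body_signature_scan(sample: bytes) -> bool:
    """Static scan of the bytes on disk: defeated by any encryption."""
    return SIGNATURE in sample


def decryptor_signature_scan(sample: bytes) -> bool:
    """Wildcard signature 01 ?? FF for the fixed decryptor of encrypted_sample:
    catches the encrypted-only virus, misses most polymorphic mutations."""
    return re.match(rb"\x01.\xff", sample, re.DOTALL) is not None


def emulating_scan(sample: bytes) -> bool:
    """Let the sample decrypt itself in the emulator, then scan the result."""
    return SIGNATURE in emulate(sample)


if __name__ == "__main__":
    rng = random.Random(7)
    for s in [encrypted_sample(0x5A)] + [polymorphic_sample(rng) for _ in range(3)]:
        print(s[:8].hex(), body_signature_scan(s), decryptor_signature_scan(s), emulating_scan(s))
```

The emulating scan costs CPU time per file and has to decide how long to run before giving up, which is the trade-off real engines manage with instruction budgets; the point of the example is that once the body is recovered, the ordinary signature works again.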
2.16. False Viruses
These messages are often confused with viruses but are something else entirely. It is important to know the difference between a real virus threat and a false virus. Hoaxes are not viruses; they are false messages sent by e-mail, warning users of a nonexistent virus. The intention is to spread rumors causing panic and alarm among users who receive this kind of information. Occasionally, hoax warnings include technical terms to mislead users. On other occasions, the names of press agencies are mentioned in the heading of the warnings. In this way, the hoax author attempts to trick users into believing that they have received a warning about a real virus. Hoaxes try to fool the user into performing a series of actions to protect themselves from the virus, sometimes leading to negative results. Users are advised not to pay attention to these misleading warnings and to delete these messages once received without sending them to others.
3. Infection Strategies
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus' code may be executed first. Viruses can be divided into two types, on the basis of their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can be called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer. Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach does not seem very successful, however.
4. Vectors and hosts
Viruses have targeted various types of transmission media or hosts:
• Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms)
• Application-specific script files (such as Telix scripts)
• Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
• Cross-site scripting vulnerabilities in web applications
• Arbitrary computer files. An exploitable buffer overflow, format string, race condition or other exploitable bug in a program which reads the file could be used to trigger the execution of code hidden within it. Most bugs of this type can be made more difficult to exploit in computer architectures with protection features such as an execute disable bit and/or address space layout randomization.
PDFs, like HTML, may link to malicious code. In operating systems that use file extensions to determine program associations (such as Microsoft Windows), the extensions may be hidden from the user by default. This makes it possible to create a file that is of a different type than it appears to the user. For example, an executable may be created named "picture.png.exe", in which the user sees only "picture.png" and therefore assumes that this file is an image and most likely is safe.
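What the user sees under hidden extensions, and a check that flags names built to exploit it, as an added example that is not part of the original text. The "picture.png.exe" case is the one from the paragraph above; the whitespace-padding and right-to-left-override cases go beyond the text and are included because they defeat the same look-at-the-name judgement. The extension lists are this example's own choices, not a definitive set:

```python
# Added example (not part of the original text): what a user sees when the
# operating system hides known extensions, and a check that flags names built
# to exploit that. Extension lists are assumptions chosen for the demo.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "jse",
                   "wsf", "hta", "msi", "ps1", "lnk"}
HARMLESS_LOOKING_EXTS = {"png", "jpg", "jpeg", "gif", "bmp", "pdf", "txt",
                         "doc", "docx", "xls", "mp3", "mp4", "zip"}
BIDI_OVERRIDES = {"\u202d", "\u202e"}     # LRO / RLO: reorder how the name is displayed


def as_displayed(name: str) -> str:
    """Name as shown with 'Hide extensions for known file types' on: the last
    extension is dropped, so 'picture.png.exe' appears as 'picture.png'."""
    base, dot, ext = name.rpartition(".")
    known = EXECUTABLE_EXTS | HARMLESS_LOOKING_EXTS
    return base if dot and ext.strip().lower() in known else name


def deceptive_name_reasons(name: str) -> list:
    """Reasons (possibly none) why this file name is designed to mislead."""
    reasons = []
    if any(ch in name for ch in BIDI_OVERRIDES):
        reasons.append("bidirectional override character reorders the displayed name")
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons
    real_ext = parts[-1].strip()
    if real_ext not in EXECUTABLE_EXTS:
        return reasons                      # a plain document or image: nothing to hide
    apparent_ext = parts[-2].strip() if len(parts) >= 3 else ""
    if apparent_ext in HARMLESS_LOOKING_EXTS:
        reasons.append(f"displays as .{apparent_ext} but really is executable .{real_ext}")
    if len(parts) >= 3 and parts[-2] != parts[-2].rstrip():
        reasons.append("whitespace padding pushes the real extension out of view")
    return reasons


if __name__ == "__main__":
    for n in ["picture.png.exe", "invoice.pdf" + " " * 40 + ".exe",
              "photo\u202egnp.exe", "setup.exe", "report.pdf"]:
        print(repr(as_displayed(n)), deceptive_name_reasons(n))
```

A plain "setup.exe" is deliberately not flagged: the check is for names that pretend to be something else, not for executables as such. The name "photo\u202egnp.exe" renders as "photoexe.png" in a display that honours the override character, which is why the override itself is treated as a reason.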
4.1. Cross-Site Scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting vulnerabilities on websites accounted for roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the end-user, who may be subject to unauthorized access, theft of sensitive data, and financial loss.
4.1.1. Types of XSS
• Non-Persistent
The non-persistent or Type 1 cross-site scripting hole is also referred to as a reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this allows client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If any occurrence of the search terms is not HTML entity encoded, an XSS hole will result. At first blush, this does not appear to be a serious problem since users can only inject code into their own pages. However, with a small amount of social engineering, an attacker could convince a user to follow a malicious URL which injects code into the results page, giving the attacker full access to that page's content. Due to the general requirement of some social engineering in this case (and normally in Type 0 vulnerabilities as well), many programmers have disregarded these holes as not terribly important. This misconception is sometimes applied to XSS holes in general (even though this is only one type of XSS), and there is often disagreement in the security community as to the importance of cross-site scripting vulnerabilities.
Non-persistent XSS vulnerabilities in Google could allow its members to be impersonated when payloads used UTF-7 encoding.
• Persistent
The persistent or Type 2 XSS vulnerability is also referred to as a stored or second-order vulnerability, and it allows the most powerful kinds of attacks. A Type 2 XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, file system, or other location), and later displayed to users in a web page without being encoded using HTML entities. A classic example of this is with online message boards, where users are allowed to post HTML-formatted messages for other users to read. Persistent XSS can be more significant than other types because an attacker's malicious script is rendered more than once. Potentially, such an attack could affect a large number of users with little need for social engineering, and the application could be infected by a cross-site scripting virus or worm. The methods of injection can vary a great deal, and an attacker may not need to use the web application itself to exploit such a hole. Any data received by the web application (via email, system logs, etc.) that can be controlled by an attacker must be encoded prior to re-display in a dynamic page, else an XSS vulnerability of this type could result.
A persistent cross-zone scripting vulnerability and computer worm allowed execution of arbitrary code and listing of file system contents via a QuickTime movie on MySpace.
4.1.2.Mitigation
Avoiding XSS requires action on the part of the user. Defense against XSS also falls to content and web application developers, and to browser vendors. Users can usually disable scripting, several best practices exist for content developers, web applications can be tested and reviewed before release, and some browsers today implement a few access-control policies.
• Early policies
control according to their preferences. For example, digital signatures might identify scripts and their source to the user or user agent before a script can load. • Escaping and filtering
One way to eliminate some XSS vulnerabilities is to encode locally or at the server all user-supplied HTML special characters into character entities, thereby preventing them from being interpreted as HTML. Unfortunately, users of many kinds of web applications (commonly forums and webmail) wish to use some of the features HTML provides. Some web applications such as social networking sites like MySpace and mainstream forum and blog software like WordPress and Movable Type attempt to identify malicious HTML constructs, and neutralize them, either by removing or encoding them. But due to the flexibility and complexity of HTML and related standards, and the continuous addition of new features, it is almost impossible to know for sure if all possible injections are eliminated. Capabilities differ greatly among filtering systems and as of 2007 in Google's case were being written in house. In order to eliminate certain injections, any server-side algorithm must reject broken HTML, understand how every browser will interpret broken HTML, or (preferably) fix the HTML to be well-formed using techniques akin to those of HTML Tidy. • Input validation
Input validation for all potentially malicious data sources is another way to mitigate XSS. This is a common theme in application development (even outside of web development) and is generally very useful. For instance, if a form accepts some field, which is supposed to contain a phone number, a server-side routine could remove all characters other than digits, parentheses, and dashes, such that the result cannot contain a script. Input validation may help to mitigate other injection attacks such as SQL injection as well. While effective for most types of input, there are times when an application, by design, must be able to accept special HTML characters, such as '<' and '>'. In these situations, HTML entity encoding is the only option.
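As an added example, not code from the original text, here is a small Python sketch of the two controls just described: HTML entity encoding of a reflected search string (the site-search case above) and allow-list validation of a phone-number field. The query string and the page template are constructed for the demonstration.

```python
import html
import re

# Constructed sample input for this example: a search string carrying markup.
SAMPLE_QUERY = 'shoes <script>alert(1)</script>'


def escape_html(s: str) -> str:
    """Encode the HTML special characters as entities so the browser treats the
    data as text, never as markup or as an attribute delimiter.
    '&' must be handled first, otherwise the entities produced later get doubled."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;")
             .replace("'", "&#x27;"))


def matches_stdlib(s: str) -> bool:
    """Sanity check: our encoder agrees with the standard library's html.escape."""
    return escape_html(s) == html.escape(s, quote=True)


def render_search_unsafe(query: str) -> str:
    """Reflected (Type 1) XSS: the search string is echoed verbatim into both an
    element body and a quoted attribute value (the 'text box for easier editing')."""
    return f'<p>Results for: {query}</p><input name="q" value="{query}">'


def render_search_safe(query: str) -> str:
    """Same page, with every reflected occurrence entity-encoded."""
    q = escape_html(query)
    return f'<p>Results for: {q}</p><input name="q" value="{q}">'


# Allow-list for a phone-number field: digits, parentheses and dashes only.
_PHONE_DISALLOWED = re.compile(r"[^0-9()\-]")


def sanitize_phone(raw: str) -> str:
    """Input validation: strip everything outside the allow-list, so the stored
    value cannot contain a tag no matter what the client sent."""
    return _PHONE_DISALLOWED.sub("", raw)


def reflects_raw_tag(output: str, query: str) -> bool:
    """Does the rendered page still contain the query's raw '<...>' markup?"""
    return any(tag in output for tag in re.findall(r"<[^>]+>", query))
```

When the field must legitimately carry '<' and '>', only the encoding path applies; the allow-list path is for fields whose format excludes markup entirely.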
Besides content filtering, other methods for XSS mitigation are also commonly used. One example is that of cookie security. Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal these cookies. To mitigate this particular threat (though not the XSS problem in general), many web applications tie session cookies to the IP address of the user who originally logged in, and only permit that IP to use that cookie. This is effective in most situations (if an attacker is only after the cookie), but obviously breaks down in situations where an attacker is behind the same NATed IP address or web proxy. IE (since version 6) and Firefox (since version 2.0.0.5) have an HttpOnly flag which allows a web server to set a cookie that is unavailable to client-side scripts; while beneficial, the feature does not prevent cookie theft, nor can it prevent attacks within the browser.
• Eliminating scripts
The most significant problem with blocking all scripts on all websites by default is a substantial reduction in functionality and responsiveness (client-side scripting can be much faster than server-side scripting because it does not need to connect to a remote server and the page or frame does not need to be reloaded). Another problem with script blocking is that many users do not understand it, and do not know how to properly secure their browsers. Another drawback is that many sites do not work without client-side scripting, forcing users to disable protection for that site and opening their systems to the threat.
4.1.3.Related vulnerabilities
Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits "zone" concepts in software and usually executes code with a greater privilege. HTTP header injection can be used to create cross-site scripting conditions in addition to allowing attacks such as HTTP response splitting. Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker exploits the site's trust in the client software, submitting requests that the site believes come from its own authenticated users. SQL injection exploits a vulnerability in the database layer of an application: when user input is incorrectly filtered, arbitrary SQL statements can be executed by the application. Content spoofing is a similar attack where markup language is injected without script, with the intention of presenting unintended content as native to the site instead of running malicious code in a victim's browser.
5. Virus Methods to avoid detection
In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however, especially those products which maintain and date cyclic redundancy checks on file changes.
Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file. Some viruses try to avoid detection by killing the tasks associated with anti-virus software before it can detect them. As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.
5.1.Avoiding bait files and other undesirable hosts
A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:
• Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file than to exchange a large application program that has been infected by the virus.
• Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
• Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.
Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'. A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.
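The two detection ideas in this section, an integrity check that a preserved "last modified" date cannot fool and a monitored bait (goat) file, as an added Python example that is not from the original text. The files, the in-place overwrite of unused slack and the timestamp restoration are all constructed in a temporary directory for the demonstration; SHA-256 stands in for the older CRC.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Fingerprint:
    size: int
    mtime_ns: int
    digest: str  # SHA-256 here; the text's older checkers used a CRC


def fingerprint(path: str) -> Fingerprint:
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Fingerprint(st.st_size, st.st_mtime_ns, h.hexdigest())


def baseline(paths: Iterable[str]) -> Dict[str, Fingerprint]:
    """Record a trusted snapshot, ideally taken from a known-clean system."""
    return {p: fingerprint(p) for p in paths}


def check(base: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Re-fingerprint every file and report which attributes differ from the baseline.
    A metadata-only checker (size + mtime) is what the date-preserving trick defeats;
    the content digest is what catches it."""
    findings: Dict[str, List[str]] = {}
    for path, old in base.items():
        new = fingerprint(path)
        reasons = [name for name, changed in (
            ("size", new.size != old.size),
            ("mtime", new.mtime_ns != old.mtime_ns),
            ("content", new.digest != old.digest),
        ) if changed]
        if reasons:
            findings[path] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a goat file is overwritten inside its zero-filled slack
    (size unchanged) and its timestamps are put back, as the text describes."""
    d = tempfile.mkdtemp()
    goat = os.path.join(d, "goat.bin")
    other = os.path.join(d, "readme.txt")
    with open(goat, "wb") as f:
        f.write(b"MZ" + b"\x90" * 30 + b"\x00" * 64)  # header-like bytes plus slack
    with open(other, "wb") as f:
        f.write(b"untouched control file\n")
    base = baseline([goat, other])

    before = os.stat(goat)
    with open(goat, "r+b") as f:
        f.seek(40)
        f.write(b"X" * 16)  # in-place write into the slack: size stays the same
    os.utime(goat, ns=(before.st_atime_ns, before.st_mtime_ns))  # restore dates

    return {os.path.basename(p): r for p, r in check(base).items()}
```

Only the content digest flags the goat file; size and mtime look untouched, which is exactly the gap the date-preserving trick relies on.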
Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.
Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
5.4.Encryption with a variable key
A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but that probably isn't required, since self-modifying code is such a rarity that it may be reason enough for virus scanners to at least flag the file as suspicious. An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation only has to be repeated for decryption. Code that modifies itself is suspicious in its own right, so the code that does the encryption/decryption may be part of the signature in many virus definitions.
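An added Python example (not from the original text) of the indirect detection just described: the cleartext body signature no longer matches, but the unchanging decryptor stub does, and with a single-byte XOR the key can be recovered by trying all 256 values. The stub, the body marker and the host bytes are constructed placeholders, not real code.

```python
from typing import Optional

# Constructed placeholders for this example: a marker standing in for the virus
# body's signature, and the bytes of the decryptor that stay constant per infection.
BODY_SIGNATURE = b"BODY-MARKER-SIGNATURE"
DECRYPTOR_STUB = b"CONSTANT-DECRYPTOR-STUB"
HOST_PREFIX = b"ORIGINAL-HOST-BYTES..."


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """Constructed 'infected' blob: host bytes, then the constant stub, then the
    body enciphered with a per-file key (key 0 leaves it in cleartext)."""
    return HOST_PREFIX + DECRYPTOR_STUB + xor_bytes(BODY_SIGNATURE + b"...tail", key)


def plain_signature_scan(blob: bytes) -> bool:
    """A signature scanner that only knows the cleartext body pattern."""
    return BODY_SIGNATURE in blob


def stub_and_key_scan(blob: bytes) -> Optional[int]:
    """Indirect detection: match the constant stub, then brute-force the XOR key
    on the bytes after it. Returns the recovered key, or None when nothing matches."""
    idx = blob.find(DECRYPTOR_STUB)
    if idx < 0:
        return None
    enciphered = blob[idx + len(DECRYPTOR_STUB):]
    for key in range(256):
        if BODY_SIGNATURE in xor_bytes(enciphered, key):
            return key
    return None
```

The stub match alone is already a reason to flag the file; recovering the key only confirms which family the enciphered body belongs to.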
Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Anti-virus software can detect it by decrypting the virus using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate. Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.
To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of which is part of the metamorphic engine.
6. Vulnerability and countermeasures
In computer security, the term vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from weak passwords, software bugs, a computer virus or other malware, a script code injection, or a SQL injection. A security risk is classified as a vulnerability if it is recognized as a possible means of attack. A security risk with one or more known instances of working and fully implemented attacks is classified as an exploit.
Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.
6.1.1.Causes of Vulnerability
Password Management Flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
Fundamental Operating System Design Flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as "default permit" grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
Software Bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application through (for
• Unchecked User Input – The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as buffer overflows, SQL injection or other non-validated inputs).
6.1.2.Identifying and removing vulnerabilities
Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system. Vulnerabilities have been found in every major operating system including Windows, Mac OS, various forms of UNIX and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).
6.2.The vulnerability of operating systems to viruses
Just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses. This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office suites. The users of Microsoft software (especially networking software such as Microsoft Outlook and Internet Explorer) are especially vulnerable to the spread of viruses. Microsoft software is targeted by virus writers due to its desktop dominance, and is often criticized for including many errors and holes for virus writers to exploit. Integrated and non-integrated Microsoft applications (such as Microsoft Office) and applications with scripting languages with access to the file system (for example Visual Basic Script (VBS), and applications with networking features) are also particularly vulnerable. Although Windows is by far the most popular operating system for virus writers, some viruses also exist on other platforms. Any operating system that allows third-party programs to run can theoretically run viruses. Some operating systems are less secure than others. Unix-based OSes (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their own protected memory space. Internet-based research revealed that there were cases in which people willingly pressed a particular button to download a virus. Security analyst Didier Stevens ran a half-year advertising campaign on Google AdWords which said "Is your PC virus-free? Get it infected here!" The result was 409 clicks.
As of 2006, there are relatively few security exploits targeting Mac OS X (with a Unix-based file system and kernel). The number of viruses for the older Apple operating systems, known as Mac OS Classic, varies greatly from source to source, with Apple stating that there are only four known viruses, and independent sources stating there are as many as 63 viruses. It is safe to say that Macs are less likely to be targeted because of their low market share, and thus a Mac-specific virus could only infect a small proportion of computers (making the effort less desirable). Virus vulnerability between Macs and Windows is a chief selling point, one that Apple uses in their Get Mac advertising. Windows and UNIX have similar scripting abilities, but while UNIX natively blocks normal users from having access to make changes to the operating system environment, older copies of Windows such as Windows 95 and 98 do not. In 1997, when a virus for Linux was released – known as "Bliss" – leading antivirus vendors issued warnings that Unix-like systems could fall prey to viruses just like Windows. The Bliss virus may be considered characteristic of viruses – as opposed to worms – on UNIX systems. Bliss requires that the user run it explicitly (so it is a Trojan), and it can only infect programs that the user has access to modify. Unlike Windows users, most UNIX users do not log in as an administrator user except to install or configure software; as a result, even if a user ran the virus, it could not harm their operating system. The Bliss virus never became widespread, and remains chiefly a research curiosity. Its creator later posted the source code to Usenet, allowing researchers to see how it worked.
6.3.Role of software development
Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit software bugs in a system or application to spread. Software development strategies that produce large numbers of bugs will generally also produce potential exploits.
6.4.Anti-virus software and other preventive measures
Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses. The first, and by far the most common, method of virus detection is to use a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect viruses that anti-virus security firms have yet to create a signature for. Some anti-virus programs are able to scan opened files, in addition to sent and received emails, 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to prevent the latest threats. One may also minimize the damage done by viruses by making regular backups of data (and the operating systems) on different media that are either kept unconnected to the system (most of the time), read-only, or not accessible for other reasons, such as using different file systems. This way, if data is lost through a virus, one can start again using the backup (which should preferably be recent). A notable exception to this rule is the Gammima virus, which propagates via infected removable media (specifically flash drives).
If a backup session on optical media like CD and DVD is closed, it becomes read-only and can no longer be affected by a virus (so long as a virus or infected file was not copied onto the CD/DVD). Likewise, an operating system on a bootable medium can be used to start the computer if the installed operating systems become unusable. Another method is to use different operating systems on different file systems. A virus is not likely to affect both. Data backups can also be put on different file systems. For example, Linux requires specific software to write to NTFS partitions, so if one does not install such software and uses a separate installation of MS Windows to make the backups on an NTFS partition, the backup should remain safe from any Linux viruses. Likewise, MS Windows cannot read file systems like ext3, so if one normally uses MS Windows, the backups can be made on an ext3 partition using a Linux installation.
Once a computer has been compromised by a virus, it is usually unsafe to continue using the same computer without completely reinstalling the operating system. However, there are a number of recovery options that exist after a computer has a virus. These actions depend on the severity of the type of virus.
6.5.1.Virus removal
One possibility on Windows Me, Windows XP and Windows Vista is a tool known as System Restore, which restores the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files or also exists in previous restore points. Some viruses, however, disable System Restore and other important tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor. Administrators have the option to disable such tools from limited users for various reasons. The virus modifies the registry to do the same, except, when the Administrator is controlling the computer, it blocks all users from accessing the tools. When an infected tool activates it gives the message "Task Manager has been disabled by your administrator.", even if the user trying to open the program is the administrator. Users running a Microsoft operating system can access Microsoft's website to run a free scan, provided they have their 20-digit registration number.
6.5.2.Operating system reinstallation
Reinstalling the operating system is another approach to virus removal. It involves simply reformatting the OS partition and installing the OS from its original media, or imaging the partition with a clean backup image (taken with Ghost or Acronis, for example). This method has the benefits of being simple to do, often faster than running multiple anti-virus scans, and guaranteed to remove any malware. Downsides include having to reinstall all other software as well as the operating system. User data can be backed up by booting off a Live CD or putting the hard drive into another computer and booting from the other computer's operating system (though care must be taken not to transfer the virus to the new computer).
7. Attack tree
Attack trees are conceptual diagrams of threats on computer systems and possible attacks to reach those threats. The concept was suggested by Bruce Schneier, CIO of Counterpane Internet Security. Attack trees are similar to threat trees. Threat trees have been discussed by Edward Amoroso.
Attack trees are multi-leveled diagrams consisting of one root, leaves, and children. From the bottom up, child nodes are conditions which must be satisfied to make the direct parent node true; when the root is satisfied, the attack is complete. Each node may be satisfied only by its direct child nodes. A node may be the child of another node; in such a case, it becomes logical that multiple steps must be taken to carry out an attack. For example, consider classroom computers which are secured to the desks. To steal one, the securing cable must be cut or the lock unlocked. The lock may be unlocked by picking or by obtaining the key. The key may be obtained by threatening a key holder, bribing a keyholder, or taking it from where it is stored (e.g. under a mouse mat). Thus a four-level attack tree can be drawn, of which one path is (Bribe Keyholder, Obtain Key, Unlock Lock, Steal Computer). Note also that an attack described in a node may require one or more of many attacks described in child nodes to be satisfied. The condition above shows only OR conditions; however, an AND condition can be created, for example, by assuming an electronic alarm which must be disabled if and only if the cable will be cut. Rather than making this task a child node of cutting the lock, both tasks can simply reach a summing junction. Thus the path ((Disable Alarm, Cut Cable), Steal Computer) is created. Attack trees are related to the established fault tree formalism. Fault tree methodology employs Boolean expressions to gate conditions when parent nodes are satisfied by leaf nodes. By including a priori probabilities with each node, it is possible to calculate probabilities for higher nodes using Bayes' rule. However, in reality accurate probability estimates are either unavailable or too expensive to gather. With respect to computer security with active participants (i.e., attackers), the probability distribution of events is probably neither independent nor uniform; hence, naive Bayesian analysis is unsuitable.
Attack tree for computer viruses. Here we assume a system such as Windows NT, where not all users have full system access. All child nodes operate on OR conditions.
Attack trees can become large and complex, especially when dealing with specific attacks. A full attack tree may contain hundreds or thousands of different paths all leading to completion of the attack. Even so, these trees are very useful for determining what threats exist and how to deal with them. Attack trees can lend themselves to defining an information assurance strategy. It is important to consider, however, that implementing policy to execute this strategy changes the attack tree. For example, computer viruses may be protected against by refusing the system administrator access to directly modify existing programs and program folders, instead requiring that a package manager be used. This adds to the attack tree the possibility of design flaws or exploits in the package manager. One could observe that the most effective way to mitigate a threat on the attack tree is to mitigate it as close to the root as possible. Although this is theoretically sound, it is not usually possible to simply mitigate a threat without other implications to the continued operation of the system. For example, the threat of viruses infecting a Windows system may be largely reduced by using NTFS instead of the FAT file system, so that normal users are unable to modify installed programs. Implementing this negates any possible way, foreseen or unforeseen, that a normal user may come to infect the system with a virus; however, it also requires that users switch to an administrative account to carry out administrative tasks, thus creating a different set of threats on the tree and more operational overhead.
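The classroom-computer tree described above, encoded as an added Python example (not a figure or code from the original text) with OR and AND gates: it enumerates the attack scenarios and root-to-leaf paths, and shows how blocking a leaf with a control prunes the tree, as the mitigation discussion describes. Node names are taken from the text; the gate encoding and the helper names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    gate: str = "LEAF"           # "LEAF", "OR" (any child) or "AND" (all children)
    children: Tuple["Node", ...] = ()


def leaf(name: str) -> Node:
    return Node(name)


def any_of(name: str, *kids: Node) -> Node:
    return Node(name, "OR", kids)


def all_of(name: str, *kids: Node) -> Node:
    return Node(name, "AND", kids)


# The tree from the text: the lock branch is all OR conditions; cutting the cable
# additionally requires disabling the alarm, so those two meet at an AND gate.
obtain_key = any_of("Obtain Key",
                    leaf("Threaten Keyholder"),
                    leaf("Bribe Keyholder"),
                    leaf("Take Key From Under Mouse Mat"))
unlock_lock = any_of("Unlock Lock", leaf("Pick Lock"), obtain_key)
cut_cable = all_of("Cut Alarmed Cable", leaf("Disable Alarm"), leaf("Cut Cable"))
steal_computer = any_of("Steal Computer", cut_cable, unlock_lock)


def scenarios(node: Node) -> List[FrozenSet[str]]:
    """Every set of leaf actions that satisfies `node` (the attack scenarios)."""
    if node.gate == "LEAF":
        return [frozenset([node.name])]
    if node.gate == "OR":
        return [s for child in node.children for s in scenarios(child)]
    combos: List[FrozenSet[str]] = [frozenset()]   # AND: combine children's scenarios
    for child in node.children:
        combos = [c | s for c in combos for s in scenarios(child)]
    return combos


def paths(node: Node, trail: Tuple[str, ...] = ()) -> List[Tuple[str, ...]]:
    """Root-to-leaf chains, listed leaf-first as the text writes them, e.g.
    (Bribe Keyholder, Obtain Key, Unlock Lock, Steal Computer)."""
    trail = (node.name,) + trail
    if node.gate == "LEAF":
        return [trail]
    return [p for child in node.children for p in paths(child, trail)]


def feasible(node: Node, blocked: Set[str]) -> bool:
    """Propagate feasibility upward: a leaf is feasible unless a control blocks it;
    an OR node needs one feasible child, an AND node needs all of them."""
    if node.gate == "LEAF":
        return node.name not in blocked
    results = [feasible(child, blocked) for child in node.children]
    return any(results) if node.gate == "OR" else all(results)


def surviving_scenarios(node: Node, blocked: Set[str]) -> List[FrozenSet[str]]:
    """Scenarios that remain after the blocked leaves are mitigated."""
    return [s for s in scenarios(node) if not (s & blocked)]
```

Blocking one leaf under the AND gate removes that whole branch, while the OR-only lock branch survives until every one of its leaves is covered, which is the "mitigate close to the root" trade-off in miniature.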
8. Adware, Malware, and keystroke logging
Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user. Adware has been criticized because it usually includes code that tracks a user's personal information and passes it on to third parties, without the user's authorization or knowledge. This practice has been dubbed spyware and has prompted an outcry from computer security and privacy advocates, including the Electronic Privacy Information Center. Noted privacy software expert Steve Gibson of Gibson Research explains: "Spyware is any software (that) employs a user's Internet connection in the background (the so-called 'backchannel') without their knowledge or explicit permission. Silent background use of an Internet 'backchannel' connection must be preceded by a complete and truthful disclosure of proposed backchannel usage, followed by the receipt of explicit, informed consent for such use. Any software communicating across the Internet absent of these elements is guilty of information theft and is properly and rightfully termed: Spyware." Some adware is also shareware, and so the word may be used as a term of distinction to differentiate between types of shareware software. What differentiates adware from other shareware is that it is primarily advertising-supported. Users may also be given the option to pay for a "registered" or "licensed" copy to do away with the advertisements. Adware can also download and install PUPs.
8.1.1.Prevention and detection
Programs have been developed to detect, quarantine, and remove spyware. As there are many examples of adware software that are also spyware or malware, many of these detection programs have been developed to detect, quarantine, and remove adware as well. Among the more prominent of these applications are Ad-Aware and Spybot - Search & Destroy. These programs are designed specifically for spyware detection and will not detect viruses, although some commercial antivirus software can also detect adware and spyware, or offer a separate spyware detection package.
Malware, a portmanteau of the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including true viruses. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several American states, including California and West Virginia. Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs. Preliminary results from Symantec published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications." According to F-Secure, "As much malware was produced in 2007 as in the previous 20 years altogether". Malware's most common pathway from criminals to users is through the Internet, by email and the World Wide Web.
8.2.1.Malware Classification
• Infectious malware: viruses and worms
The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. The term computer virus is used for a program which has infected some executable software and which causes that software, when run, to spread the virus to other executable software. Viruses may also contain a payload which performs other actions, often malicious. A worm, on the other hand, is a program which actively transmits itself over a network to infect other computers. It too may carry a payload. These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file or email to infect the system, would be classified as viruses rather than worms. Some writers in the trade and popular press appear to misunderstand this distinction, and use the terms interchangeably.
• Concealment: Trojan horses, rootkits, and backdoors
Trojan horses
For a malicious program to accomplish its goals, it must be able to do so without being shut down, or deleted by the user or administrator of the computer it's running on. Concealment can also help get the malware installed in the first place. When a malicious program is disguised as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horse or Trojan. Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting all the user's files, or more commonly it may install further harmful software into the user's system to serve the creator's longer-term goals.
Trojan horses known as droppers are used to start off a worm outbreak, by injecting the worm into users' local networks.
One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement which states the behavior of the spyware in loose terms, and which the users are unlikely to read or understand.
Rootkits
Once a malicious program is installed on a system, it is often useful to the creator if it stays concealed. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a UNIX system where the attacker had gained administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program. Some malicious programs contain routines to defend against removal: not merely to hide themselves, but to repel attempts to remove them. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V timesharing system: “Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.” Similar techniques are used by some modern malware, wherein the malware starts a number of processes which monitor one another and restart any process which is killed off by the operator.
Backdoors
A backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised (by one of the above methods, or in some other way), one or more backdoors may be installed, in order to allow the attacker access in the future. The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms, or other methods.
• Malware for profit: spyware, botnets, keystroke loggers, and dialers
During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank (although some viruses were spread only to discourage users from illegal software exchange). More recently, the greater share of malware programs has been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue. Since 2003 or so, the most costly form of malware in terms of time and money spent in recovery has been the broad category known as spyware. Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called "stealware" by the media, overwrite affiliate marketing codes so that revenue goes to the spyware creator rather than the intended recipient. Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement which purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court. Another way that financially-motivated malware creators can profit from their infections is to directly use the infected computers to do work for the creator. Spammer viruses, such as the Sobig and Mydoom virus families, are commissioned by e-mail spam gangs. The infected computers are used as proxies to send out spam messages. The advantage to spammers of using infected computers is that they are available in large supply (thanks to the virus) and they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with distributed denial-of-service attacks. In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to anti-virus software or other security measures. Lastly, it is possible for a malware creator to profit by simply stealing from the person whose computer is infected. Some malware programs install a key logger, which copies down the user's keystrokes when entering a password, credit card number, or other information that may be useful to the creator. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD key or password for online games, allowing the creator to steal accounts or virtual items. Another way of stealing money from the infected PC owner is to take control of the modem and dial an expensive toll call. Dialer software dials up a premium-rate telephone number such as a U.S. "900 number" and leaves the line open, charging the toll to the infected user.
• Data-stealing malware
Data-stealing malware is a web threat that divests victims of personal and proprietary information with the intent of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file download or direct installation, as most hybrid attacks do, files that act as agents to proxy information will fall into the data-stealing malware category.
Characteristics of data-stealing malware
o Does not leave traces of the event
  - The malware is typically stored in the local cache, which is routinely flushed
  - The malware may be installed via a drive-by-download process
  - The website hosting the malware, as well as the malware itself, is generally temporary or rogue
o Frequently changes and extends its functions
  - It is difficult for antivirus software to detect final payload attributes due to the combinations of malware components
  - The malware uses multiple file encryption levels
  - Malware kits sold via underground forums are able to generate different files on-the-fly
o Thwarts Intrusion Detection Systems (IDS) after successful installation
  - There are no perceivable network anomalies
  - The malware hides in web traffic
  - The malware is stealthier in terms of traffic and resource use
o Thwarts disk encryption
  - Data is stolen during decryption and display
  - The malware can monitor keystrokes and passwords
o Thwarts Data Loss Prevention (DLP)
  - Leakage protection hinges on metadata tagging, and not everything is tagged
  - Miscreants can use encryption to port data
8.2.2.Vulnerability to malware
In this context, as throughout, it should be borne in mind that the “system” under attack may be of various types, e.g. a single computer and operating system, a network or an application. Various factors make a system more vulnerable to malware:
• Homogeneity – e.g. when all computers in a network run the same OS, if you can hack that OS, you can break into any computer running it.
• Defects – most systems contain errors which may be exploited by malware.
• Unconfirmed code – code from a floppy disk, CD-ROM or USB device may be executed without the user’s agreement.
• Over-privileged users – some systems allow all users to modify their internal structures.
• Over-privileged code – most popular systems allow code executed by a user all rights of that user.
An often cited cause of vulnerability of networks is homogeneity or software monoculture. In particular, Microsoft Windows has such a large share of the market that concentrating on it will enable a cracker to subvert a large number of systems. Introducing inhomogeneity purely for the sake of robustness would however bring high costs in terms of training and maintenance. Most systems contain bugs which may be exploited by malware. A typical example is the buffer overrun, in which an interface designed to store data in a small area of memory allows the caller to supply more data than will fit. This extra data then overwrites the interface's own structure. In this way malware can force the system to execute malicious code, by replacing legitimate code with its own payload.
Originally, PCs had to be booted from floppy disks, and until recently it was common for this to be the default boot device. This meant that a corrupt floppy disk could subvert the computer during booting, and the same applies to CDs. Although that is now less common, it is still possible to forget that one has changed the default, and rare that a BIOS makes one confirm a boot from removable media. In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. This is primarily a configuration decision, but on Microsoft Windows systems the default configuration is to over-privilege the user. This situation exists due to decisions made by Microsoft to prioritize compatibility with older systems above security configuration in newer systems, and because typical applications were developed without under-privileged users in mind. As privilege escalation exploits have increased, this priority is shifting for the release of Microsoft Windows Vista. As a result, many existing applications that require excess privilege (over-privileged code) may have compatibility problems with Vista. However, Vista's User Account Control feature attempts to remedy applications not designed for under-privileged users through virtualization, acting as a crutch to resolve the privileged access problem inherent in legacy applications. Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems and also many scripting applications allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of e-mail attachments, which may or may not be disguised.
Given this state of affairs, users are warned only to open attachments they trust, and to be wary of code received from untrusted sources. It is also common for operating systems to be designed so that device drivers need escalated privileges, while they are supplied by more and more hardware manufacturers, some of whom may be unreliable.
8.2.3.Anti-malware programs
As malware attacks become more frequent, attention has begun to shift from virus and spyware protection to malware protection, and programs have been developed specifically to combat them. Anti-malware programs can combat malware in two ways:
1. They can provide real-time protection against the installation of malware on a computer. This type of protection works the same way as anti-virus protection in that the anti-malware software scans all incoming network data for malware and blocks any threats it comes across.
2. Anti-malware software can be used solely for detection and removal of malware that has already been installed on a computer. This type of malware protection is normally much easier to use and more popular. It scans the contents of the Windows registry, operating system files, and installed programs on a computer and provides a list of any threats found, allowing the user to choose which files to delete or keep, or compares this list to a list of known malware components, removing files which match.
Real-time protection from malware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent malware. In some cases, it may also intercept attempts to install startup items or to modify browser settings. Because many malware components are installed as a result of browser exploits or user error, using security software (some of which is anti-malware, though much is not) to "sandbox" browsers (essentially babysit the user and their browser) can also be effective in helping to restrict any damage done.
Keystroke logging (often called keylogging) is a method of capturing and recording user keystrokes. The technique and name came from before the era of the graphical user interface; loggers nowadays would expect to capture mouse operations as well. Keylogging can be useful to determine sources of errors in computer systems, to study how users interact with and access systems, and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for both law enforcement and law-breaking, for instance providing a means to obtain passwords or encryption keys and thus bypassing other security measures. Keyloggers are widely available on the Internet. There are currently two types of keylogging methods, hardware and software based.
8.3.1.Keystroke Application
Keystroke logging can be achieved by both hardware and software means. Hardware key loggers are commercially available devices which come in three types: inline devices that are attached to the keyboard cable, devices which can be installed inside standard keyboards, and actual replacement keyboards that contain the key logger already built-in. The inline devices have the advantage of being able to be installed instantly on desktop computers without integrated keyboards. When used covertly, inline devices are easily detected by a glance at the keyboard connector plugged into the computer. Of the three types, the most difficult to install is also the most difficult to detect. The device that installs inside a keyboard (presumably the keyboard the target has been using all along) requires soldering skill and extended access to the keyboard to be modified. However, once in place, this type of device is virtually undetectable unless specifically looked for.
8.3.2.Types of keystroke loggers
1. Local Machine software Keyloggers are software programs that are designed to work on the target computer’s operating system. From a technical perspective there are four categories:
Hypervisor-based: The keylogger resides in a malware hypervisor running underneath the operating system, which remains untouched, except that it effectively becomes a virtual machine. See Blue Pill for a conceptual example.
Kernel based: This method is difficult both to write and to combat. Such keyloggers reside at the kernel level and are thus difficult to detect, especially for user-mode applications. They are frequently implemented as rootkits that subvert the operating system kernel and gain unauthorized access to the hardware which makes them very powerful. A keylogger using this method can act as a keyboard driver for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.
Hook based: Such keyloggers hook the keyboard with functions provided by the operating system. The operating system warns them any time a key is pressed and it records it.
Passive Methods: Here the coder uses operating system APIs like GetAsyncKeyState(), GetForegroundWindow(), etc. to poll the state of the keyboard or to subscribe to keyboard events. These are the easiest to write, but where constant polling of each key is required, they can cause a noticeable increase in CPU usage and can miss the occasional key. A more recent example simply polls the BIOS for preboot authentication PINs that have not been cleared from memory.
Form grabber based: Such keyloggers log web form submissions by hooking the browser's onsubmit event functions. This records form data before it is passed over the Internet, and so bypasses HTTPS encryption.
2. Remote Access software Keyloggers are local software keyloggers programmed with an added feature to transmit recorded data out of the target computer and make the data available to the monitor at a remote location. Remote communication is facilitated by one of four methods:
• Data is uploaded to a website or an FTP account.
• Data is periodically emailed to a pre-defined email address.
• Data is wirelessly transmitted by means of an attached hardware system.
• It allows the monitor to log into the local machine via the Internet or Ethernet and access the logs stored on the target machine.
3. Hardware Keyloggers are used for keystroke logging by means of a hardware circuit that is attached somewhere in between the computer keyboard and the computer. It logs all keyboard activity to its internal memory, which can subsequently be accessed, for example, by typing in a secret key. A hardware keylogger has an advantage over a software solution; because it is not dependent on the computer's operating system, it will not interfere with any program running on the target machine and hence cannot be detected by any software; however its physical presence may be detected.
4. Remote Access Hardware Keyloggers, otherwise known as Wireless Hardware Keyloggers, work in much the same way as regular hardware keyloggers, except they have the ability to be controlled and monitored remotely by means of a wireless communication standard.
5. Wireless Keylogger sniffers collect packets of data being transferred between a wireless keyboard and its receiver and then attempt to crack the encryption key being used to secure wireless communications between the two devices.
6. Acoustic Keyloggers work by analyzing a recording of the sound created by someone typing on a computer. Each character on the keyboard makes a subtly different acoustic signature when stroked. Using statistical methods, it is then possible to identify which keystroke signature relates to which keyboard character. This is done by analyzing the repetition frequency of similar acoustic keystroke signatures, the timings between different keyboard strokes and other context information such as the probable language in which the user is writing. A fairly long recording (1000 or more keystrokes) is required so that the statistics are meaningful.
7. Electromagnetic Radiation loggers work by passively capturing electromagnetic emissions of a keyboard, without being physically wired to it.
8.3.3.Keylogger prevention
Currently there is no easy way to prevent keylogging. In the future, it is believed that software with secure I/O will be protected from keyloggers. Until then, however, the best strategy is to use common sense and a combination of several methods. It is possible to use software to monitor the connectivity of the keyboard and log the absence as a countermeasure against physical keyloggers. For a PS/2 keyboard, the timeout bit (BIT6 at port 100) has to be monitored. But this only makes sense when the PC is (nearly) always on.
64-bit versions of Windows Vista and Server 2008 implement mandatory digital signing of kernel-mode device drivers, thereby restricting the installation of key-logging rootkits.
Monitoring what programs are running
A user should constantly observe what programs are installed and running on his or her machine.
Anti-spyware applications are able to detect many keyloggers and cleanse them. Responsible vendors of monitoring software support detection by anti-spyware programs, thus preventing abuse of the software.
Enabling a firewall does not stop keyloggers per se, but can possibly prevent transmission of the logged material over the net if properly configured.
Network monitors (also known as reverse-firewalls) can be used to alert the user whenever an application attempts to make a network connection. This gives the user the chance to prevent the keylogger from "phoning home" with his or her typed information.
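The reverse-firewall idea above reduces to a simple rule: every outbound connection attempt is checked against a list of processes (and ports) the user has approved, and anything else raises an alert before the data leaves the machine. The following is an added example of that check, not code from the original text or from any monitoring product. The log line format, the process names and the sample lines are all constructed for the example; the destination addresses are from the IPv4 ranges reserved for documentation.

```python
"""Reverse-firewall style check over constructed connection-attempt records.

Each record names the process, its PID and the destination host:port. A
process that is not on the allowlist, or that uses a port the allowlist does
not grant it, produces an alert. Constructed example; the log format is
hypothetical and not that of any real product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical line format: "<timestamp> proc=<name> pid=<n> dst=<host>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+pid=(?P<pid>\d+)\s+"
    r"dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class ConnAttempt:
    ts: str
    proc: str
    pid: int
    host: str
    port: int


def parse_line(line: str) -> Optional[ConnAttempt]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ConnAttempt(
        ts=m["ts"],
        proc=m["proc"].lower(),  # normalise case so the allowlist lookup is stable
        pid=int(m["pid"]),
        host=m["host"],
        port=int(m["port"]),
    )


def outbound_alerts(
    lines: Iterable[str], allowlist: dict[str, frozenset[int]]
) -> list[tuple[ConnAttempt, str]]:
    """Return (attempt, reason) for every connection the allowlist does not permit.

    allowlist maps a lower-case process name to the set of destination ports it
    may use. A process missing from the map is never allowed out.
    """
    alerts: list[tuple[ConnAttempt, str]] = []
    for line in lines:
        attempt = parse_line(line)
        if attempt is None:
            continue  # unparseable line: skipped, not treated as an attempt
        allowed_ports = allowlist.get(attempt.proc)
        if allowed_ports is None:
            alerts.append((attempt, "process not on allowlist"))
        elif attempt.port not in allowed_ports:
            alerts.append((attempt, f"port {attempt.port} not allowed for {attempt.proc}"))
    return alerts


# Constructed sample: two approved programs, one unknown process reaching an
# IRC port, one approved program using a port it was never granted, and one
# garbage line that the parser must skip.
SAMPLE_LOG = """\
2001-01-01T10:00:00 proc=browser.exe pid=1204 dst=198.51.100.10:443
2001-01-01T10:00:02 proc=mailclient.exe pid=2210 dst=198.51.100.25:993
2001-01-01T10:00:05 proc=svchelper.exe pid=3391 dst=203.0.113.7:6667
2001-01-01T10:00:09 proc=browser.exe pid=1204 dst=203.0.113.9:21
this line is garbage and should be skipped
"""

ALLOWLIST: dict[str, frozenset[int]] = {
    "browser.exe": frozenset({80, 443}),
    "mailclient.exe": frozenset({587, 993}),
}

if __name__ == "__main__":
    for attempt, reason in outbound_alerts(SAMPLE_LOG.splitlines(), ALLOWLIST):
        print(f"{attempt.ts} {attempt.proc}[{attempt.pid}] -> {attempt.host}:{attempt.port}: {reason}")
```

Running the block prints two alerts: the unknown `svchelper.exe` process and the browser's attempt on port 21. The allowlist is keyed on process name only, which is the same limitation a real reverse-firewall has when a keylogger injects itself into, or names itself after, an approved program; pairing the name with a hash of the executable tightens the check.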
Automatic form filler programs
Automatic form-filling programs can prevent keylogging entirely by not using the keyboard at all. Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts. Once the user's account and credit card information has been entered into the program, it will be automatically entered into forms without ever using the keyboard or clipboard, thereby reducing the possibility that private data is being recorded. (Someone with access to browser internals and/or memory can often still get to this information; if SSL is not used, network sniffers and proxy tools can easily be used to obtain private information too.) It is important to generate passwords in a fashion that is invisible to keyloggers and screenshot utilities. Using a browser integrated form filler and password generator that does not just pop up a password on the screen is therefore key. Programs that do this can generate and fill passwords without ever using the keyboard or clipboard.
Alternative keyboard layouts
Most keylogging hardware/software assumes that a person is using the standard QWERTY keyboard layout, so by using a layout such as Dvorak, captured keystrokes are nonsense unless converted. For additional security, custom keyboard layouts can be created using tools like the Microsoft Keyboard Layout Creator.
One-time passwords (OTP)
Using one-time passwords is completely keylogger-safe because the recorded password is always invalidated right after it's used. This solution is useful if you are often using public computers where you can't verify what is running on them. One-time passwords also prevent replay attacks, where an attacker uses the old information to impersonate the user. One example is online banking, where one-time passwords are implemented and protect the account against keylogging attacks as well as replay attacks.
Because of the integrated circuit of smart cards, they are not affected by keyloggers and other logging attempts. A smart card can process the information and return a unique challenge every time you log in. The information cannot usually be used to log in again.
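The property the section relies on, that a captured one-time password is worthless once it has been accepted, comes from the server keeping state about which codes have already been consumed. The following is an added example, not code from the original text: an HOTP generator as specified in RFC 4226 (HMAC-SHA-1 over a counter, dynamic truncation, six decimal digits) together with a small verifier that rejects any code at or below the last accepted counter. The `OtpVerifier` class, its `look_ahead` parameter and the demo secret are constructed for this example; the secret is the one RFC 4226 uses for its published test vectors.

```python
"""HOTP (RFC 4226) generation plus a replay-rejecting verifier.

Added example. The verifier design (per-user "last accepted counter" with a
small look-ahead window) is a common server-side pattern and is constructed
here for illustration; it is not taken from any particular product.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value for one counter (RFC 4226, section 5.3)."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA-1
    offset = mac[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one user's token.

    Every accepted code advances last_counter, so a keylogged code can be
    replayed as often as the attacker likes and will never be accepted again.
    look_ahead lets the server resynchronise if the user generated a few codes
    without submitting them.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        first = self.last_counter + 1
        for counter in range(first, first + self.look_ahead):
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # consume this and all earlier counters
                return True
        return False


# Secret from the RFC 4226 test vectors (Appendix D), used here only so the
# generated codes can be checked against the published values.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = OtpVerifier(DEMO_SECRET)
    token_code = hotp(DEMO_SECRET, 0)          # what the user's token displays
    print("first use:", server.verify(token_code))   # True
    print("replay   :", server.verify(token_code))   # False: already consumed
    print("next code:", server.verify(hotp(DEMO_SECRET, 2)))  # True, skips counter 1
    print("old code :", server.verify(hotp(DEMO_SECRET, 1)))  # False: behind the counter
```

The look-ahead window is the usual trade-off: a larger window tolerates more "wasted" token presses but gives a captured code a slightly longer life, since a code for counter n+3 stays valid until the user submits a later one. Time-based OTP (TOTP) replaces the counter with a time step and needs the same "already used in this step" bookkeeping to keep the replay guarantee.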
o Program-to-program (non-web) keyboards
It is sometimes said that a third-party (or first-party) on-screen keyboard program is a good way to combat keyloggers, as it only requires clicks of the mouse. However, this is not always true. Most on-screen keyboards (such as the on-screen keyboard that comes with Microsoft Windows XP) send keyboard event messages to the external target program to type text. Every software keylogger can log these typed characters sent from one program to another. Additionally, some programs also record or take snapshots of what is displayed on the screen (periodically, and/or upon each mouse click). However, there are some on-screen keyboard programs that do offer some protection, using other techniques described in this article (such as dragging and dropping the password from the on-screen keyboard to the target program).
o Web-based keyboards
Notably, the game MapleStory uses, in addition to a standard alphanumeric password, a 4-digit PIN code secured by both on-screen keyboard entry and a randomly changing button pattern; there is no real way to get the latter information without logging the screen and mouse movements; another MMORPG called RuneScape makes a similar system available for players to protect their in-game bank accounts.
Keylogger detection software is also available. Some of this type of software uses "signatures" from a list of all known keyloggers. The PC's legitimate users can then periodically run a scan from this list, and the software looks for the items from the list on the hard drive. One drawback of this approach is that it only protects from keyloggers on the signature-based list, with the PC remaining vulnerable to other keyloggers. Other detection software doesn't use a signature list, but instead analyzes the working methods of many modules in the PC, allowing it to block the work of many different types of keylogger. One drawback of this approach is that it can also block legitimate, non-keylogging software. Some heuristics-based anti-keyloggers have the option to unblock known good software, but this can cause difficulties for inexperienced users.
Similar to on-screen keyboards, speech-to-text conversion software can also be used against keyloggers, since there are no typing or mouse movements involved. The weakest point of using voice-recognition software may be how the software sends the recognized text to target software after the recognition took place.
Handwriting recognition and mouse gestures
Also, many PDAs and lately Tablet PCs can already convert pen (also called stylus) movements on their touchscreens to computer-understandable text successfully. Mouse gestures utilize this principle by using mouse movements instead of a stylus. Mouse gesture programs convert these strokes to user-definable actions, including typing text. Similarly, graphics tablets and light pens can be used to input these gestures; however, these are used less commonly every day. The same potential weakness of speech recognition applies to this technique as well.
With the help of many freeware/shareware programs, a seemingly meaningless text can be expanded into meaningful text, most of the time context-sensitively, e.g. "we" can be expanded to "en.Wikipedia.org" when a browser window has the focus. The biggest weakness of this technique is that these programs send their keystrokes directly to the target program. However, this can be overcome by using the 'alternating' technique described below, i.e. sending mouse clicks to non-responsive areas of the target program, sending meaningless keys, sending another mouse click to the target area (e.g. password field) and switching back and forth.
Using many readily available utilities, the target window could be made temporarily transparent, in order to hinder screen-capturing by advanced keyloggers. Although not a fool-proof technique against keyloggers on its own, this could be used in combination with other techniques.
Some keyloggers can be fooled by alternating between typing the login credentials and typing characters somewhere else in the focus window. Similarly, a user can move their cursor using the mouse during typing, causing the logged keystrokes to be in the wrong order e.g. by typing a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter. Lastly, someone can also use context menus to remove, copy, cut and paste parts of the typed text without using the keyboard.
Another very similar technique utilizes the fact that any selected text portion is replaced by the next key typed. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". These dummies could then be selected with the mouse, and the next character from the password, "e", is typed, which replaces the dummies "asdfsd".
9. Virus Prevention Tools, Tips, and Tricks
Antivirus software is must-have protection. Keep it installed, enabled, and up-to-date at all times. But though antivirus software is critical, alone it's not enough to keep you protected. Follow sound security practices, install a firewall, and use other adjunct protection in combination with your own common sense.
9.1.1.Antivirus
Antivirus software (or anti-virus) is computer software used to identify and remove computer viruses, as well as many other types of harmful computer software, collectively referred to as malware. While the first antivirus software was designed exclusively to combat computer viruses (hence "antivirus"), modern antivirus software can protect computer systems against a wide range of malware, including worms, phishing attacks, rootkits, and Trojans.
Identification methods
There are several methods which antivirus software can use to identify malware. Depending on the software, more than one method may be used.
Signature based detection is the most common method that antivirus software utilizes to identify malware. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.
Malicious activity detection is another way to identify malware. In this approach, antivirus software monitors the system for suspicious program behavior. If suspicious behavior is detected, the suspect program may be further investigated, using signature based detection or another method listed in this section. This type of detection can be used to identify unknown viruses.
Heuristic-based detection is used by more advanced antivirus software. Like malicious activity detection, heuristics can be used to identify unknown viruses. This can be accomplished in one of two ways: file analysis and file emulation. File analysis is the process of searching a suspect file for virus-like instructions. For example, if a program has instructions to format the C drive, antivirus software might further investigate the file. One downside to this approach is that the computer may run slowly if every file is analyzed. File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine whether the program is malicious and then carry out the appropriate actions.
Signature based detection
Signature based detection is the most common method that antivirus software uses to identify malware. This method is somewhat limited by the fact that it can only identify known viruses, unlike other methods. When antivirus software scans a file for viruses, it checks the contents of the file against a dictionary of virus signatures. A virus signature is the viral code. So, saying you found a virus signature in a file is the same as saying you found the virus itself. If a virus signature is found in a file, the antivirus software can take action to remove the virus.
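As an added illustration of the signature scan just described (example code written for this edit, not from the original text or from any antivirus product), the following Python scanner searches a file in pieces against a dictionary of constructed signatures, carrying an overlap across piece boundaries so that a signature split between two pieces is still found at its true offset; a final helper shows why a self-modifying virus slips past a fixed signature.

```python
"""Minimal signature-based scanner: whole-file and piecewise search.
The signatures and sample file below are constructed for illustration;
they are not real malware patterns."""
import io
from typing import BinaryIO, Dict, List, Tuple

# Constructed signature dictionary: virus name -> byte pattern (illustrative only).
SIGNATURES: Dict[str, bytes] = {
    "Test.Sample.A": b"SIG-A:fake-viral-code-block",
    "Test.Sample.B": b"\x4d\x5a\x90\x00SIG-B",
}


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, int]]:
    """Return (name, offset) for every signature occurrence in data (whole-file search)."""
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_stream(stream: BinaryIO, signatures: Dict[str, bytes] = SIGNATURES,
                chunk_size: int = 4096) -> List[Tuple[str, int]]:
    """Scan a stream piece by piece. The last (longest signature - 1) bytes of
    each window are carried into the next one, so a pattern that straddles a
    piece boundary is still matched, and a set removes the duplicate that the
    carried bytes would otherwise produce."""
    overlap = max(len(p) for p in signatures.values()) - 1
    hits = set()
    carry = b""
    carry_offset = 0  # file offset of carry[0], i.e. of the next window's first byte
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = carry + chunk
        for name, rel in scan_bytes(window, signatures):
            hits.add((name, carry_offset + rel))
        carry = window[-overlap:] if overlap > 0 else b""
        carry_offset = carry_offset + len(window) - len(carry)
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path: str, signatures: Dict[str, bytes] = SIGNATURES,
              chunk_size: int = 4096) -> List[Tuple[str, int]]:
    with open(path, "rb") as fh:
        return scan_stream(fh, signatures, chunk_size)


def build_sample() -> bytes:
    """Constructed 'infected' file: padding, signature A, padding, signature B, padding."""
    pad = b"\x00" * 100
    return pad + SIGNATURES["Test.Sample.A"] + pad + SIGNATURES["Test.Sample.B"] + pad


def scan_sample(chunk_size: int) -> List[Tuple[str, int]]:
    """Run the constructed sample through the piecewise path with a chosen piece size."""
    return scan_stream(io.BytesIO(build_sample()), SIGNATURES, chunk_size)


def mutated_sample() -> bytes:
    """Same file with one byte inside signature A altered, as a self-modifying
    virus would do: the fixed signature for A no longer matches."""
    data = bytearray(build_sample())
    data[110] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    print("piecewise (60-byte pieces):", scan_sample(60))
    print("after mutation:", scan_bytes(mutated_sample()))
```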
Antivirus software will usually perform one or more of the following actions: quarantining, repairing, or deleting. Quarantining a file will make it inaccessible, and is usually the first action antivirus software will take if a malicious file is found. Encrypting the file is a good quarantining technique because it renders the file useless. Sometimes a user wants to save the content of an infected file (because viruses can sometimes embed themselves in files, a technique called injection). To do this, antivirus software will attempt to repair the file by trying to remove the viral code from it. Unfortunately, some viruses might damage the file upon injection, which means repairing will fail. The third action antivirus software can take against a virus is deleting it. If a file repair operation fails, usually the best thing to do is to just delete the file. Deleting the file is necessary if the entire file is a virus.
Because new viruses are being created each day, the signature based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company. There, the virus can be analyzed and the signature added to the dictionary.
Signature-based antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them. In this way it can detect a known virus immediately upon receipt. System administrators can schedule antivirus software to scan all files on the computer's hard disk at a set time and date.
Although the signature based approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as not to match virus signatures in the dictionary.
An emerging technique to deal with malware in general is whitelisting.
Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this "default deny" approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since modern enterprise organizations have large quantities of trusted applications, the limitations of adopting this technique rest with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. Viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.
Suspicious behavior monitoring
The suspicious behavior approach, by contrast, does not attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user, and ask what to do. Unlike the signature based approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users may become desensitized to the warnings. If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user. This problem has worsened since 1997, since many more non-malicious program designs came to modify other .exe files without regard to this false positive issue. In recent years, however, sophisticated behavior analysis has emerged, which analyzes processes and calls to the kernel in context before making a decision, which gives it a lower false positive rate than rules based behavior monitoring.
Heuristics
Some more sophisticated antivirus software uses heuristic analysis to identify new malware. Two methods are used: file analysis and file emulation. As described above, file analysis is the process by which antivirus software analyzes the instructions of a program. Based on the instructions, the software can determine whether or not the program is malicious. For example, if the file contains instructions to delete important system files, the file might be flagged as a virus. While this method is useful for identifying new viruses and variants, it can trigger many false alarms. The second heuristic approach is file emulation. In this approach, the target file is run in a virtual system environment, separate from the real system environment. The antivirus software then logs what actions the file takes in the virtual environment. If the actions are found to be damaging, the file will be marked as a virus. But again, this method can trigger false alarms.
Issues of concern
Some antivirus software can considerably reduce performance. Users may disable the antivirus protection to overcome the performance loss, thus increasing the risk of infection. For maximum protection, the antivirus software needs to be enabled all the time — often at the cost of slower performance (see also software bloat).
Antivirus programs can in themselves pose a security risk, as they often run at the 'System' level of privileges and may hook the kernel. Both of these are necessary for the software to effectively do its job, but they have a major downside: exploitation of the antivirus program itself could lead to privilege escalation and create a severe security threat. Arguably, when the ramifications of the added software are taken into account, the use of antivirus software is largely ineffective compared with applying the principle of least privilege.
When purchasing antivirus software, the agreement may include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription. Norton Antivirus also renews subscriptions automatically by default.
Some antivirus programs are actually spyware masquerading as antivirus software. It is best to double-check that the antivirus software which is being downloaded is actually a real antivirus program. Anti-virus manufacturers have been criticized for fear mongering by exaggerating the risk that viruses pose to consumers. If an antivirus program is configured to immediately delete or quarantine infected files (or does this by default), false positives in essential files can render the operating system or some applications unusable.
System related issues
Running multiple antivirus programs concurrently can harm performance. It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Active antivirus protection may partially or completely prevent the installation of a major update.
9.1.2.Virus removal tools
A virus removal tool is software for removing specific viruses from infected computers. Unlike complete antivirus scanners, they are usually not intended to detect and remove an extensive list of viruses; rather, they are designed to remove specific viruses, usually more effectively than normal antivirus software. Examples of these tools include McAfee Stinger and the Microsoft Malicious Software Removal Tool (which is run automatically by Windows Update). Many of these tools are available for free download. These tools can sometimes do a better job of removing a specific virus than conventional antivirus software.
9.1.3.Firewall
A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria. In short, it is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
1. Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
Firewall Function
A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules. A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ). A firewall's function within a network is similar to physical firewalls with fire doors in building construction. In the former case, it is used to prevent network intrusion into the private network. In the latter case, it is intended to contain and delay structural fire from spreading to adjacent structures.
Without proper configuration, a firewall can often become worthless. Standard security practices dictate a "default-deny" firewall ruleset, in which the only network connections which are allowed are the ones that have been explicitly allowed. Unfortunately, such a configuration requires detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.
Firewall Generations
First generation - packet filters
The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical Internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture. Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet.
If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).
This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number). TCP and UDP protocols comprise most communication over the Internet, and because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.
Second generation - "stateful" filters
From 1989-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam developed the second generation of firewalls, calling them circuit level firewalls. Second generation firewalls in addition regard the placement of each individual packet within the packet series. This technology is generally referred to as stateful packet inspection, as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules. This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.
Third generation - application layer
Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy-based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC, who named it the DEC SEAL product. DEC's first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA. TIS, under a broader DARPA contract, developed the Firewall Toolkit (FWTK), and made it freely available under license on October 1, 1993. The purposes for releasing the freely-available, not-for-commercial-use FWTK were: to demonstrate, via the software, documentation, and methods used, how a company with (at the time) 11 years' experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so people did not have to continue to "roll their own" from scratch); and to "raise the bar" of firewall software being used. The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in any harmful way.
Subsequent developments
In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1. The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS).
Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.
Types of Firewall
There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.
Network layer and packet filters
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules, or default rules may apply. The term "packet filter" originated in the context of BSD operating systems. Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or connection completion). If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing. Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached. Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, and destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes. Commonly used packet filters on various versions of UNIX are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), and iptables/ipchains (Linux).
Application-layer
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines. By inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and Trojans. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach. The XML firewall exemplifies a more recent kind of application-layer firewall.
Proxies
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets. Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.
Network address translation
Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals, as well as to reduce the amount, and therefore the cost, of obtaining enough public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.
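To make the stateless/stateful distinction above concrete, here is an added Python model (written for this edit, not from the original text or from any real firewall) of a first-generation filter beside a second-generation one, both default-deny; the addresses, ruleset and packet sequence are constructed, and the anti-spoofing check uses the RFC 1918 private ranges named in the NAT paragraph.

```python
"""Toy stateless vs. stateful packet filter. Rules are first-match with a
default-deny fallback; the stateful variant keeps a table of accepted
connections, passes packets of known connections without a rule lookup,
and drops mid-stream TCP packets for connections it has never seen."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Private ranges from RFC 1918: valid only behind the firewall, never as a
# source address of a packet arriving from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (from the LAN)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # a TCP SYN without ACK opens a new connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    direction: Optional[str] = None   # None matches either direction
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None         # CIDR, None matches any destination

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


class StatelessFilter:
    """First generation: every packet is judged on its own header fields only."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def spoofed(self, p: Packet) -> bool:
        return p.direction == "in" and any(ipaddress.ip_address(p.src) in n for n in RFC1918)

    def decide(self, p: Packet) -> str:
        if self.spoofed(p):
            return "drop:spoofed-source"
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "drop:default-deny"


class StatefulFilter(StatelessFilter):
    """Second generation: connection state is itself one of the criteria."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.state: Set[Tuple] = set()

    @staticmethod
    def key(p: Packet) -> Tuple:
        # one identity for both directions of the same connection
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def decide(self, p: Packet) -> str:
        if self.spoofed(p):
            return "drop:spoofed-source"
        if self.key(p) in self.state:
            return "accept:established"     # fast path: no rule lookup needed
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "drop:invalid-state"     # claims a connection we never saw
        verdict = super().decide(p)
        if verdict == "accept":
            self.state.add(self.key(p))     # remember the new connection
        return verdict


# Constructed policy: LAN clients may browse the web; nothing unsolicited comes in.
POLICY = [Rule("accept", direction="out", proto="tcp", dport=80)]


def demo(stateful: bool) -> List[str]:
    """Run a constructed packet sequence through either filter and return the verdicts."""
    fw = StatefulFilter(POLICY) if stateful else StatelessFilter(POLICY)
    flow = [
        Packet("out", "tcp", "192.168.1.10", 40000, "203.0.113.5", 80, syn=True),            # client SYN
        Packet("in", "tcp", "203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True),  # server SYN/ACK
        Packet("in", "tcp", "198.51.100.7", 5555, "192.168.1.10", 80, syn=True),            # unsolicited SYN
        Packet("in", "tcp", "198.51.100.7", 5555, "192.168.1.10", 40000, ack=True),         # stray ACK
        Packet("in", "tcp", "10.0.0.9", 5555, "192.168.1.10", 40000, ack=True),             # private source from outside
    ]
    return [fw.decide(p) for p in flow]
```

The stateless run drops the server's SYN/ACK because no static rule admits it, which is exactly the gap a stateful filter closes without opening inbound port-based holes.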
[Figure: firewall zones. RED: directly connected to the untrusted Internet; ORANGE: the DMZ zone for Internet servers; GREEN: the internal protected LAN; BLUE: the internal protected wireless LAN.]
9.2.Virus Prevention Tips & Tricks
Antivirus software is only one component of a good security posture. Understand risky behaviors and adopt good habits that will minimize your risk of infection.
9.2.1.Securing Outlook and Outlook Express
Securing your mail client is just one of the steps necessary to help prevent email worms and viruses. If you have not already done so, visit the Email Help Center for tips on spotting malicious attachments and the do's and don'ts of email security. Also see Why Plain is better to understand the risks of HTML-rendered email. The steps below apply to Outlook versions 2002, 2003, and 2007 and Outlook Express v6.0 and above. If you use an older version, you may need to update your mail client in order to take advantage of these important security features.
To configure Outlook Express to send and receive email in plain text only:
1. In Outlook Express, click Tools | Options
2. Select the Read tab and then select 'Read all messages in plain text'
3. Click the Send tab. Under 'Mail Sending Format' select "Plain text"
4. Click "Apply" then click "OK" to exit the menu.
To read messages in plain text in Microsoft Outlook 2003:
1. Open Outlook 2003 and click Tools | Options
2. Select Preferences | Email Options
3. Select "Read all standard mail in plain text"
4. Click OK to close the dialog box. Click OK again to close the menu.
To read messages in plain text in Microsoft Outlook 2007:
1. Open Outlook 2007 and click Tools | Trust Center
2. Select E-mail Security
3. Select "Read all standard mail in plain text"
4. Click OK to accept the change and close the menu.
Outlook 2002 email can also be read in plain text, but this requires a registry edit. Microsoft has a Knowledge Base article that describes the necessary steps. For details, see: Plain text email in Outlook 2002
To make Outlook/Outlook Express more secure:
Disable all ActiveX and Java in the Restricted Sites zone. Do this from Internet Explorer by selecting the following menu items: Tools | Internet Options | Security | Restricted Sites | Custom Level. Note: Just setting the restrictions to High will not work. You must choose Custom Level and scroll through the list, disabling all options for scripting of Java or ActiveX. If you are unable to follow this step, it may be a good idea to ask an experienced friend for assistance.
After making the necessary modifications to Restricted Zones, you will need to add Outlook or Outlook Express to this Zone.
Open Outlook Express or Outlook, choose Tools | Options | Security and select the Restricted Zone.
Make sure you have all applicable critical patches and updates applied to your system. Visit the Windows Update site, choose Product Updates, and install any marked as "Critical". You should check for updates monthly.
9.2.2.Securing Internet Explorer
Annoyed by pop-ups? Worried about "drive-by downloads" and spyware? Has your Internet Explorer start page been taken hostage by an unwelcome site? Relax. Internet Explorer has a built-in mechanism for controlling the Internet nasties that threaten to ruin your browsing experience. Best of all, it's free - all that's required is a little bit of elbow grease. To begin, ensure you have the latest version of Internet Explorer and that all necessary patches and updates have been applied. To obtain the latest version and required updates, visit the Windows Update Center. To access the Security Zones, open Internet Explorer, choose Tools from the menu, select Internet Options, and click the Security tab.
Security Zones
Internet Explorer provides 4 distinct security zones, each of which can be configured independently to provide custom protection for safer and more pleasant Internet browsing.
Internet zone - The Internet zone is the default zone for all sites not listed in other zones.
Local Intranet - Typically for local files or those coming from local networks.
Trusted Sites zone - Use the Trusted Sites zone for sites you visit frequently which require the ability to download files, play Flash animations, or employ active scripting.
9.2.3.Beware of Online Scams
The Internet makes it easier to accomplish many things - banking, research, travel, and shopping are all at our virtual fingertips. And just as the Internet makes it easier for legitimate pursuits, it also makes it easier for scammers, con artists, and other online miscreants to carry out their virtual crimes - impacting our real life finances, security, and peace of mind. These Internet scams are constantly evolving - here are the most common today.
Phishing scams
Phishing emails try to trick the intended victim into visiting a fraudulent website disguised to look like a valid E-Commerce or banking site. The victim thinks they are logging into their real account, but instead everything they enter on the fake site is being sent to the scammers. Armed with this information, the scammer can wipe out the victim's accounts, run up their credit cards, or even steal their identity.
9.2.4.Computer Safety Tips
Achieving good computer security can seem like a daunting task. Fortunately, following the few simple steps outlined below can provide a good measure of security in very little time.
Use antivirus software and keep it updated. You should check for new definition updates daily. Most antivirus software can be configured to do this automatically.
Install security patches. Vulnerabilities in software are constantly being discovered and they don't discriminate by vendor or platform. It's not simply a matter of updating Windows; at least monthly, check for and apply updates for all software you use.
9.2.5.Protecting the HOSTS file
The HOSTS file is the virtual equivalent of the phone company's directory assistance. Where directory assistance matches a person's name to a phone number, the HOSTS file maps domain names to IP addresses. Entries in the HOSTS file override DNS entries maintained by the ISP. By default 'localhost' (i.e. the local computer) is mapped to 127.0.0.1, known as the loopback address. Any other entries pointing to this 127.0.0.1 loopback address will result in a 'page not found' error. Conversely, entries can cause a domain address to be redirected to a completely different site, by pointing to an IP address that belongs to a different domain. For example, if an entry for google.com pointed to an IP address belonging to yahoo.com, any attempt to access www.google.com would result in a redirect to www.yahoo.com. Malware authors are increasingly using the HOSTS file to block access to antivirus and security websites. Adware may also impact the HOSTS file, redirecting access to gain affiliate page view credit or to point to a booby-trapped website that downloads further hostile code. Fortunately, there are steps you can take to prevent unwanted modifications to the HOSTS file. Spybot Search & Destroy includes several free utilities that will not only block changes to the HOSTS file, but can protect the Registry from unauthorized changes, enumerate startup items for quick analysis, and block known bad or alert on unknown ActiveX controls.
9.2.6.Tips for IM safety
Instant Messenger worms are becoming increasingly more sophisticated - and more prevalent. To avoid infection, treat IM as suspiciously as you should be treating email. These tips will help you avoid infection:
Don't be click-happy
Don't click any link received in IM unless you've first confirmed that the sender intended it. This includes links contained in 'away' messages - these 'away' messages are frequent targets of IM worms.
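Returning to the HOSTS file section above: the following added Python checker (written for this edit, not from the original text or from Spybot) parses HOSTS syntax and reports names sunk to the loopback address or redirected to some other host; the sample file and the watched-domain list are constructed for the demonstration.

```python
"""Audit a HOSTS file for the two kinds of tampering described in the text:
entries that block a site by pointing it at loopback (or 0.0.0.0), and
entries that redirect a watched site to a foreign address."""
import ipaddress
from typing import Dict, List, Tuple

# Names that legitimately map to loopback on most systems.
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain"}

# Constructed list of security-vendor / banking style names a defender watches.
WATCHED_DOMAINS = {"update.example-av.test", "www.example-security.test", "www.example-bank.test"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; one line may list several names."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, ignore
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                          # first field is not an address, ignore
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify entries as 'blocked' (sunk to loopback/unspecified), 'redirected'
    (watched name sent to another address) or 'other' (remaining overrides)."""
    findings: Dict[str, List[str]] = {"blocked": [], "redirected": [], "other": []}
    for addr, name in parse_hosts(text):
        if name in EXPECTED_LOOPBACK:
            continue                          # the normal localhost lines
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            findings["blocked"].append(name)  # resolves nowhere: 'page not found'
        elif name in WATCHED_DOMAINS:
            findings["redirected"].append(f"{name} -> {addr}")
        else:
            findings["other"].append(f"{name} -> {addr}")
    return findings


# Constructed HOSTS content: the default entries plus tampered lines (not a real file).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test      www.example-security.test
0.0.0.0         downloads.example-av.test
198.51.100.23   www.example-bank.test   # constructed redirect to a foreign address
10.0.0.5        intranet.example.test   # a plausible local override
garbage line without address
"""


def run_demo() -> Dict[str, List[str]]:
    return audit_hosts(SAMPLE_HOSTS)


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(kind, items)
```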
Beware IMs bearing attachments
Don't open any attachment received unexpectedly - verify that the sender intended it. Make sure you enable file extension viewing so you're not fooled by the infamous double-extension ruse. Before opening any attachment, scan it first using up-to-date antivirus software. (The Kaspersky online scanner is superb for quickly checking single files less than 1MB.)
More is *not* merrier
Keep the number of IM clients to a minimum. IM worms target specific clients, though multiple clients might be targeted. For example, the 2002 FloodNet IM worm sent its infectious message to both AIM and MSN Instant Messenger users. Thus, the more IM clients used or supported, the more likely you are to be victimized by an IM worm.
What to do if infection strikes
If you do get hit by an IM worm, remember that all of your contacts are now vulnerable. To avoid sending the infection to others, disconnect from the Internet until you are able to completely remove the infection. If you need Internet access to obtain antivirus software or updates, ask a friend to use their computer and burn the files to CD. If this is not an option, uninstall the IM client until after you've properly cleaned the infection. Of course, always keeping your antivirus software up-to-date will avoid this last minute scramble for protection.
9.2.7.Read E-Mail in Plain Text Only
Colored fonts, embedded images, and stylized text are just a few of the reasons that HTML-rendered email has become popular with many folks. Sure, it makes email attractive and - in some cases - easier to read. But there are drawbacks to the glitz and glamour of HTML-rendered email. From a security standpoint, plain text email is better. Reading email in plain text offers important security benefits that more than offset the loss of pretty colored fonts.
Squash the bugs
HTML-rendered email can be virtually wiretapped through the use of invisible images, specially formed links, and other techniques that allow email to be tracked. For example, unique serial numbers are often assigned to invisible images stored on a remote server. Each time the email is read, those images are accessed, providing a record of whether the email was opened. Commercial companies peddle software to track email, providing a means for the sender to know whether an email was read, when it was read, and even to follow its tracks if it is forwarded to others. Spammers use web bugs to determine whether an email address is valid, or whether the recipient has a tendency to open spam, setting those users up for even more unwanted email in the future. Plain text email does not support embedded images. Plain text email squashes web bugs.

A not so helpful hand
Active content can be used in HTML-rendered email to cause email attachments to open automatically, or files to be downloaded to the system. In order to bypass content filters that prohibited EXE files in email, the Winevar virus contained active content in its email that first modified the System Registry to specify .CEO files as executable, and then automatically opened the attached - and infected - .CEO file it had smuggled past the scanners. Plain text email does not support active content. Plain text email prevents email attachments from opening automatically.

A spammer's delight
HTML-rendered email allows miscreant marketers and criminals to obfuscate links, making them appear to point somewhere other than where the user expects. These techniques are common in phishing scams, which often use scare tactics to entice a user to click a link allegedly leading to their bank or a well-known E-Commerce site. Instead, the link takes the user to a website controlled by the scammer. It may look and feel like the website the user expected, but it's not. And behind the scenes, the user's login details and personal financial information are quietly being recorded for the criminal's later use.
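As an added example (not part of the original text), the following Python parser detects the two HTML-only tricks described above, invisible tracking images (web bugs) and links whose displayed URL names a different host than the real href, which is exactly what reading in plain text takes away from a sender. The sample message, its hosts and the tracker URL are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body for this example.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account at
<a href="http://198.51.100.7/login">https://www.mybank.example/login</a>.</p>
<img src="http://tracker.example/open?id=7f3a9c" width="1" height="1">
<img src="https://www.mybank.example/logo.png" width="200" height="60">
"""

class EmailAuditor(HTMLParser):
    """Finds two HTML-only tricks plain-text reading removes: links whose
    visible text names another host than the href, and tiny tracking images."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None  # href of the <a> currently open, if any
        self._text = []    # visible text collected inside it

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            try:  # 1x1 (or smaller) images are invisible but still fetched
                w, h = int(a.get("width", 0)), int(a.get("height", 0))
            except (TypeError, ValueError):
                return
            if 0 < w <= 1 and 0 < h <= 1:
                self.findings.append(("web_bug", a["src"]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            # Flag only text that is itself a URL whose host differs from the href's
            shown_host = urlparse(shown).hostname if "://" in shown else None
            if shown_host and shown_host != urlparse(self._href).hostname:
                self.findings.append(("deceptive_link", shown, self._href))
            self._href = None

def audit_html_email(body):
    p = EmailAuditor()
    p.feed(body); p.close()
    return p.findings  # list of ("web_bug", src) / ("deceptive_link", shown, href)
```

Images without explicit width and height attributes (sized by CSS instead) are not caught by this check, which is one more reason the plain-text setting is the more reliable defence.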
Plain text email provides a true WYSIWYG (What You See Is What You Get) experience. In plain text email, there are no hidden commands - the link displayed is the actual link.

9.2.8. Patch All the Software You Use

The Bottom Line
Chances are, there are dozens of security vulnerabilities waiting to be exploited on your system. And it's not just broken Windows you need to be concerned with. Adobe Flash, Acrobat Reader, Apple QuickTime, Sun Java and a bevy of other third-party apps may host security vulnerabilities waiting to be exploited. Secunia Software Inspector can make the discovery process a bit easier by providing a free online scanner to alert you to vulnerable software.

Pros
• Scans for a wide range of software vulnerabilities
• Provides step-by-step instructions for applying patches
• Intuitive interface is easy to use
• Links to detailed information for research
• Simplifies the patching process
• Provides version numbers of detected software and the version number needed, if applicable
• Step-by-step instructions and links make getting patched a nearly pain-free process
• Easy, fast, intuitive to use, and free
Guide Review - Secunia Software Inspector
In a perfect world, we would never have to patch our systems. But it's not a perfect world, and security vulnerabilities affect a wide range of products. Not all these third-party add-ons provide automatic updates, and even those that do may not deliver the right update for the problem. And changes to the Microsoft update site make securing Windows a bit more difficult than it used to be.

Secunia Software Inspector provides a free online scan that reports the patch status of all supported applications on your system. It's a pretty long list of supported apps as well, including various versions of Adobe Reader, Flash, Firefox, QuickTime, AIM, iTunes, MSN Messenger, Windows, Thunderbird, Opera, RealPlayer, Skype, WinAmp, Yahoo Messenger, WinZip and ZoneAlarm. Just click Start, let the scan run, and within moments Secunia Software Inspector provides a complete report of all that's wrong - or even right - with your system. A green checkmark beside a product name means that product is up-to-date. A red X means the product needs updating. And Secunia makes it doubly easy to update - providing links to the updates, step-by-step instructions, and details about the vulnerability. Secunia Software Inspector is free, fast, and so intuitive to use there's simply no excuse for not keeping patches up to date.