Saturday, March 27, 2010

Simple Way To Protect Against Malicious Programs

Ok, let's start with some definitions. All you need is to read carefully, and feel free to contact me for any assistance. In the last few days I have received a lot of inquiries concerning viruses, worms, bacteria, etc., so I noticed that many people are confused about some of these terms. Let's see.

Viruses

A computer virus is a program or script that can copy itself and infect a computer without the permission or knowledge of the user. The name "virus" is also commonly (and loosely) used to refer to many other kinds of malware and adware. The original virus may modify the copies, or the copies may modify themselves. A virus can only spread from one computer to another when its host is carried to the uninfected computer, for instance by a user sending it over a network or the Internet, or on a removable medium such as a floppy disk, CD or USB drive. Viruses can also spread to other computers by infecting files on a shared network file system.

Recent viruses also take advantage of network services such as the World Wide Web, e-mail, instant messaging and file-sharing systems to spread.

Virus Phases:

The life of a virus can be divided into four phases, as listed below:

Dormant Phase: The virus is idle, waiting for a trigger such as a date, the presence of another program, or the disk filling up.
Propagation Phase: The virus places a copy of itself into other programs or into system areas of the disk.
Triggering Phase: The virus is activated to perform the function for which it was intended.
Execution Phase: The function (the payload) is performed.

Types of Viruses:

Parasitic Viruses

A parasitic (file-infecting) virus attaches itself to an executable file in order to propagate. It generally keeps most of the file intact and adds itself to the start or end of the file, patching the program's entry point so that the virus code runs first and then hands control back to the original program. DOS COM files are the easiest to infect, because they are loaded into memory as a raw image and execution always starts at the first instruction; EXE files carry a header whose entry-point field the virus rewrites to point at the appended code.



Memory-resident Viruses

A memory-resident virus stays in memory after it executes and after its host program has terminated. In contrast, a non-resident virus is active only while an infected application runs.

Resident viruses contain a replication module similar to the one employed by non-resident viruses. However, this module is not called by a finder module that searches the disk for victims. Instead, the virus loads the replication module into memory when it is executed and hooks it so that it runs each time the operating system is asked to perform a certain operation. For example, the replication module can be called each time the operating system executes a file; in this case the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into fast infectors and slow infectors. Fast infectors are designed to infect as many files as possible; for instance, a fast infector can infect every potential host file that is merely opened. This poses a special problem for anti-virus software, since a virus scanner opens every potential host file on the computer when it performs a system-wide scan. If the scanner fails to notice that such a virus is already present in memory, the virus can ride on the scanner and infect every file that is scanned, which is why scanners check memory first, or are run from clean boot media. Fast infectors rely on their high infection rate to spread. The disadvantage of this method is that infecting many files makes detection more likely, because the virus may slow the computer down or perform many suspicious actions that behaviour-based anti-virus software can notice. Slow infectors, on the other hand, are designed to infect hosts infrequently; for instance, some slow infectors only infect files when they are copied or written, so the change is less likely to be flagged by an integrity checker. Slow infectors avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will at most infrequently trigger anti-virus software that watches for suspicious behaviour by programs.

Boot Sector Viruses

A boot sector virus infects the boot sector of hard disks and floppy disks, and in theory other bootable media such as CDs and DVDs.

A boot sector virus replaces (or wraps) the code in either the DOS boot sector of a partition or the Master Boot Record (MBR). The MBR is a small program that runs every time the computer starts up; it controls the boot sequence and determines which partition the computer boots from. The MBR resides in the first sector of the hard disk, alongside the partition table.

Since the MBR executes every time the computer is started, before any operating system or anti-virus software has been loaded, a boot sector virus is extremely dangerous. Once the boot code on the drive is infected, the virus is loaded into memory on every startup, and from memory it can spread to every disk the system reads.

Some BIOS (CMOS) setup programs can be configured to warn on, or block, writes to the boot sector of the hard drive. This is of some use against boot sector viruses. However, if you need to reinstall or upgrade the operating system, or install a boot manager, you will have to change the setting back to make the MBR writable again. Note also that this protection only intercepts writes made through the BIOS disk services, so it does not stop a protected-mode driver that talks to the disk directly.

Stealth Viruses

A stealth virus is a file or boot sector virus that uses special techniques to hide its presence from users and virus scanners. It achieves this by intercepting read requests for the infected file (or sector) and returning the contents of the original, uninfected version. Once the computer has been infected, the virus can also fake the figures the system reports, so that it appears that no memory has been lost and that file sizes have not changed.

When an anti-virus program tries to detect the virus while it is resident, the stealth virus feeds the scanner a clean image of the file or boot sector. Scanning from a clean boot disk, with the virus not in memory, defeats this trick.

Polymorphic Viruses

A polymorphic virus changes its appearance, and therefore its signature, each time it replicates and infects a new file, in order to evade signature-based anti-virus programs; typically the virus body is encrypted with a different key each time and only a small, mutating decryptor runs in the clear. But what is a virus signature? A virus signature is like a fingerprint: it is a pattern that can be used to detect and identify a specific virus. It may be a static hash, a numerical value calculated over a snippet of code unique to the virus, a byte pattern with wildcards, or it may be behaviour-based. Anti-virus software uses the virus signature to scan for the presence of malicious code.

Bacteria

Bacteria (also called rabbits) are programs that do not explicitly damage any files. Their only purpose is to replicate themselves. Because each copy spawns further copies, bacteria reproduce exponentially, eventually consuming all of the processor capacity, memory or disk space; the fork bomb is the modern example.

Worms

A computer worm is a self-replicating program. It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention, typically by exploiting a vulnerability in a network service. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Many worms arrive as e-mail attachments, or as hidden additions to actual e-mail messages, that trigger the execution of the infectious code. In addition to e-mail, worms can also infect computers via web sites, file-sharing systems, instant messages and more. Therefore, any computer connected to the Internet runs the risk of being infected by a worm.

Once installed on a computer, worms spontaneously generate additional e-mail messages containing copies of the worm, or scan for other reachable hosts. They may also open TCP ports, leaving a back door through which other programs or attackers can reach the machine.

Trojan horse

The phrase is derived from the classical story of the Trojan horse. In computer security a Trojan is a program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function alongside (or instead of) the function the user expected. Trojan horse programs can be used to accomplish indirectly what an unauthorized user could not accomplish directly. For example, to gain access to another user's files on a shared system, an attacker could create a useful-looking program that, when executed by the victim, changes the victim's file permissions so that the files are readable by any user.

A Trojan horse is almost always designed to cause harm, but it can also be harmless. Trojans are classified by how they violate and damage systems. The six main areas where Trojan horses are used:

· Remote access
· Data destruction
· Downloader
· Servers (proxy, FTP, IRC, e-mail, HTTP/HTTPS, etc.)
· Security settings disabler
· Denial-of-service attack (DoS)


Logic Bomb

A logic bomb is a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met (a particular date or time, the absence of a certain file, or a particular user no longer existing on the system). For example, a programmer may hide a piece of code that starts deleting important files once his own account has been removed.

One use of a logic bomb is to enforce payment for software: if payment is not made by a certain date, the logic bomb activates and the software deletes itself. A more malicious form of that logic bomb would also delete other data on the system.

Trap Door

A trap door (back door) is an undocumented entry point written into code, often originally for debugging or testing, that allows a user to access the system without going through the normal authentication and access-control checks.

A trap door can be hardware- or software-based, and it is always hidden, acting as a secret entrance to a computer system that can be used to bypass the system's security policies.

Dear reader, now it is time to learn how to simply distinguish between the malicious programs mentioned above. Someone may ask why one needs to distinguish between such programs. In order to protect your system you first need to know what you are protecting it against, because each kind of malicious program requires its own defensive technique.

Let's be more practical and learn how malicious programs can affect our files. We will mainly talk about the Windows operating system.

The Windows operating system recognizes file types and associates them with programs based on their file extension. That means Windows recognizes filename.htm as being associated with Internet Explorer (or whichever browser is the default). Thus, when a user opens a file with the .htm extension, Windows first starts Internet Explorer, which then handles opening the file. When Windows is first installed, certain file type associations are assigned automatically; for example, the default handler for .TXT files is Notepad.

When new programs are installed, they often add new file types associated with that program, or even change existing associations so that the new program handles them. Consider Windows Media Player (WMP), the default handler for .MP3 files: if a similar program is installed, it will usually prompt during installation to change the default handler from WMP to itself (since both applications can open the same data files). If allowed, .MP3 files (and any others it re-registers) will from then on be opened by the newly installed program instead of WMP.

Malicious programs exploit files and their associations in the same way: a virus can change the handler for an extension or redirect it to another, hidden program, and malware is often given a double extension such as readme.txt.vbs so that, with extensions hidden, it appears in Explorer as a harmless text file. It is important that file extension viewing is enabled and that you are aware of which extensions are associated with which programs. Before proceeding further, ensure file extension viewing is enabled on your system (in Windows Explorer: Tools, Folder Options, View tab, untick "Hide extensions for known file types").

Most common malicious scripts are not compiled programs at all; they are plain text that is interpreted when they run. When you have a file with the .vbs extension (written in VBScript, a scripting language), it is executed by wscript.exe, the Windows Script Host, which is its associated program.

The purpose of this program is to let developers write their own instructions in Notepad or any free editor and save them with the .vbs extension (or another script format). When you double-click such a file, the associated program, normally the Windows-based script host (wscript.exe), carries out whatever the script tells it to do, with the full rights of the logged-on user. If the code was written by a hacker or cracker, that task may harm your computer.

The question is: do we really need wscript.exe? This depends on several things: whether you are the only user of the computer, whether you or someone who shares the computer with you is interested in code development, and how many of the programs installed on your system rely on script files (some setup and administration tools use Windows Script Host).

If you are not sure of your answer, don't worry. There is an easy way to stop unwanted scripts from running without removing wscript.exe: we simply change the association of files with the .vbs extension so that they are opened by an unrelated program, for example Notepad, which displays the script's text instead of executing it.

Let's start step by step. First, in Windows Explorer select Tools.

Second, from the Tools menu select Folder Options, then click the File Types tab and scroll until you find the extension you want. Here we need to mention that it is dangerous to change the file association of an extension at random unless you know what you are doing; otherwise you can cause serious problems for your operating system, up to the point where it no longer starts. So please be careful while choosing your file extension.

Third, press the Change button, and from the Open With window choose Notepad.

Make sure that the option "Always use the selected program to open this kind of file" is ticked, then press OK, and Close.

By this point you know how to stop Windows from executing script files, based on their extension, without deleting wscript.exe. To re-enable script execution for an extension, repeat the procedure and select wscript instead of Notepad, or simply press the Restore button. Two caveats. First, the association only governs what happens when a file is opened through the shell (double-click, or from the Run box): a script started explicitly as wscript.exe evil.vbs or cscript.exe evil.vbs, or launched by another program, still runs. Second, .vbs is not the only extension handled by Windows Script Host; .vbe, .js, .jse, .wsf and .wsh should be treated the same way, and .hta files (HTML Applications, run by mshta.exe) deserve the same caution.
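The same checks and changes, scripted, as an added example that is not part of the original post: it verifies the "hide extensions" setting discussed earlier, lists the current double-click handlers for the Windows Script Host extensions, re-points them to Notepad, and restores them. It edits HKEY_CLASSES_ROOT, so it changes the machine-wide default rather than the per-user choice the Folder Options dialog records, and it needs an elevated prompt. The list of extensions and the default wscript.exe command line are taken from a standard Windows install and are assumptions for other configurations.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell.
# Extensions handled by wscript.exe/cscript.exe (assumed complete for a standard install).
$ScriptExts = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'

$ExplorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-ExtensionsVisible {
    # HideFileExt = 1 makes Explorer show "readme.txt" for "readme.txt.vbs".
    $value = (Get-ItemProperty -Path $ExplorerAdvanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($value -eq 0)
}

function Show-Extensions {
    Set-ItemProperty -Path $ExplorerAdvanced -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value at start-up; restart Explorer or log off for it to take effect.
}

function Get-ScriptHandler {
    param([string]$Extension)
    # HKCR\.vbs -> ProgId (VBSFile); HKCR\VBSFile\shell\open\command -> what double-click runs.
    $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $command }
}

function Set-ScriptHandler {
    param([string]$Extension, [string]$Command)
    $progId = (Get-ScriptHandler -Extension $Extension).ProgId
    if (-not $progId) { throw "No file type is registered for $Extension" }
    Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
        -Name '(default)' -Value $Command -Type ExpandString
}

function Disable-ScriptExecution {
    # Notepad just displays the script text; nothing is interpreted.
    foreach ($ext in $ScriptExts) {
        Set-ScriptHandler -Extension $ext -Command '"%SystemRoot%\system32\notepad.exe" "%1"'
    }
}

function Restore-ScriptExecution {
    # The command line Windows installs by default for the WSH file types.
    foreach ($ext in $ScriptExts) {
        Set-ScriptHandler -Extension $ext -Command '"%SystemRoot%\System32\WScript.exe" "%1" %*'
    }
}

function Disable-WindowsScriptHost {
    # Machine-wide kill switch: wscript.exe and cscript.exe refuse every script,
    # however it was launched. Use this when nothing on the machine needs WSH.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
}

# Usage:
if (-not (Test-ExtensionsVisible)) { Write-Warning 'Extensions are hidden; run Show-Extensions.' }
$ScriptExts | ForEach-Object { Get-ScriptHandler -Extension $_ } | Format-Table -AutoSize
# Disable-ScriptExecution       # double-clicking evil.vbs now opens it in Notepad
# Restore-ScriptExecution       # undo
```

The handler table printed by Get-ScriptHandler is the thing to check after installing any new software, since installers are free to re-register these types. Disable-ScriptExecution is the scripted form of the Folder Options procedure and carries the same limitation, so Disable-WindowsScriptHost is included for the case where the whole host can go.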

Besides scripts, some large packages include their own built-in programming languages, and in that case malicious code can be written as macros. Before going further, let's agree on the term: a macro is an instruction that carries out a list of program commands automatically. Some applications (word processors, spreadsheets, presentation programs and more) allow macro programs to be embedded in documents so that the macros run automatically when the document is opened, which provides a convenient way for malicious programs to spread.

When a document with embedded macro code is opened, a copy of the macro can install itself in the application's global template (Normal.dot or Normal.dotm in Word, for instance), after which any document on the same computer that uses the same application can become infected. If a copy of an infected file is passed to anyone else by e-mail or removable media, the malicious program spreads to the recipient's computer. The infection ends only when the malicious program is detected and disabled or removed. The main difficulty is that many popular modern applications allow macros, and macro code can be written with very little specialist knowledge.

One defence is to sign your own macros and tell the application to run only signed ones. You can create your own certificate (a certificate is a unique identity, much like a fingerprint) and use it to sign the macros in specific documents. Microsoft Office supports this: run Selfcert.exe from My Computer or Windows Explorer (it is listed under Microsoft Office Tools as "Digital Certificate for VBA Projects"). In the Your name box, type the name you want associated with the certificate and click OK; Selfcert.exe then creates and installs a self-signed certificate that you can use to sign VBA projects on the current computer. More settings are required before the system trusts your certificate, and this is done with certmgr.msc: from the Start menu choose Run, type certmgr.msc, and copy (do not move; the Personal store keeps the private key you sign with) your certificate from Personal into Trusted Root Certification Authorities and into Trusted Publishers. Because the certificate is self-signed, it is trusted only on computers where you have installed it this way.

Don't forget to sign your existing documents with the new certificate: press Alt+F11 to open the Visual Basic editor for the document, choose Tools from the menu bar, then Digital Signature, and in the window that opens select your certificate. One certificate can be used for many documents. Signing by itself stops nothing: the protection comes from then setting the application's macro security (in Office 2007 and later: Trust Center, Macro Settings) to "Disable all macros except digitally signed macros", so that an unsigned macro arriving in someone else's document is never run.
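A check for the second half of that procedure, as an added example that is not part of the original post: it reports, for each Office version and application found in the current user's registry, whether unsigned macros are blocked, and lists the certificates in the user's Trusted Publishers store (where the SelfCert certificate must be copied). The VBAWarnings value and its meanings are those of the Office 2007 and later Trust Center; the version numbers, the fallback default of 2, and the policy-overrides-user ordering are assumptions documented in the comments. Office 2003 uses a different value (Level) and is not covered.

```powershell
# Added example, not code from the original post.
$OfficeVersions = '12.0', '14.0', '15.0', '16.0'     # Office 2007, 2010, 2013, 2016/365 (assumed list)
$OfficeApps     = 'Word', 'Excel', 'PowerPoint'

# Meaning of VBAWarnings in the Office 2007+ Trust Center.
$VbaWarningText = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSecurity {
    foreach ($ver in $OfficeVersions) {
        foreach ($app in $OfficeApps) {
            # A value under Policies (set by Group Policy) overrides the user's own setting.
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $userKey   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path $userKey) -and -not (Test-Path $policyKey)) { continue }   # app/version not present

            $level  = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            $source = 'Policy'
            if ($null -eq $level) {
                $level  = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
                $source = 'User'
            }
            if ($null -eq $level) { $level = 2; $source = 'Default' }   # assumption: absent value = Office default (2)

            [pscustomobject]@{
                Version         = $ver
                Application     = $app
                VBAWarnings     = $level
                Meaning         = $VbaWarningText[[int]$level]
                Source          = $source
                UnsignedBlocked = ([int]$level -ge 3)
            }
        }
    }
}

function Set-SignedMacrosOnly {
    param([string]$Version, [string]$Application)
    # Equivalent of "Disable all macros except digitally signed macros" in the Trust Center.
    $key = "HKCU:\Software\Microsoft\Office\$Version\$Application\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 3 -Type DWord
}

function Get-TrustedMacroPublishers {
    # Certificates this user accepts as macro signers. The SelfCert certificate must be
    # copied here (and into Trusted Root) before "signed only" will run your own macros.
    Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher |
        Select-Object Subject, Thumbprint, NotAfter
}

# Usage:
Get-MacroSecurity | Format-Table -AutoSize
Get-TrustedMacroPublishers | Format-Table -AutoSize
# Get-MacroSecurity | Where-Object { -not $_.UnsignedBlocked } |
#     ForEach-Object { Set-SignedMacrosOnly -Version $_.Version -Application $_.Application }
```

A row with UnsignedBlocked set to False means a macro document from anyone else will still be offered to the user (level 2) or run outright (level 1); the Source column tells you whether changing it locally will stick or be overridden by policy at the next refresh.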

Malicious Code Execution Prevention

Another technique you can use to prevent malicious code from being executed out of data memory is the well-known security feature Data Execution Prevention (DEP). DEP is a set of hardware and software technologies that perform additional checks on memory to stop malicious code from running on a system. It is available in Microsoft Windows XP Service Pack 2 (SP2), Windows XP Tablet PC Edition 2005 and Windows Vista (it is also included in Windows Server 2003 and 2008, but this article covers only the operating systems for personal computers). DEP comes in a hardware-enforced and a software-enforced form. You need to be aware of the capabilities of your processor in the case of hardware-enforced DEP (some older processors do not support it), and of the compatibility of your applications and services in the case of software-enforced DEP.

Hardware-enforced DEP

Hardware-enforced DEP marks every memory page in a process as non-executable unless the page explicitly contains executable code, using the no-execute bit (AMD NX, Intel XD) in the page tables. When a malicious program tries to run code it has placed in a non-executable region, typically the stack or the heap after a buffer overflow, the processor raises an access violation and Windows terminates the process, stopping the attack immediately. It requires a processor that supports the feature; on 32-bit Windows XP SP2 the system switches to the PAE kernel automatically to obtain the NX bit. Note the limit of this protection: DEP stops injected code from running, but an attacker who reuses code that is already executable (return-to-libc or return-oriented programming) is not stopped by DEP alone, which is why Windows Vista pairs it with address space layout randomization (ASLR).

Software-enforced DEP

With software-enforced DEP, additional checks are made to block malicious code that takes advantage of the exception-handling mechanism in Windows: before an exception handler is called, Windows verifies that it is one of the handlers registered in the image's safe-handler table (SafeSEH), which defeats the common trick of overwriting a handler pointer on the stack. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, on client versions of Windows, DEP in either form protects only limited system binaries (the OptIn policy), regardless of the hardware-enforced DEP capabilities of the processor; you can extend it to all programs from System Properties, Advanced, Performance Settings, Data Execution Prevention tab.
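A way to see which of these you actually have, as an added example that is not part of the original post: it reads the DEP properties of the Win32_OperatingSystem WMI class (present from Windows XP SP2 onwards) and wraps the bcdedit command that changes the policy on Vista and later. The mapping of the SupportPolicy numbers to names follows the documented WMI values; Set-DepPolicy assumes a Vista-or-later BCD store and is not applicable to XP, which keeps the setting as a /noexecute switch in boot.ini.

```powershell
# Added example, not code from the original post. Set-DepPolicy needs an elevated prompt.

# Documented values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy.
$DepPolicyText = @{
    0 = 'AlwaysOff: DEP disabled for every process'
    1 = 'AlwaysOn: DEP enforced for all processes, no exceptions'
    2 = 'OptIn: only Windows system binaries are protected (client default)'
    3 = 'OptOut: all programs protected except those on an exception list (server default)'
}

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available      # CPU has NX/XD and Windows is using it
        Policy               = $os.DataExecutionPrevention_SupportPolicy
        PolicyMeaning        = $DepPolicyText[[int]$os.DataExecutionPrevention_SupportPolicy]
        Applies32BitApps     = $os.DataExecutionPrevention_32BitApplications
        AppliesDrivers       = $os.DataExecutionPrevention_Drivers
    }
}

function Test-DepProtectsEverything {
    # True only when hardware DEP is active and no application can opt out (AlwaysOn).
    $s = Get-DepStatus
    return ([bool]$s.HardwareDepAvailable -and $s.Policy -eq 1)
}

function Set-DepPolicy {
    param([ValidateSet('AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut')][string]$Policy)
    # Vista and later store the setting in the BCD; the braces must be quoted for PowerShell.
    & bcdedit.exe /set '{current}' nx $Policy
    Write-Host "DEP policy set to $Policy; reboot to apply."
}

# Usage:
Get-DepStatus | Format-List
if (-not (Test-DepProtectsEverything)) {
    Write-Warning 'DEP is not enforced for all processes; consider Set-DepPolicy OptOut, or AlwaysOn if every application copes.'
}
```

HardwareDepAvailable False with an NX-capable processor usually means the feature is switched off in the BIOS setup, and no Windows setting will turn it on until that is fixed. OptOut is the practical middle ground: everything is covered, and the rare application that crashes under DEP can be listed as an exception instead of turning the whole feature off.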
