Introduction
Malware are programs or parts of programs that have a malicious ( Mal ) or unpleasant
effect on your computer security. This covers many different terms that you may have heard
before, such as Virus, Worm and Trojan and possibly a few that you haven't like
Rootkit, Logicbomb and Spyware. This lesson will introduce, define and explain each of
these subdivisions of malware, will give you examples, and will explain some of the
countermeasures that can be put into place to restrict the problems caused by malware.
effect on your computer security. This covers many different terms that you may have heard
before, such as Virus, Worm and Trojan and possibly a few that you haven't like
Rootkit, Logicbomb and Spyware. This lesson will introduce, define and explain each of
these subdivisions of malware, will give you examples, and will explain some of the
countermeasures that can be put into place to restrict the problems caused by malware.
Viruses
Viruses or virii are self-replicating pieces of software that attach
themselves to another program, or, in the case of 'macro viruses', to another file. The virus is
only run when the program or the file is run or opened. It is this which differentiates viruses from
worms. If the program or file is not accessed in any way, then the virus will not run and will not
copy itself further. There are a number of types of viruses, although, significantly, the most common form today is
the macro virus, and others, such as the boot sector virus are now only found 'in captivity'.
- Boot Sector Viruses -
The boot sector virus was the first type of virus created. It hides itself in the executable
code at the beginning of bootable disks. This meant that in order to infect a machine, you
needed to boot from an infected floppy disk. A long time ago, ( 15 years or so ) booting
from floppy was a relatively regular occurrence, meaning that such viruses were actually
quite well spread by the time that people figured out what was happening. This virus ( and
all other types ) should leave a signature which subsequent infection attempts detect, so
as not to repeatedly infect the same target. It is this signature that allows other software
( such as Anti-Virus-software ) to detect the infection.
- The Executable File Virus -
The Executable File virus attaches itself to files, such as .exe or .com files. Some viruses
would specifically look for programs which were a part of the operating system, and thus
were most likely to be run each time the computer was turned on, increasing their
chances of successful propagation. There were a few ways of adding a virus to an
executable file, some of which worked better than others. The simplest way ( and the least
subtle ) was to overwrite the first part of the executable file with the virus code. This meant
that the virus executed, but that the program would subsequently crash, leaving it quite
obvious that there was an infection – especially if the file was an important system file.
- The Terminate and Stay Resident (TSR) Virus -
TSR is a term from DOS where an application would load itself into memory, and then
remain there in the background, allowing the computer to run as normal in the
foreground. The more complex of these viruses would intercept system calls that would
expose them and return false results - others would attach themselves to the 'dir'
command, and then infect every application in the directory that was listed – a few even
stopped ( or deleted ) Anti-Virus software installed onto the systems.
- The Polymorphic Virus -
Early viruses were easy enough to detect. They had a certain signature to identify them,
either within themselves as a method to prevent re-infection, or simply that they had a
specific structure which it was possible to detect. Then along came the polymorphic virus.
Poly – meaning multiple and morphic – meaning shape. These viruses change themselves
each time they replicate, rearranging their code, changing encryption and generally
making themselves look totally different. This created a huge problem, as instantly there
were much smaller signatures that remained the same – some of the “better” viruses were
reduced to a detection signature of a few bytes. The problem was increased with the
release of a number of polymorphic kits into the virus writing community which allowed
any virus to be recreated as a polymorph.
- The Macro Virus -
The Macro Virus makes use of the built-in ability of a number of programs to execute
code. Programs such as Word and Excel have limited, but very powerful, versions of the
Visual Basic programming language. This allows for the automation of repetitive tasks, and
the automatic configuration of specific settings. These macro languages are misused to
attach viral code to documents which will automatically copy itself on to other
documents, and propagate. Although Microsoft has turned off the feature by default now
on new installations, it used to be that Outlook would automatically execute certain code
attached to e-mails as soon as they were read. This meant that viruses were propagating
very quickly by sending themselves to all of the e-mail addresses that were stored on the
infected machine.
Worms
A worm is a program that, after it has been started, replicates without any need for
human intervention. It will propagate from host to host, taking advantage of an
unprotected service or services. It will traverse a network without the need for a user to
send an infected file or e-mail. Most of the large incidents in the press recently have been
worms rather than viruses.
Trojans and Spyware
Trojans are pieces of malware which masquerade as something either useful or
desirable in order to get you to run them. At this point they may well do something unpleasant
to your computer such as install a backdoor or rootkit, or - even worse - dial a
premium rate phone number that will cost you money.
Spyware is software that installs itself surreptitiously, often from websites that you might
visit. Once it is installed it will look for information that it considers valuable. This may be usage
statistics regarding your web surfing, or it might be your credit card number. Some pieces of
spyware blow their cover by rather irritatingly popping up advertisements all over your
desktop.
Rootkits and Backdoors
Rootkits and backdoors are pieces of malware that create methods to retain access
to a machine. They could range from the simple ( a program listening on a port ) to the very
complex ( programs which will hide processes in memory, modify log files, and listen to a
port ). Often a backdoor will be as simple as creating an additional user in a password file
which has super-user privileges, in the hope that it will be overlooked. This is because a
backdoor is designed to bypass the system's normal authentication. Both the Sobig and
MyDoom viruses install back doors as part of their payload.
Logicbombs and Timebombs
Logicbombs and Timebombs are programs which have no replication ability and no
ability to create an access method, but are applications or parts of applications that will
cause damage to data should they become active. They can be stand-alone, or part of
worms or viruses. Timebombs are programmed to release their payload at a certain time.
Logicbombs are programmed to release their payload when a certain event occurs.
The idea behind timebombs, however, is also a useful one. Timebomb programming is
used to allow you to download and try a program for a period of time – usually 30 days. At
the end of the trial period, the program ceases to function, unless a registration code is
provided. This is an example of non-malicious timebomb programming.
Conclusion
The information in this thread was received through an E-book I have had on my computer for a while. The E-book is called 'Hacker High school'. If you would like to see what the rest of the E-book has to offer, than feel free to download it below. If you liked this tutorial on malware, than please feel free to let me know below. All comments are appreciated, and I thank you for taking the time to read this!
Link to the E-Book
No comments:
Post a Comment