All-round analysis of malware

xiaoxiao2021-03-06  43

This page covers: what malware is; the main malware categories; the characteristics of malware; malware "payloads"; and malware trigger mechanisms.

What is malware?

This guide uses the term "malware" as a collective noun for viruses, worms, and Trojan horses that deliberately perform malicious tasks on a computer system. So what exactly is a computer virus or worm? How do they differ from Trojan horses? Does an antivirus application work only against worms and Trojan horses, or also against viruses? All of these questions come from the often-confused world of malicious code. The variety of existing malicious code is so wide that it is hard to give a precise definition for each category. For general antivirus discussions, the following simple malware categories are defined:

• Trojan horse. A program that appears useful or harmless but contains hidden code designed to exploit or damage the system on which it runs. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Also known as Trojan code. A Trojan horse delivers its payload or performs its task when it is run.

• Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another across a network. Worms perform harmful actions, such as consuming network or local system resources, which may result in a denial of service. Some worms can execute and propagate without user intervention; others require the user to execute the worm code directly in order to propagate. In addition to replicating, a worm may also deliver a payload.

• Virus. Code whose clear intent is to replicate itself. A virus tries to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host program is executed, the virus code runs as well, infecting new hosts and sometimes delivering an additional payload.

For the purposes of this guide, "payload" is the collective term for the actions malware performs on an infected computer. With the categories defined above, the differences between them can be illustrated in a simple flowchart. The figure below shows the elements used to decide whether a program or script belongs to one of these categories:

Figure 2.1: Malicious code decision tree

With this illustration, each of the common malicious code categories used in this guide can be distinguished. However, it is important to understand that a single attack may introduce code that fits one or more categories. These attacks, called blended threats, combine multiple malware types and multiple attack methods, and can spread very quickly. An attack method is the technique the malware uses to launch its attack. For these reasons, blended threats are particularly difficult to defend against.

The main malware categories: summary

The following sections explain each malware category in more detail, to help identify some of the key elements of each.

Trojan horse

A Trojan horse is not considered a computer virus or worm because it does not propagate itself. However, a virus or worm can be used to copy a Trojan horse to a target system as part of the attack payload; this is called "dropping". A Trojan horse is usually intended to disrupt the user's work or the normal operation of the system. For example, a Trojan horse may open a back door in the system that allows hackers to steal data or change configuration settings. Two terms are frequently used when referring to Trojan horses or Trojan-type code; they are identified and explained as follows:

• Remote access Trojan. Some Trojan horse programs let hackers or data thieves control a system remotely. Such programs are called remote access Trojans (RATs) or back doors. Examples of RATs include Back Orifice, Cafeene, and SubSeven. For a detailed description of this type of Trojan horse, see the article "Danger: Remote Access Trojans" on the Microsoft TechNet website at http://www.microsoft.com/technet/security/topics/virus/virusrat.mspx.

• Rootkit. A rootkit is a collection of software tools that a hacker can use to gain unauthorized remote access to a computer and launch further attacks. These programs may use many different techniques, including monitoring keystrokes, changing system log files or existing system applications, creating a back door into the system, and launching attacks against other computers on the network. Rootkits are usually organized as a set of tools tailored to a specific operating system. The first rootkits were identified in the 1990s, when Sun and Linux operating systems were their main targets. Today rootkits exist for many operating systems, including the Microsoft Windows platform.

Note: RATs and some of the tools contained in rootkits also have legitimate remote control and monitoring uses. However, the security and privacy issues these tools introduce add to the overall risk of any environment in which they are used.

Worm

If the malicious code replicates, it is not a Trojan horse, so the next question to ask in order to classify it more precisely is: "Can the code replicate without a carrier?" In other words, can it replicate without infecting an executable file? If the answer is yes, the code is considered some type of worm. Most worms try to copy themselves onto a host computer and then use that computer's communication channels to replicate further. For example, the Sasser worm relied on a service vulnerability to infect a system initially, and then used the infected system's network connection to attempt to replicate. If the latest security updates had been installed (stopping the infection), or a firewall in the environment blocked the network port the worm used (stopping the replication), the attack failed.

Virus

If the malicious code adds a copy of itself to a file, document, or the boot sector of a disk drive in order to replicate, it is considered a virus. The copy may be a direct copy of the original virus or a modified version of it. For more information, see the "Protective Mechanisms" section later in this chapter. As mentioned earlier, viruses typically replicate themselves on the local computer and then perform one or more malicious actions (for example, deleting user data). However, a virus that only replicates and carries no payload is still a malware problem, because the infection itself may damage data, consume system resources, and occupy network bandwidth.

Characteristics of malware

Each type of malware can be described by various characteristics. For example, viruses and worms may both use the network as a transport mechanism. However, a virus looks for files to infect, whereas a worm simply tries to copy itself. The following sections describe the typical characteristics of malware.

Target environment

When malware tries to attack a host system, it may require a number of specific components to be present before the attack can succeed. The following are typical examples of what malware may need in order to attack a host system:

• Device. Some malware targets a specific type of device, such as a personal computer, an Apple Macintosh computer, or even a personal digital assistant (PDA), although PDA malware is currently very rare.

• Operating system. Malware may require a particular operating system to be effective. For example, the CIH or Chernobyl virus of the late 1990s could only attack computers running Microsoft Windows 95 or Windows 98.

• Application. Malware may require a specific application to be installed on the target computer before it can deliver its payload or replicate. For example, the LFM.926 virus of 2002 could only attack if Shockwave Flash (.swf) files could be executed on the local computer.

Carrier objects

If the malware is a virus, it tries to target a carrier object (also known as a host) and infect it. The number and type of target carrier objects vary with the malware; the following list gives examples of the most common target carriers:

• Executable files. This is the target of the "classic" virus type, which replicates by attaching itself to a host program. Besides the typical executable with the .exe extension, files with the following extensions can also be used for this purpose: .com, .sys, .dll, .ovl, .ocx, and .prg.

• Scripts. Attacks that use scripts as a carrier target files written in scripting languages such as Microsoft Visual Basic Script, JavaScript, AppleScript, or Perl. Extensions of such files include .vbs, .js, .wsh, and .prl.

• Macros. These carriers are files that support the macro scripting language of a particular application (for example, a word processor, spreadsheet, or database application). For example, viruses in Microsoft Word and Lotus Ami Pro can produce a range of effects, from pranks (changing words in the document) to malicious actions (formatting the computer's hard drive).

• Boot sector. Specific areas of a computer disk (hard disk and bootable removable media), such as the master boot record (MBR) or the DOS boot record, can also be considered carriers because they can execute malicious code.

When an infected disk is used to start another computer system, the virus replicates.

Note: A virus that targets both files and the boot sector is called a "multipartite" virus.

Transport mechanisms

Attacks can use one or more different methods to try to replicate between computer systems; this section provides information about several of the transport mechanisms most commonly used by malware.

• Removable media. The original, and probably (at least until now) the most prolific, transmitter of computer viruses and other malware is file transfer. This mechanism started with floppy disks, then moved on to networks, and is now finding new media such as Universal Serial Bus (USB) devices and FireWire. The rate of infection is not as fast as with network-based malware, but the threat is always present and is hard to eliminate completely, because systems need to exchange data.

• Network shares. Once computers could connect to each other directly through a network, malware writers gained another transport mechanism, one with the potential to exceed the capability of removable media to spread malicious code. Poorly implemented security on network shares produces an environment in which malware can replicate to a large number of computers connected to the network. This has largely replaced the manual method of using removable media.

• Network scanning. Malware writers use this mechanism to scan the network for vulnerable computers, or to attack IP addresses at random. For example, this mechanism can send a packet on a specific network port to a range of IP addresses to find a vulnerable computer to attack.

• Peer-to-peer (P2P) networks. To perform a P2P file transfer, the user must first install the client component of the P2P application, which uses a network port that is allowed through the organization's firewall, for example port 80. The application uses this port to pass through the firewall and transfer files directly from one computer to another. These applications are readily available on the Internet, and malware writers can use their transport mechanism directly to spread infected files to client hard drives.

• E-mail. E-mail has become the transport mechanism of choice for many malware attacks. E-mail can easily reach hundreds of thousands of computers without the malware writer having to leave their own computer, which makes it a very effective transport. Tricking users into opening an e-mail attachment is relatively easy (using social engineering techniques). Consequently, many of the most prolific malware outbreaks have used e-mail as their transport mechanism. There are two basic types of malware that use e-mail as a transport mechanism:

  • Mailer. This type of malware uses the mail software installed on the host (for example, Microsoft Outlook Express) or its own built-in Simple Mail Transfer Protocol (SMTP) engine to send itself as an e-mail message to a limited number of e-mail addresses.

  • Mass mailer. This type of malware uses the mail software installed on the host or its own built-in SMTP engine, searches the infected computer for e-mail addresses, and then sends itself as a large number of messages to those addresses.

• Remote exploit. Malware may try to exploit a particular vulnerability in a service or application in order to replicate. This behavior is usually seen in worms; for example, the Slammer worm exploited a vulnerability in Microsoft SQL Server 2000. The worm generated a buffer overflow that allowed part of the system memory to be overwritten in the same security context as the SQL Server service. A buffer overflow occurs when more information is added to a buffer than it can hold. An attacker may exploit such a vulnerability to take over the system.
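The mailer and mass-mailer transport mechanisms described above leave a recognizable trace in outbound mail logs: one host bursts out messages to many distinct recipients, often with several forged sender addresses. The following added example (not code from the guide) is a small detector run over constructed relay log lines; the log format, host names, addresses, window length and threshold are all assumptions chosen for illustration.

```python
"""Spot mass-mailer behaviour in outbound mail-relay logs.

Added example for the "Mailer" / "Mass mailer" transport mechanisms; it is not
code from the guide. The log format, host names, addresses and thresholds are
constructed assumptions used only for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed relay log format: "<ISO timestamp> relay client=<host> from=<addr> to=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) relay client=(?P<client>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$"
)

WINDOW = timedelta(minutes=5)  # sliding window length (assumption)
RECIPIENT_THRESHOLD = 20       # distinct recipients per window that trips an alert (assumption)


def parse_line(line):
    """Parse one relay log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "sender": m["sender"].lower(),
        "rcpt": m["rcpt"].lower(),
    }


def find_mass_mailers(lines, window=WINDOW, threshold=RECIPIENT_THRESHOLD):
    """Return {client_host: stats} for hosts that reached `threshold` distinct
    recipients inside any `window`: the burst pattern of a mass mailer that
    harvests addresses and sends itself to all of them."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_client[ev["client"]].append(ev)

    alerts = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()
        peak = 0
        for ev in events:
            recent.append(ev)
            # Drop events that fell out of the window relative to the newest one.
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            peak = max(peak, len({e["rcpt"] for e in recent}))
        if peak >= threshold:
            alerts[client] = {
                "peak_recipients": peak,
                # A legitimate user normally sends as one address; a worm with
                # its own SMTP engine often forges several.
                "distinct_senders": len({e["sender"] for e in events}),
            }
    return alerts


def build_sample_log():
    """Constructed log: one normal workstation and one behaving like a mass mailer."""
    base = datetime(2004, 2, 1, 9, 0, 0)
    lines = [
        f"{base.isoformat()} relay client=ws-17.corp.example from=alice@corp.example to=bob@corp.example",
        f"{(base + timedelta(minutes=2)).isoformat()} relay client=ws-17.corp.example from=alice@corp.example to=carol@partner.example",
        "garbage line that the parser should ignore",
    ]
    forged = ["dan@corp.example", "admin@corp.example", "support@partner.example"]
    for i in range(30):  # 30 distinct recipients within 145 seconds
        ts = (base + timedelta(minutes=15, seconds=5 * i)).isoformat()
        lines.append(
            f"{ts} relay client=ws-42.corp.example from={forged[i % 3]} to=user{i}@harvested{i % 7}.example"
        )
    return lines


if __name__ == "__main__":
    for host, stats in find_mass_mailers(build_sample_log()).items():
        print(f"{host}: {stats}")
```

The threshold and window are the tuning knobs: a help desk mailbox or a mailing-list server will legitimately exceed them, so in practice such hosts are whitelisted and the alert is correlated with the second signal (many distinct sender addresses from one workstation), which ordinary users never produce.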

Microsoft had identified and fixed the SQL Server vulnerability exploited by Slammer before the worm was released, but the worm still spread because a number of systems had not been updated.

Malware payloads

Once malware reaches the host computer, it usually performs one or more actions known as the payload, which can take many forms. Some common payload types identified in this section include:

• Back door. This type of payload allows unauthorized access to a computer. It may provide full access, or it may be limited to certain kinds of access, for example enabling File Transfer Protocol (FTP) access through port 21 on the computer. If the attack enables Telnet, a hacker can use the infected computer as a staging area for Telnet attacks on other computers. As mentioned earlier, a back door is sometimes referred to as a remote access Trojan.

• Data corruption or deletion. One of the most destructive payload types is malicious code that corrupts or deletes data, rendering the information on the user's computer useless. The malware writer has two choices here. The first is to design the payload to execute quickly. Although potentially disastrous for the infected computer, this design causes the malware to be discovered quickly, reducing the chance that its replication goes unnoticed. The other option is to leave the payload on the local system (in the form of a Trojan horse) for a period of time (for examples, see the "Trigger mechanisms" section later in this chapter), so that the malware can spread before it attempts to deliver the payload and alert users to its presence.

• Information theft. A particularly worrying payload type is one designed to steal information. If the payload can compromise the security of the host computer, it may provide a mechanism to pass information back to the malware writer. This can happen in a number of ways; for example, the transfer can be automated so that the malware simply harvests local files or information such as the keys the user presses (in order to capture user names and passwords). Another mechanism is to provide an environment on the local host that allows the attacker to control the host remotely or to gain direct access to files on the system.

• Denial of service (DoS). One of the simplest payload types to deliver is a denial of service attack. A DoS attack is a computerized assault launched by an attacker to overload or halt a network service, such as a web server or file server. The sole purpose of a DoS attack is to make a specific service unavailable for a period of time.

• Distributed denial of service (DDoS). This type of attack generally uses infected clients, which are usually unaware of their role in the attack. A DDoS attack is a denial of service attack in which the attacker uses malicious code installed on a number of computers to attack a single target. An attacker using this method can have a much greater impact than with a single attacking computer. The semantics of the attack vary, but it usually involves sending large amounts of data to a specific host or website so that it stops responding (or is unable to respond) to legitimate traffic. This consumes the available bandwidth of the victim site and effectively takes the site offline. This type of attack is extremely difficult to defend against, because the hosts responsible for the attack are themselves unwitting victims. DDoS attacks are usually performed by bots (for example, Internet Relay Chat (IRC) Eggdrop bots), which hackers use to control the "victim" computers through an IRC channel.

Once these computers are under the hacker's control, they become "zombies" that act against the target on the attacker's command, without the computer owners being aware of it. Both DoS and DDoS methods can involve a number of different attack techniques, including:

• System shutdown. If malware can shut down or crash the host system, it can disrupt one or more services. Attacking the host system requires the malware to find a vulnerability in an application, or in the operating system, that can cause the system to shut down.

• Bandwidth flooding. Most services offered on the Internet are linked to their clients by a network connection of limited bandwidth. If the malware writer's payload fills that bandwidth with bogus network traffic, a DoS results simply because clients can no longer connect to the service.

• Network DoS. This type of payload tries to overload the resources available to the local host. Resources such as the microprocessor and memory are overwhelmed by a SYN flood attack (a flood of TCP connection requests), which denies legitimate network traffic to the host. E-mail bomb attacks also create a DoS by filling storage resources: in this attack, excessive e-mail data is sent to an e-mail address in an attempt to disrupt the e-mail program or to prevent the recipient from receiving legitimate messages.

• Service disruption. This type of payload can also cause a DoS. For example, if an attack on a Domain Name System (DNS) server disables the DNS service, this DoS technique has been achieved. However, all other services on the system may remain unaffected.

Malware trigger mechanisms

A trigger mechanism is a characteristic of malware: the mechanism it uses to start replicating or delivering its payload. Typical trigger mechanisms include the following:

• Manual execution. This type of trigger mechanism is simply the execution of the malware by the victim.

• Social engineering. Malware usually uses some form of social engineering to trick the victim into manually executing the malicious code. The approach can be relatively simple, like the one used by many mass-mailing worms, where the social engineering element consists mainly of choosing a subject line for the e-mail that is most likely to make the victim open the message. Malware writers may also use e-mail spoofing to try to trick the victim into believing that the e-mail comes from a trusted source. Spoofing is the act of impersonating a website or data transmission to make it appear genuine. For example, the original Dumaru worm of 2003 modified an e-mail's "From:" field so that it falsely claimed to come from security@microsoft.com. (For more information on this characteristic, see "Mailer" in the next section of this chapter.)

• Semi-automatic execution. This type of trigger mechanism is initially started by the victim and then executes automatically.

• Automatic execution. This type of trigger mechanism does not require manual execution. The malware performs its attack without the victim having to run any malicious code on the target computer.

• Time bomb. This type of trigger mechanism executes after a period of time. The period may be a delay since the first execution of the infection, or a predetermined date or range of dates. For example, the MyDoom.B worm launched its payload routine against the Microsoft.com website on February 3, 2004, and against the SCO Group website only in February 2004. The worm then stopped all replication on March 1, 2004, although the back-door component of this time bomb remained active after that date.

• Conditional. This type of trigger mechanism uses a predetermined condition as the trigger to deliver its payload: for example, a file being renamed, a set number of hits, or an application being started.
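The "Carrier objects" section earlier in this chapter lists the file extensions that executable and script viruses attach to, and the social engineering entry above describes a spoofed "From:" field claiming to be security@microsoft.com. Both are things a mail gateway can check on every inbound message. The following added example (not code from the guide) does exactly that with Python's standard email parser; it assumes the receiving mail server has already stamped a Return-Path: header with the envelope sender, as MTAs normally do, and the message, addresses and domains in it are constructed.

```python
"""Check an inbound message for a spoofed visible From: address and for
attachments that are typical virus carriers.

Added example, not code from the guide. Assumes the receiving MTA has added a
Return-Path: header carrying the envelope sender; the sample message below is
constructed.
"""
import os
from email import message_from_string, policy
from email.utils import parseaddr

# Carrier-object extensions from the "Carrier objects" section of this chapter.
CARRIER_EXTENSIONS = {
    "executable": {".exe", ".com", ".sys", ".dll", ".ovl", ".ocx", ".prg"},
    "script": {".vbs", ".js", ".wsh", ".prl"},
}

# Constructed sample: claims to come from security@microsoft.com (as Dumaru did),
# but the envelope sender is elsewhere, and it carries an .exe attachment.
SAMPLE_MESSAGE = """\
Return-Path: <worm-sender@mail.example.net>
From: "Microsoft Security" <security@microsoft.com>
To: victim@corp.example
Subject: Important security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please run the attached update.
--b1
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""


def classify_attachment(filename):
    """Return the carrier class for a filename, or None if it is not on the list."""
    ext = os.path.splitext(filename or "")[1].lower()
    for kind, exts in CARRIER_EXTENSIONS.items():
        if ext in exts:
            return kind
    return None


def _domain(header_value):
    """Extract the lower-cased domain part of an address header (or '' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def assess_message(raw):
    """Return the spoofing and carrier findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    # A visible From: domain that differs from the envelope sender's domain is
    # the pattern of a spoofed sender. Exact-domain comparison is a deliberate
    # simplification; a real gateway would use SPF/DKIM/DMARC alignment.
    spoofed = bool(from_domain and envelope_domain and from_domain != envelope_domain)

    carriers = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        kind = classify_attachment(name)
        if kind:
            carriers.append((name, kind))

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spoofed_sender": spoofed,
        "carrier_attachments": carriers,
        # Either finding alone merits a look; both together is the classic pattern.
        "suspicious": spoofed or bool(carriers),
    }


if __name__ == "__main__":
    print(assess_message(SAMPLE_MESSAGE))
```

The extension check only recognises the carrier classes the chapter lists (macro documents and boot sectors cannot be spotted by filename alone), and the From/Return-Path comparison is the minimal form of the sender check; it is enough to flag the Dumaru-style forgery shown here but should be read as the idea, not a production filter.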

Please credit the original address when reprinting: https://www.9cbs.com/read-55298.html
