Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Similar a Virus part1
Similar a Virus part1 (20)
Último
Último (20)
Virus part1
- 2. DDoS ProgramsDDoS Programs DDoS programs are made by attackers to disable web servers, thereby preventing legitimate users from using their services. DDos stands for Distributed Denial of Service
- 3. Different Types of Viruses
- 4. Classification of Viruses • DOS Viruses • Windows Viruses • Script Viruses • Macro Viruses• • Boot Viruses
- 5. Boot Viruses
- 6. Infected diskette used during bootup Boot virus infects the hard disk Every disk used afterwards is also infected Boot Viruses
- 7. DOS Viruses
- 8. HOST orig. header DOS VirusesDOS Viruses VIRUS orig. header VIRUS CODE INFECTED PROGRAM A virus usually infects by attaching a copy of itself at the tail of the host program. Then, it saves a copy of the original header somewhere in the virus body It modifies the header to gain control when the program executes. Jump to virus Append Prepend Insert Although most viruses append their codes, some also prepend, insert, or overwrite their virus codes.
- 9. DOS Viruses increase in the file size of infected programs decrease in the size of available memory unusual slowdown of computer system Some symptomsSome symptoms
- 10. Windows Viruses
- 11. Windows VirusesWindows Viruses Applications/executable files (*.EXE) Other file types with executable codes (*.SCR, *.HLP, *.OCX) Device drivers (*.DLL, *.DRV, *.VXD) Commonly infected file types:Commonly infected file types:
- 12. Windows VirusesWindows Viruses Unnecessary changes in executable files (i.e.: file size, timestamp, behavior, etc.) Any unusual tasks/processes The Registry and other configuration files for any unusual or suspicious modifications Things to check:Things to check:
- 13. Macro Viruses
- 14. Collection of instructions Handles boring, awkward, and tedious tasks Saves a user keystrokes. Visual Basic® for Applications (VBA) Environment What is a Macro?
- 15. When an infected document is opened with Word, it will usually copy its macro codes in the Global Template With the macro virus already resident in the Global Template, it can already produce additional copies of itself to other documents accessed by Word. The Global Template is used as the basis for the document settings and macros Macro Viruses in WordMacro Viruses in Word DocumentsDocuments
- 16. With the macro virus already in the startup folder, it can already produce additional copies of itself to other spreadsheets accessed by Excel. When Excel is loaded, every file in the Excel startup folder will be opened and their macros will be executed. Macro Viruses in ExcelMacro Viruses in Excel DocumentsDocuments When an infected spreadsheet is opened with Excel, it will usually drop a copy of itself unto the startup folder.
- 17. Macro Viruses in other file typesMacro Viruses in other file types LotusScript LotusScript CorelScript CorelScript VBA VBA
- 18. Script VirusesScript Viruses If a mail message or a Web page has some malicious scripts the malicious scripts may utilize the scripting host execution capabilities of some Web and mail browsers thus enabling them to spread and replicate to other mail recipients or Web page users
- 19. Safety Computing Tips and Techniques
- 20. Safe Computing Tips & Techniques 1. Disable the Windows Scripting Host functionality 2. Do not hide the file extensions of known file types 3. Set up the Internet Explorer security setting 4. Apply the latest Microsoft security updates 5. Enabling Macro Virus Protection 6. Scan floppy diskettes before use 7. Enable Virus Warning in CMOS setup
- 21. Disable the Windows Scripting Host functionality This prevents Visual Basic script viruses and malware from running, so that they cannot activate, spread or cause damage to files. A typical PC does not need Windows Scripting Host (WSH) to function normally. Therefore, it is usually ok to disable it. You can always reinstall WSH if you change your mind later. Safe Computing Tips & Techniques
- 22. Do not hide the file extensions of known file types Safe Computing Tips & Techniques All Windows operating systems, by default, hide the known file extensions in Windows Explorer. This feature can be used by virus writers and hackers to disguise malicious programs as some other file formats, such as text, video or audio files.
- 23. Set up the Internet Explorer security setting to Medium or High Safe Computing Tips & Techniques By default, the Internet Explorer security setting is set to "Medium." However, some viruses and malware have been found to have the ability to change the settings to "Low" and therefore allowing the system to be vulnerable. It is encouraged that the security setting is set to at least "Medium" to reduce the risk of accidentally running a malicious file. At the "Medium" security level, Internet Explorer will prompt the user before running a potentially unsafe content.
- 24. Apply the latest Microsoft security updates Safe Computing Tips & Techniques Security updates will help prevent hackers from accessing your system and prevent viruses and other malware from running in your system. In order to close off security holes that have been discovered since Windows was shipped and installed, it is advisable that users visit the Microsoft Update Web site at http://windowsupdate.microsoft.com. The Web site has instructions provided that are easy enough to follow in updating your system.
- 25. Safe Computing Tips & Techniques Enabling Macro Virus Protection For MS Office 95 and MS Office 97
- 26. Safe Computing Tips & Techniques Enabling Macro Virus Protection For MS Office 2000
- 27. Disabling Macros when prompted For MS Office 95 and 97 For MS Office 2000 Safe Computing Tips & Techniques
- 28. Safe Computing Tips & Techniques Select BIOS Features Setup Then enable boot virus warning • Scan floppy diskettes before use • Enable Virus Warning in CMOS setup
- 29. Safe Computing Tips & Techniques Safe computing practices make it more difficult for malicious codes to enter or execute on client systems. add a protective layer of defense to prevent viruses and other malware from running. should always be followed in conjunction with updating antivirus software.
Notas del editor
- DDoS programs DDoS programs are special type of Trojans or backdoors. They are made to disable certain Web servers, IRC servers or ICQ servers by launching a DDoS attack. DDoS stands for Distributed Denial of Service. A DDoS attack is usually launched simultaneously from different infected computers known as the “attack servers” with the initiation from the attacker. When a DDoS program is already installed in a computer, it opens a port or connect to a certain server and waits for a command or information coming from the attacker. The following are some of the information provided by an attacker to the DDoS program: 1. IP address of the victim server 2. Port number of the victim server 3. The number and size of packets to send 4. The duration of the attack The attack is usually made by sending a large amount of packets such as ICMP(ping), UDP, and IGMP packets and is performed simultaneously by several infected computers with the DDoS program installed. In this way, the victim server’s network bandwidth gets consumed thereby disabling itself from the network and eventually preventing its legitimate users from accessing the services it offers.
- Classification of Viruses Viruses may come in different types -- there are boot viruses, DOS viruses, Windows viruses, macro viruses, script viruses, and Java viruses. All of these share the same characteristics of viruses except that they infect different types of host files or programs. Let’s go over the formal definition of what a virus is and what it can infect. Basically, a virus needs a host to attach itself unto – which could either be an application or an applet, a boot code, a macro code inside a document or file, or some script code embedded into email messages and web pages. The host should contain a program – executable code – and image files are not programs, nor are sound files, text files, or cmos data. These objects are supposed to contain pure data and they do not contain computer instructions of any kind. Even if instructions can be inserted into these files, image viewers, sound players and the like are designed to view images and play sound and not search through these files for instructions to execute. None of the data in these objects are executed and they therefore cannot be infected, they can only be corrupted. A virus contains code that explicitly copy itself and that can infect other programs by modifying them or their environment. This would usually entail making modifications to gain control when the infected program is executed. After the virus code has finished execution, in most cases, control is passed back to the original host program to give the impression to the user that nothing is wrong with the infected file. Now, let’s go over the different classification of viruses in detail.
- Boot Viruses Boot viruses target a specific location of the hard disk and/or floppy diskette. They generally infect the partition sector (also known as the master boot record, MBR) of hard disks and/or the boot sector of floppy diskettes. Floppy disks do not have a partition sector. The MBR is the first sector of the hard disk and it contains information about the disk such as the number of sectors in each partition, where the DOS partition starts, plus a small program. The boot sector, on the other hand, is the first sector on a floppy disk. On a hard disk, it is the first sector of a partition. It contains information about the disk or partition, such as the number of sectors, plus a small program. When a PC starts up, it typically reads the partition sector and executes the small program there when a hard disk is present. In the absence of a hard disk or depending on the CMOS settings, the PC may instead read the boot sector of a disk in drive A: and execute the small program there. Boot viruses modify the small program from either the partition sector and/or from the boot sector. They also commonly move the original contents of the sector elsewhere on the disk which they pass control back after they have finished executing the virus code.
- DOS viruses When a DOS virus infects a program, it usually attaches a copy of itself at the tail of the host program. Further, it copies the original header of the host program and saves it somewhere in the virus body. It does this to be able to revert control to the original host program after it has executed its virus code. It then replaces the header of the program with a jump that will lead to the virus code so that the virus will gain control when the program is executed. The infection is now complete. When an infected program is executed, it automatically jumps to the virus body and performs whatever the virus is supposed to do. Afterwards, it reverts control to the original host program by making use of the original header information it has saved during the infection process. After the infected program has completed execution, if the virus is well-made, the user will get the impression that nothing is wrong with the computer system. Although most DOS viruses append their codes at the tail of host programs, some prepend, insert, or overwrite their virus codes instead.
- DOS viruses If a computer system is already infected with a DOS virus, there are usually some noticeable changes in the system. First and foremost, infected files oftentimes increase in size, since the virus needs to attach a copy of itself unto host programs. Moreover, if the virus is memory resident, it could also take up some memory space and, possibly, slow down the computer system. If there is an unexplained decrease in the available memory or an unusual slowdown of the computer system, there is a possibility that the computer is harboring a virus and it would be wise to check it with an antivirus scanner.
- Windows viruses and Windows executable file formats With the introduction of the Windows™ operating system comes the the New Executable (NE), Linear Executable (LE), and Portable Executable (PE) file formats. These new file formats are extensions of the old familiar MZ MS-DOS executable file format and are used by Win16 and Win32-based applications. The NE file format came out during the time of Windows 3.xx and is used by Win16-based applications. The file format is not widely used as a newer file format was introduced immediately afterwards (PE came out at the time of Windows 95). The PE file format is commonly used by Win32-based applications while the LE file format is used by virtual device drivers. Windows viruses normally infect executables in the PE file format although some of them may also infect other executable file formats in the Windows environment. Windows viruses are similar to DOS viruses as they also infect executable files. However, Windows viruses work in the Windows operating system instead of the DOS environment. As such, Windows viruses have to contend with the file format of Windows executables and the operating system design of Windows.
- Windows viruses and the file types they infect Most Windows viruses infect Windows applications, predominantly PE files. These Windows executables include commonly used applications such: Calculator, Explorer, Games, Paint and similar graphics applications, Notepad, MS Word, Outlook, and many others. Additionally, some Windows viruses may infect executable code on device drivers. Others target screen savers, help files, and other file formats with executable codes.
- Checking for possible Windows viruses If you suspect that your system is infected with a Windows virus, you may check the following to determine if it is indeed harboring a virus or not: Any unexpected changes on executable files Viruses will usually attach themselves at the tail of executable programs and modify some entries in the header to gain control of the program when they are executed. When viruses attach copies of themselves to host programs, they normally increase the file size and the timestamp of the change will be reflected as well. Some viruses are smart enough to save the original timestamp of the host program and restore it after infection to give the impression to ordinary users that the file has not been changed since the last known update. Although most Windows viruses create a new section where they place their virus code (which will unavoidably increase the file size), some will not create any new sections and will go as far as finding ways to insert copies of themselves without increasing the size of the infected file. They do this by scanning for free spaces in between sections which are oftentimes found with Windows executables. Any unusual tasks or processes When a Windows virus stays resident, it will usually be evident in the Task Manager. Look for any tasks and processes that are out of the ordinary and determine which applications they are associated with. Check the Registry and other configuration files for any unusual or suspicious modifications Many Windows viruses modify the Registry and some other configuration files to enable automatic execution when Windows is started. This guarantees that they are given control on successive sessions of Windows.
- Macro Viruses Macro viruses use an application's macro programming language to distribute themselves. Some applications (i.e. MS Word and MS Excel) provide a macro programming language (i.e: Visual Basic for Application (VBA) and WordBasic) which is powerful enough to allow malicious macro instructions to be placed inside documents. These macros are specific to an application’s macro language and they require the application to interpret their instructions. As such, they cannot execute outside of the application because the interpreter would not be present and they also cannot stay active once the application has closed for the same reason. Macro viruses often exploit the auto-execute (i.e. AutoNew, AutoOpen, and AutoClose) capabilities of applications which support macros. These auto-execute macros are executed in response to their corresponding event (i.e AutoClose is performed when a document is closed) and it provides an easy avenue for macro virus writers to place their malicious codes.
- Macro viruses in Word documents Every Microsoft Word document is based on a template. A template determines the basic structure for the document and contains document settings, including macros. The two basic types of templates are global templates and document templates. Global templates, including the Normal template, contain settings that are available to all documents. Word macro viruses oftentimes target the Normal template (NORMAL.DOT) when they initially infect a computer system as it makes the macro codes available also in the succeeding Word sessions.
- Macro viruses in Excel documents / spreadsheets When Microsoft Excel is loaded, it opens all the files in the startup folder. Upon opening the files, it also executes the macros in them. An Excel macro virus customarily drops a copy of the infected spreadsheet / document in the startup (XLSTART) folder to allow itself to propagate and infect in the succeeding sessions of Excel.
- Macro viruses in other file types Macro viruses are also found in other file types aside from MS Word and MS Excel. They have been found in MS Powerpoint files, MS Access files, CorelDraw files and Visio files, among others. If the macro language used in an application is powerful enough to manipulate files and if the file format supports the inclusion of both data and macro codes in the same file, then macro viruses are possible for the particular file type. Currently, documents that support the Visual Basic for Applications (VBA) macro language are susceptible to viruses. Since VBA is a subset of the Visual Basic language, which is widely used by programmers, it is relatively easy to write malicious code in them, as compared to the other types of malware. Other popular script languages available are LotusScript, used in AmiPro and WordPro files, and CorelScript, used in CorelDraw files.
- Script viruses Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser. Some e-mail messages or Web pages could contain malicious scripts (e.g., "ILOVEYOU" virus and Bubbleboy). Their malicious scripts may utilize the automatic scripting capabilities of some Web and mail browsers (e.g., Internet Explorer and MS Outlook) which enables them to replicate to other mail recipients or Web page users.
- Safe computing tips and techniques The following are some practical tips and techniques which can easily be done to reduce the risk of virus or malware infections and of inadvertently triggering or spreading them to other people. These will help prevent a user from falling prey to viruses and other malicious codes while using today’s advanced computer information access technology. These will make your system more robust and, in general, make it difficult or impossible for viruses and other malware to run.
- Disable the Windows Scripting Host functionality This is to prevent Visual Basic script viruses and malware (like VBS_LoveLetter) from running, so that they cannot activate, spread or cause damage to files. A typical PC does not need Windows Scripting Host (WSH) to function normally. Therefore, it is usually ok to disable it. You can always reinstall WSH if you change your mind later.
- Do not hide the file extensions of known file types By default, all Windows operating systems hide known file extensions in Windows Explorer. This feature can be used by virus writers and hackers to disguise malicious programs as some of the other file formats, such as text, video or audio files. For example, if the file extensions of known file types are hidden, a malicious program file named "readme.txt.exe" is displayed as "readme.txt" in Windows Explorer. Therefore users are often tricked into clicking the supposed "text" file and then into inadvertently running the malicious program. To avoid this confusion, users are recommended to change the Windows Explorer setting to "Not hide the File Extension of known File Types."
- Set up the Internet Explorer security setting to Medium or High By default, the Internet Explorer security setting is set to "Medium." However, some viruses and malware have been found to have the ability to change the settings to "Low" and therefore allowing the system to be vulnerable. It is encouraged that the security setting is set to at least "Medium" to reduce the risk of accidentally running a malicious file. At the "Medium" security level, Internet Explorer will prompt the user before running a potentially unsafe content.
- Apply the latest Microsoft security updates Security updates will help prevent hackers from accessing your system and prevent viruses and other malware from running in your system. In order to close off security holes that have been discovered since Windows was shipped and installed, it is advisable that users visit the Microsoft Update Web site at http://windowsupdate.microsoft.com. The Web site has instructions provided that are easy enough to follow in updating your system. Windows 98 or Windows 2000 users can also use the Windows Update feature to get all the latest security updates by simply clicking "Start" and then selecting "Windows Update".
- Preventing Macro Virus Infections To control the possible spread of macro viruses in your system, the macro virus protection should be enabled. This is available through the Tools | Options menu under the General settings for MS Office 95 and MS Office 97. While in the General settings, simply place a check mark for Macro Virus Protection to enable it.
- Preventing Macro Virus Infections For MS Office 2000, macro virus protection is enabled through the Tools | Options | Security menu. This is done by selecting either the Medium or High Security Level. If High security level is selected, only signed macros from trusted sources will be allowed to run. Any unsigned macro are automatically disabled. If Medium security level is selected, a warning message is displayed and the user is given the option to either enable or disable the macros when a document is opened.
- Preventing Macro Virus Infections While macro virus protection is enabled (for MS Office 95 and 97) or set to Medium security level (for MS Office 2000), MS Office will prompt the user when macro codes are existing in a document. Choose Disable Macros if you are not sure or if you are not aware of any macro codes in your documents. To know more about macros, click on Tell Me More (for MS Office 95 and 97) or More Info (for MS Office 2000).
- Boot Viruses To prevent from boot virus infections, floppy diskettes should be scanned for viruses before being used. Additionally, boot virus protection on the CMOS should be enabled. In the CMOS setup utility, select BIOS FEATURES SETUP then enable Virus Warning. This will give out a warning when the boot or partition sector of the hard disk is being modified and the user can prevent any unexpected modifications.
- Safe computing tips & techniques Safe computing practices mainly make it more difficult for malicious codes to enter or execute on client systems. These should always be done in conjunction with an updated antivirus software. In general, most viruses are mere nuisances. However, every once in a while, a new virus comes along that uses a new technique and causes major computer problems or threatens data or data security. These safe computing practices will add a protective layer of defense to prevent viruses and other malware from running in your system.