
Viruses


metcalfm




Presentation Transcript


  1. Viruses

  2. Malware versus Virus • Viruses belong to a larger category of software known as Malware, which is short for “malicious software” • Computer viruses are named after their biological counterparts because of the two features they have in common • they require a host; they are not complete programs but pieces of code that become attached to (infect) another program • They are self-replicating, i.e. they make copies of themselves

  3. Programs writing programs • A program is stored as a file (it may also be loaded into memory) • A program can write to a file (or to memory) • It can insert text into a file, append to a file, overwrite a file, or start a new file • The file being written may contain a program, the code in the program can be a copy of the program that wrote the file • When that new program is executed, …

  4. Worm • Some distinguish between a worm and a virus: a worm is a complete, stand-alone program that does not attach itself to a host program but spreads copies of itself from system to system (usually over a network), consuming disk space, memory and bandwidth as it goes • Malware need not copy itself at all, but self-replication is the usual mechanism for spreading from system to system

  5. Phases • Infection phase: the time when a virus spreads (replicates itself) • Attack phase: the time when a virus causes its damage • The non-replication action of the virus is known as the “payload” • The payload may be to print a silly message or to erase everything on the hard drive • Even the infection phase uses up system resources

  6. Bombs • A logic bomb is designed to cause its damage only when a particular condition is met, • a special case is a time bomb which goes off at a particular time • e.g. the Michelangelo and Melissa viruses • If the payload is immediate, then the virus may be detected earlier and not have a chance to spread as far

  7. Types of computer viruses • Viruses are typically categorized by the level of software they “infect” • Boot sector infector • Master boot sector (master boot record, MBR) infector • File or program infector • Macro • Multipartite: having features of more than one of the above • Hoax (not a virus at all; see below)

  8. "Boot Sector" • Booting is when one loads the operating system after turning on the power • Viruses that attach to code at this lowest level are known as “boot sector” viruses or “boot sector infectors” • These viruses are spread by sharing disks • A disk does not have to be “bootable” to spread a boot sector virus

  9. Boot sector (Cont.) • Your computer is particularly vulnerable at the booting stage because the Anti-viral utility has not yet been loaded • You should not have a floppy in the A drive when you boot up, unless you specifically mean to boot off of the floppy. • Some anti-virus packages warn the user if a floppy is left in the A drive when shutting down

  10. Master Boot Sector • Sometimes a distinction is made between a boot sector virus and a master boot sector (master boot record, MBR) virus • The MBR is the first sector of a hard disk: the BIOS loads it first, its code reads the partition table to find which partition is active (bootable), and it then loads that partition’s own boot sector and hands control to it • A virus that replaces the code in the MBR is a master boot sector virus; it typically saves the original sector elsewhere on the disk and leaves the partition table intact, so the system still boots and the infection goes unnoticed
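The check that follows slides 8 to 10 is an added example, not code from the original deck: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 55AA signature), finds the active partition, and fingerprints the boot code so that a change can be compared against a baseline taken when the disk was known clean. The loader bytes and partition entries are constructed for the demo; the "infected" image mirrors the typical MBR infection described above, where only the boot code is replaced and the partition table is left alone.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # 4 entries x 16 bytes follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed 512-byte MBR image (demo input, not read from a real disk).

    partitions: list of (status, type, lba_start, sector_count); CHS fields are left zero.
    """
    if len(boot_code) > PARTITION_TABLE_OFFSET:
        raise ValueError("boot code does not fit in 446 bytes")
    image = bytearray(boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00"))
    for status, ptype, lba_start, count in partitions:
        image += struct.pack(ENTRY_FORMAT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    image += b"\x00" * 16 * (4 - len(partitions))     # unused slots
    image += BOOT_SIGNATURE
    return bytes(image)


def is_valid_mbr(image: bytes) -> bool:
    return len(image) == SECTOR_SIZE and image[510:512] == BOOT_SIGNATURE


def parse_mbr(image: bytes) -> dict:
    """Parse the partition table and fingerprint the boot code, as a boot-time integrity check would."""
    if not is_valid_mbr(image):
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(ENTRY_FORMAT, image[off:off + 16])
        if ptype == 0:                                   # empty slot
            continue
        partitions.append({"slot": slot, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    active = [p["slot"] for p in partitions if p["active"]]
    return {
        "boot_code_sha256": hashlib.sha256(image[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        # the loader expects exactly one active partition; anything else is worth a look
        "active_slot": active[0] if len(active) == 1 else None,
    }


def boot_code_changed(image: bytes, baseline_sha256: str) -> bool:
    """True if the boot code differs from a baseline recorded when the disk was known clean."""
    return parse_mbr(image)["boot_code_sha256"] != baseline_sha256


# Constructed sample: a clean MBR, then the same disk after a typical MBR infection
# (boot code replaced, partition table untouched, original sector saved elsewhere).
CLEAN_LOADER = b"CONSTRUCTED-CLEAN-LOADER-CODE"
INFECTED_LOADER = b"CONSTRUCTED-VIRUS-LOADER-CODE-THAT-CHAINS-TO-THE-SAVED-ORIGINAL"
SAMPLE_PARTITIONS = [(0x80, 0x06, 63, 204800), (0x00, 0x05, 204863, 409600)]
CLEAN_MBR = build_sample_mbr(CLEAN_LOADER, SAMPLE_PARTITIONS)
INFECTED_MBR = build_sample_mbr(INFECTED_LOADER, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
    print("partitions:", parse_mbr(INFECTED_MBR)["partitions"])
    print("partition table identical:", CLEAN_MBR[446:] == INFECTED_MBR[446:])
    print("boot code changed:", boot_code_changed(INFECTED_MBR, baseline))
```

The partition table of the infected image is byte-for-byte the clean one, which is exactly why a tool that only lists partitions sees nothing wrong; the hash over the first 446 bytes is what catches the replaced loader. Take the baseline from a known-clean boot, not from a machine that may already be infected.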

  11. Program or file infector • A virus that attaches itself to an executable file (a program) • Program files typically have one of the following extensions • .exe (executable file) • .com (“command” file: a flat binary image loaded as-is; not a “companion” file) • .bat (batch file)

  12. Renaming • One can rename a file and change its extension, so files with other extensions might have viruses • However, the operating system treats files with these extensions differently in that it executes them when they are clicked

  13. Program/file infector (Cont.) • In DOS the rule is that if a directory contains both filename.com and filename.exe and the user types filename, then filename.com is executed first • A “companion virus” exploits this: it does not modify filename.exe at all but drops its own filename.com beside it (often with the hidden attribute set), so the virus runs first and then launches the real program, which is why nothing looks changed • Program infectors are spread by sharing and executing infected programs • A program virus can infect other programs • Don’t share programs of unknown origin
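Added example, not from the original slides: the DOS name-resolution rule above, implemented over a constructed directory listing, together with the check an administrator would run for companion-virus footprints (a .COM sitting beside a .EXE of the same base name). Directory names, file names and the search path are all made up for the demo.

```python
import os

# Order in which DOS tries extensions when the user types a bare command name.
DOS_EXEC_ORDER = (".com", ".exe", ".bat")


def resolve_command(name: str, search_dirs: list, listing: dict):
    """Return the file DOS would run for `name`, or None if nothing matches.

    search_dirs: directories in search order (current directory first, then PATH).
    listing: constructed directory listing {directory: [filenames]}; it must include
    hidden files, since a planted companion is usually hidden.
    """
    want = name.lower()
    for directory in search_dirs:
        by_lower = {f.lower(): f for f in listing.get(directory, [])}
        for ext in DOS_EXEC_ORDER:               # all three extensions are tried in this
            if want + ext in by_lower:           # directory before moving to the next one
                return directory + "\\" + by_lower[want + ext]
    return None


def find_companions(listing: dict) -> list:
    """Flag (directory, base name) pairs where a .COM sits beside a .EXE of the same name.

    That is the footprint of a companion virus. A few legitimate packages ship such
    pairs, so treat a hit as something to inspect, not as proof of infection.
    """
    hits = []
    for directory, files in listing.items():
        exts_by_base = {}
        for f in files:
            base, ext = os.path.splitext(f.lower())
            exts_by_base.setdefault(base, set()).add(ext)
        for base in sorted(exts_by_base):
            if {".com", ".exe"} <= exts_by_base[base]:
                hits.append((directory, base))
    return hits


# Constructed listing: GAME.COM is the planted companion next to the real GAME.EXE.
SAMPLE_LISTING = {
    "C:\\DOS": ["COMMAND.COM", "FORMAT.COM", "EDIT.COM", "EDIT.HLP"],
    "C:\\GAMES": ["GAME.EXE", "GAME.COM", "SETUP.EXE", "README.TXT"],
    "C:\\UTIL": ["PKZIP.EXE", "PKUNZIP.EXE"],
}
SAMPLE_PATH = ["C:\\GAMES", "C:\\DOS", "C:\\UTIL"]

if __name__ == "__main__":
    print("typing GAME runs: ", resolve_command("game", SAMPLE_PATH, SAMPLE_LISTING))
    print("typing SETUP runs:", resolve_command("setup", SAMPLE_PATH, SAMPLE_LISTING))
    print("companion candidates:", find_companions(SAMPLE_LISTING))
```

Typing GAME runs GAME.COM, not the program the user installed, and the user sees the real game start afterwards. The same precedence rule means a stray .COM in any directory that is searched before the real program's directory also wins, so run the check over every directory on the PATH, not just the program's own.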

  14. Macro virus • A macro is a small program that automates repeated tasks in an application (like Word or Excel) • A macro virus is macro code that copies itself into other documents (in Word, usually by first infecting the global template so that every document opened afterwards is infected) and may also carry a payload • Have Word or Excel warn you if a file contains macros, and disable them if you don’t need them

  15. Macro virus (Cont.) • Since a macro is code embedded in a file usually thought of as a data file (such as a Word document or Excel spreadsheet), macro viruses spread more quickly because • people are more likely to share data files • They are also less wary when they do • Macros depend on the application rather than the operating system, so a macro virus can spread from a Mac to a PC and vice versa, provided both run a version of the application that executes the same macro language

  16. Visual Basic for Applications • Macros for Word and Excel are written in Visual Basic for Applications (VBA), a dialect of Visual Basic built into Office • If you record a macro in Word or Excel and edit it, it looks very much like Visual Basic • Visual Basic Script (VBScript) is a related but separate language: a stand-alone .vbs file is run by Windows Script Host when double-clicked, whereas a macro is stored inside the Word (.doc) or Excel (.xls) file itself and runs when the document is opened with macros enabled

  17. "Email" or "Hoax" • Not really a virus at all, just email messages repeatedly forwarded to warn others about a (non-existent) new virus • Infects the user, not the computer • However, like their genuine counterparts, hoaxes tie up system resources, causing undue Internet traffic • Verify a virus warning by checking with an IT professional or a reputable web site that has specific information on the virus

  18. Most Common • Early on, the program and boot-sector viruses were the only kind and were about equal in occurrence • Then boot-sector viruses became the more common (even though there was a much larger variety of program infectors) because they were more easily obtained (by an infected floppy)

  19. Most common (Cont.) • With the increasing use of the Internet, especially email, macro viruses have become the most common because they spread the most easily • Hoax viruses have also become quite common, and there is no anti-viral utility to help prevent them

  20. “In the wild” • New viruses are created at a rate of several per day • Most viruses exist only in researchers’ and anti-virus vendors’ collections • The viruses actually being passed around by unsuspecting users are said to be “in the wild” • A virus that stays loaded in memory after its host program exits, so that it can infect every program run afterwards, is said to be (memory) “resident”

  21. Second categorization • Another categorization of viruses is based on how they try to gain entrance to the system or hide from anti-viral software • Trojan horse • Polymorphic • Stealth • Anti anti-virus virus

  22. Trojan Horse • Not necessarily a virus: a Trojan horse need not replicate at all • Refers to malware disguised as software that is useful or fun, to trick the user into copying and executing the program themselves

  23. Polymorphic • A polymorphic virus changes its own code from one infection to the next • One way anti-virus software works is to identify a virus’s “signature”: a string of bytes unique to it, or one that occurs much more often in it than it would in “normal” code • A polymorphic virus tries to beat this means of detection, typically by storing its body encrypted under a different key in each copy so that no fixed byte string is shared between copies, leaving only a small decryptor in the clear, which is then itself varied from copy to copy
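Added example, not from the original deck, showing why a fixed byte signature fails against the scheme just described and what scanners do about it. The "virus body" is a constructed text string standing in for code, the decoder is a fixed marker rather than real instructions, and the transformation is a one-byte XOR; all of that is a simplification chosen for the demo. Real polymorphic engines also rewrite the decoder, which is why scanners fall back on emulating the decryption rather than matching it.

```python
import os

# Constructed stand-in for a virus body: the bytes an analyst would fingerprint.
BODY = b"TOY-BODY: find_host(); attach(); payload();"
SIGNATURE = b"find_host(); attach();"        # the substring chosen as the signature
DECODER_STUB = b"DECODER:"                    # the part that stays readable in every copy


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(body: bytes, key: int) -> bytes:
    """One polymorphic 'generation': constant decoder, 1-byte key, body XOR-encoded under that key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (key 0 would leave the body in the clear)")
    return DECODER_STUB + bytes([key]) + xor_bytes(body, key)


def random_variant(body: bytes = BODY) -> bytes:
    """A fresh copy with a random non-zero key, as each new infection would produce."""
    return make_variant(body, os.urandom(1)[0] or 1)


def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic scanner: look for the fixed byte string anywhere in the sample."""
    return signature in sample


def emulating_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Recognise the decoder, perform its decode step, then apply the ordinary signature.

    This mirrors how real engines handle encrypted bodies: run the decryptor far enough
    (here, one XOR pass) to expose the body, then scan the decrypted bytes.
    """
    if signature_scan(sample, signature):
        return True
    if not sample.startswith(DECODER_STUB) or len(sample) <= len(DECODER_STUB):
        return False
    key = sample[len(DECODER_STUB)]
    decoded = xor_bytes(sample[len(DECODER_STUB) + 1:], key)
    return signature in decoded


if __name__ == "__main__":
    a, b = make_variant(BODY, 0x5A), make_variant(BODY, 0xA3)
    print("copies share bytes beyond the stub:", a[len(DECODER_STUB) + 1:] == b[len(DECODER_STUB) + 1:])
    print("signature scan on original:", signature_scan(BODY))
    print("signature scan on variant: ", signature_scan(a))
    print("emulating scan on variant: ", emulating_scan(a))
```

Two copies of the same virus share nothing but the eight-byte decoder marker, so a signature taken from the body never fires on a variant; the emulating scanner still catches every copy because the decoded body is identical. A signature on the decoder alone would work here only because the stub is constant, which is the first thing a real polymorphic engine varies.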

  24. Stealth virus • In order to replicate, a virus must write to, i.e. change, files • Another thing anti-virus software looks for is files changing (size, contents, checksum) • A stealth virus hooks the part of the operating system that reads files and lies about them: a request to read an infected file is answered with the original, uninfected contents and size, so a scanner running on an infected system sees nothing wrong, which is why scanning from a known-clean boot disk matters

  25. Anti anti-virus virus • A.k.a. “retro” viruses • These viruses try to delete or disable the anti-viral utility software

  26. Damage • What kind of damage can a virus do? • Many viruses have no payload at all. But some viruses can: • Clog email servers • Delete or modify files • Release confidential information • Lower computer performance • Cause loss of productivity

  27. Damage (Cont.) • Display serious or silly messages on screen • Erase files • Scramble data • Cause erratic screen behavior or halt the PC • Beep the keyboard • Damage software • Destroy your trust in your computer • Play music • Display animations • Slow down the computer

  28. Useful Information • You cannot get a virus simply by "being on" the Internet: a virus needs its host program to be run, which takes some user action at some level. (This holds for viruses as defined in these slides; a network worm that exploits a bug in a listening service needs no user action at all.) • Cannot be infected from CMOS memory. • Be aware that viruses are found in pirated software regularly. • Viruses do not infect compressed files, although a compressed file can carry a program that was already infected before it was compressed.

  29. Useful Information (Cont.) • You can’t get a virus by downloading alone; you need to execute the download to get the virus. • Be careful with some software, where downloading and installing occur simultaneously. • Plain data files such as pictures and MP3 music are not executed and so cannot act as a host for a virus; but check that the file really is what its name claims (see Renaming: picture.jpg.exe is a program), and remember that a maliciously crafted data file can still exploit a bug in the program that opens it. • Viruses do not infect computer hardware (though they can render it useless).

  30. Useful Information (Cont.) • Can get viruses from certain data files in Microsoft Office because they contain macros, which are programs that are executable. • Cookies (data files some web sites store on your disk) cannot have viruses. • Can get viruses from EXE and COM files. • Viruses cannot infect files on write protected disks, but infected disks that are then write protected can infect other files. • Viruses do not identify themselves.

  31. Quarantine area • When an anti-virus utility cannot repair (“clean”) a virus-infected file, it might place it in “quarantine”: a holding area for suspicious or infected files • They are unavailable to the user, but not lost forever (in case they contain important data that needs recovering)

  32. Quarantine area (Cont.) • One benefit of allowing the administrator to decide whether files should be returned is that many macro viruses make deliberate and malicious changes to documents or spreadsheets they infect. This means that even after cleaning, files may contain damage, possibly subtle, which affects their validity or usefulness.
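Added example, not part of the original slides, of what "placing a file in quarantine" amounts to in practice: the file is moved out of its original location into a holding directory, stored in an encoded form so it cannot be run by accident or re-flagged by on-access scanning, and recorded with enough metadata (original path, hash, reason) to restore it intact later. The XOR transform, the file layout and the sample "infected" document are all choices made for this demo, not any product's format.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Byte transform for the stored copy: hypothetical fixed-byte XOR, chosen so the copy is
# neither executable nor detected again by a scanner walking the quarantine directory.
QUARANTINE_XOR_KEY = 0x5A


def _transform(data: bytes) -> bytes:
    return bytes(b ^ QUARANTINE_XOR_KEY for b in data)   # XOR is its own inverse


def quarantine(path: Path, qdir: Path, reason: str) -> Path:
    """Move `path` into `qdir` in encoded form, recording where it came from and why."""
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    qdir.mkdir(parents=True, exist_ok=True)
    stored = qdir / f"{digest}.quar"
    stored.write_bytes(_transform(data))
    os.chmod(stored, 0o600)                               # owner-only; unavailable to ordinary users
    meta = {"original_path": str(path), "sha256": digest, "size": len(data),
            "reason": reason, "quarantined_at": time.time()}
    stored.with_suffix(".json").write_text(json.dumps(meta))
    path.unlink()                                         # the infected file leaves its original place
    return stored


def restore(stored: Path, destination: Path = None) -> Path:
    """Decode a quarantined file back to its original location (or `destination`), verifying integrity."""
    meta = json.loads(stored.with_suffix(".json").read_text())
    data = _transform(stored.read_bytes())
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantined copy is corrupt; refusing to restore")
    target = destination or Path(meta["original_path"])
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def run_demo() -> dict:
    """Quarantine a constructed 'infected' document in a temp dir, then restore it; report what happened."""
    root = Path(tempfile.mkdtemp())
    original = b"CONSTRUCTED-DOCUMENT-WITH-MACRO-VIRUS"        # constructed stand-in, not a real sample
    sample = root / "docs" / "report.doc"
    sample.parent.mkdir()
    sample.write_bytes(original)
    stored = quarantine(sample, root / "quarantine", "macro virus detected (constructed demo)")
    result = {
        "original_removed": not sample.exists(),
        "stored_bytes_differ": stored.read_bytes() != original,
        "metadata_kept": json.loads(stored.with_suffix(".json").read_text())["original_path"] == str(sample),
    }
    restored = restore(stored)
    result["restored_identical"] = restored.read_bytes() == original
    result["restored_to_original_path"] = restored == sample
    return result


if __name__ == "__main__":
    print(run_demo())
```

The hash recorded at quarantine time is what lets the administrator decide later whether restoring is safe: the slide's point that a cleaned macro-virus file may still be damaged is the reason the original, uncleaned bytes are kept rather than an attempted repair.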

  33. Prevention Measures • Backup all files regularly • Doesn’t prevent viruses but prevents losses they might cause • Use a reputable anti-virus program • Update your anti-virus program regularly • Sometimes this process can be automated • Be aware of what your anti-virus software does with a virus but cannot disinfect

  34. Prevention Measures (Cont.) • Always remove floppy disks from the A drive when you are not using them • Don't use floppy disks that have been used many times, and passed from computer to computer. • If you are through editing the files on a floppy, write protect it • Don't lend your floppy disks to others • Scan for viruses before using floppy disks from others

  35. Prevention Measures (Cont.) • Don't download files from unknown sources • NEVER open an email attachment unless you are SURE it doesn't contain a virus. • Save or detach an attachment instead of launching it from the mail package • Check all new software for viruses, even ones that were wrapped by the publisher • Pirated software is especially notorious for containing viruses

  36. Prevention Measures (Cont.) • Open Microsoft Office documents with a viewer program rather than directly in the Microsoft application, or have the application prompt you if a macro is used • NEVER accept "games" or "updates" from strangers over email, ICQ, BBS, or any other transfer medium. • Check everything for a virus before using it • Send an email to anyone who sends you an infected file

  37. Prevention Measures (Cont.) • Don't pass on virus warnings without some verification • At work, this is the job of the computer support personnel • Note strange occurrences in your PC's behavior (odd messages, mouse directions switching, etc.) • Never use undocumented commands such as fdisk /mbr to fix virus contamination: it rewrites only the boot code of the master boot record and leaves the partition table as it finds it, so if the virus has moved or encrypted the partition table the disk can become unreadable

  38. The EICAR Standard Anti-Virus Test File • Testing your anti-viral software • This is a simple ASCII (text) file that can also serve as a program. • It contains one line of printable characters; • If saved as EICAR.COM, it can actually be executed. It prints the message: • EICAR-STANDARD-ANTIVIRUS-TEST-FILE!

  39. The EICAR Standard Anti-Virus Test File • Most anti-virus products detect this file as if it were a virus. • This provides a safe and simple way of testing the installation and behavior of your anti-virus software without needing to use a real virus.

  40. The EICAR Standard Anti-Virus Test File • To make your own EICAR test file, create a text file called EICAR.COM containing a single line that looks like this: • X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* • Note that the "O" in the third character position is the letter "oh", not the digit "zero". If you have typed (or pasted) the text correctly, Sophos Anti-Virus will tell you the file contains "EICAR-AV-Test".
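Added example, not from the original deck: the test string from the slide, the checksum to confirm it was typed correctly, and a detector written to the EICAR specification (the first 68 bytes must match exactly, only whitespace may follow, and the whole file may not exceed 128 bytes). The MD5 constant is the published checksum of the 68-byte file; the diagnose helper is this example's own addition for catching the letter-O versus digit-zero slip the slide warns about.

```python
import hashlib
from pathlib import Path

# The 68-byte EICAR string exactly as on the slide; the backslash is escaped for Python.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"      # published checksum of the 68-byte file
TRAILING_WHITESPACE = b" \t\r\n\x1a"                # the only bytes the spec allows after the string
MAX_LENGTH = 128


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_eicar(data: bytes) -> bool:
    """Detect the test file the way the EICAR specification asks scanners to."""
    if len(data) > MAX_LENGTH or not data.startswith(EICAR):
        return False
    return all(c in TRAILING_WHITESPACE for c in data[len(EICAR):])


def diagnose(data: bytes) -> str:
    """Explain why a hand-typed candidate is not being detected (the classic slip is 0 for O)."""
    if is_eicar(data):
        return "ok"
    if len(data) > MAX_LENGTH:
        return f"too long: {len(data)} bytes, limit {MAX_LENGTH}"
    for i, (got, want) in enumerate(zip(data, EICAR)):
        if got != want:
            hint = " (digit zero typed for letter O?)" if (chr(want), chr(got)) == ("O", "0") else ""
            return f"byte {i + 1} is {chr(got)!r}, expected {chr(want)!r}{hint}"
    if len(data) < len(EICAR):
        return f"truncated: {len(data)} of 68 bytes"
    return "non-whitespace bytes after the 68-byte string"


def write_test_file(path: Path) -> str:
    """Write EICAR.COM and return its MD5 so the file can be verified before scanning it."""
    path.write_bytes(EICAR)
    return md5_hex(path.read_bytes())


if __name__ == "__main__":
    print(len(EICAR), "bytes; md5 matches published value:", md5_hex(EICAR) == EICAR_MD5)
    print("typo check:", diagnose(EICAR.replace(b"X5O", b"X50", 1)))
    print("written EICAR.COM with md5", write_test_file(Path("EICAR.COM")))
```

If a product does not flag the file you wrote, compare the MD5 first: a mismatch means a transcription error (diagnose points at the byte), a match means the scanner, not the file, needs attention. Expect the file to be deleted or quarantined the moment it is written if on-access scanning is enabled; that is the behaviour being tested.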

  41. Word Macro Security • Make Word prompt you whenever you try to open a document containing a macro • Some viruses were able to turn this setting off, so it doesn’t hurt to check it

  42. Word Macro Security

  43. Browser security • Many web pages have programs embedded in them • Make sure your browser prompts you before any program is downloaded into your system

  44. I.E. Security

  45. I.E. Security

  46. References • http://www.us.sophos.com/virusinfo/whitepapers/vfiles.html • http://www.vmyths.com/ • http://www.geocities.com/siliconvalley/1710/ • http://library.thinkquest.org/C005965F/main.htm • http://www.cai.com/viurusinfo/virus_intro.htm
