How Do Worms Work

written by: Marcel Baldwin; article published: year 2007, month 09;

The 1988 Morris Worm (the Internet Worm) and its siblings, such as WANK and CHRISTMA EXEC, typically targeted heavy-duty mainframe and minicomputer hardware, their mail systems, and their operating systems. More recent threats have been aimed primarily at PCs and, in one highly publicized incident (the AutoStart worm), Apple Macs. They may, however, have the incidental effect of bringing down mail servers through the sheer volume of traffic they generate. Some of these have been variously classified by different researchers and vendors as viruses, as worms, as virus/worm hybrids, and occasionally as Trojan horses.

Today's worms and email viruses tend to be fast burners. They have the potential to spread globally before anti-virus vendors have time to analyze them and to distribute means of detection and disinfection. Some of the malware commonly referred to as worms are actually specialized viruses that infect only one file. This doesn't mean, of course, that a virus like Lehigh, which infects only COMMAND.COM, can sensibly be defined as a worm.

Universally accepted classifications of worms don't exist, but Carey Nachenberg, in a paper for the 1999 Virus Bulletin Conference, proposed a classification scheme along the following lines:

· Email Worms, unsurprisingly, spread via email.

· Arbitrary Protocol Worms spread via protocols not based on email (IRC/DCC, FTP, TCP/IP sockets).

As well as proposing classification by transport mechanism, Nachenberg also proposed classification by launching mechanism:

· Self-launching Worms such as the 1988 Internet Worm require no interaction with the computer user to spread: They exploit some vulnerability of the host environment, rather than in some way tricking the user into executing the infective code. KAK and the rather rarer BubbleBoy are more recent examples of self-launching worms: by exploiting a scripting vulnerability in the Windows/Internet Explorer environment used by the mail client, they execute when the message is opened or previewed, without the user running any attachment.

· User-launched Worms interact with the user. They need to use social engineering techniques to persuade the victim to open/execute an attachment before the worm can subvert the environment so as to launch itself onto the next group of hosts. Many of today's VBScript worms fall into this or the Hybrid-launch category.

In fact, some of the worms we've seen to date are probably better classified as Hybrid-launch Worms (by Nachenberg's classification scheme) or multipartite (in terms of conventional virus terminology) because they use both self-launching and user-launched mechanisms.

Virus Characteristics

The following characteristics are not necessarily restricted to particular virus/worm classifications, but are of some importance if only because of the way the terms stealth and polymorphism are so often misused:

· Stealth. Almost all viruses include a degree of stealth, that is, they attempt to conceal their presence in order to maximize their chances of spreading. There have been viruses that asked permission before infecting, but this courtesy has not been rewarded by wide dissemination. Conspicuous payloads tend to be avoided, or are delivered fairly irregularly. Stealth viruses use any of a number of techniques to conceal the fact that an object has been infected. For example, when the operating system calls for certain information, the stealth virus responds with an image of the environment as it was before the virus infected it. In other words, when the infection first takes place, the virus records information necessary to later fool the operating system.

This also has implications for anti-virus tools that work by detecting that something has changed (integrity checkers) rather than by detecting and identifying known viruses. To be effective, such tools must use generic anti-stealth techniques, such as obtaining file information by a route the virus has not hooked. Of course, it isn't possible to guarantee that such techniques will work against a virus that has not yet been discovered. Virus scanners that detect known viruses are at an advantage in this respect, because vendors will normally compensate for a new spoofing technique when they add detection for the virus that employs it. The trick employed by some boot sector infectors (BSIs) of displaying an image of the original boot sector as if it were still where it belonged is a classic stealth technique. File viruses characteristically (but not invariably) increase the length of an infected file, and can spoof the operating system or an anti-virus scanner by subverting system calls so that the file's attributes before infection are reported, including file length, time and date stamp, and CRC checksum.

· Polymorphism. Polymorphic viruses are adored by virus authors and feared by nearly everyone else. This is partly because of an over-estimation of the impact of the polymorphic threat. Non-polymorphic viruses usually infect by attaching a more-or-less identical copy of themselves to a new host object. Polymorphic viruses attach an evolved copy of themselves, so that the shape of the virus changes from one infection to another. Early polymorphic viruses used techniques such as changing the order of instructions, introducing noise bytes and dummy instructions, and varying the instructions used to perform a specific function. A more sophisticated approach is to use variable encryption, drastically reducing the amount of static (unchanging) code available to the anti-virus programmer for extracting a pattern by which the virus can be identified; only a small, variable decryptor remains in the clear. You might imagine (as many people do) that this makes polymorphism a formidable technology to counter. Indeed, the emergence of polymorphic viruses and plug-in mutation engines (enabling almost any virus author to include variable encryption in his own work without reinventing the wheel) contributed to the disappearance of some of the earlier anti-virus packages. However, although polymorphic viruses are popular with virus authors demonstrating their skills, they have been less well represented in the field than in the collections of anti-virus researchers, certification laboratories, comparative testers, and others who need as complete a collection as possible. Anti-virus scanning technology has also moved on, and simple signature scanning for a fixed character string doesn't play a large part in the operation of a modern scanner.
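As an added illustration of the stealth discussion above (example code written for this page, not taken from the article or from any product): an integrity checker that trusts the operating system, a simulated resident stealth virus that hooks the file-information services the checker relies on, and the generic anti-stealth countermeasure of cross-checking against an independent view of the disk. The in-memory "disk", the file contents and the virus marker are all constructed for the example.

```python
"""Added example, not from the article: a change-detecting anti-virus tool
(integrity checker) versus a stealth file infector, simulated in memory.
The 'disk', the 'virus' marker and the hooked services are all constructed
for illustration; the stealth class sits between checker and OS exactly where
a resident stealth virus sits between DOS and a scanner."""
import zlib

VIRUS_BODY = b"[TOY-VIRUS-BODY]"   # constructed marker, not executable code


def attributes(data, mtime):
    """The view an integrity checker records: length, timestamp and CRC."""
    return {"size": len(data), "mtime": mtime, "crc": zlib.crc32(data)}


class Disk:
    """Ground truth: what is really stored (name -> (bytes, mtime))."""
    def __init__(self, files):
        self.files = dict(files)

    def read(self, name):
        return self.files[name][0]

    def mtime(self, name):
        return self.files[name][1]

    def write(self, name, data, mtime):
        self.files[name] = (data, mtime)


class HonestOS:
    """Unhooked system services: stat() and read() report what is on disk."""
    def __init__(self, disk):
        self.disk = disk

    def stat(self, name):
        return attributes(self.disk.read(name), self.disk.mtime(name))

    def read(self, name):
        return self.disk.read(name)


class StealthVirus:
    """Infects a file, keeps its timestamp, then hooks stat()/read() so that
    anyone asking through the OS gets the recorded pre-infection image."""
    def __init__(self, os_):
        self.os = os_
        self.originals = {}   # name -> (clean data, clean mtime)

    def infect(self, name):
        data, mtime = self.os.disk.read(name), self.os.disk.mtime(name)
        self.originals[name] = (data, mtime)
        self.os.disk.write(name, data + VIRUS_BODY, mtime)   # timestamp kept

    def stat(self, name):   # hooked service
        if name in self.originals:
            return attributes(*self.originals[name])
        return self.os.stat(name)

    def read(self, name):   # hooked service: "disinfect on read"
        if name in self.originals:
            return self.originals[name][0]
        return self.os.read(name)


def snapshot(os_, names):
    """Baseline taken while the system is clean."""
    return {n: os_.stat(n) for n in names}


def naive_check(os_, baseline):
    """Trusts the OS: compares stat() now with stat() at baseline."""
    return [n for n, attrs in baseline.items() if os_.stat(n) != attrs]


def anti_stealth_check(os_, raw_disk, baseline):
    """Generic anti-stealth: take a second, independent view (the raw disk,
    as a scanner run from clean boot media or using direct sector reads
    would) and compare it with both the baseline and the OS view. A real
    change, or any disagreement between the two views, flags the file."""
    changed = []
    for n, attrs in baseline.items():
        raw = attributes(raw_disk.read(n), raw_disk.mtime(n))
        if raw != attrs or raw != os_.stat(n):
            changed.append(n)
    return changed


def run_demo():
    disk = Disk({"COMMAND.COM": (b"MZ clean command interpreter", 1000),
                 "EDIT.EXE": (b"MZ clean editor", 1001)})   # constructed files
    honest = HonestOS(disk)
    baseline = snapshot(honest, list(disk.files))
    virus = StealthVirus(honest)
    virus.infect("COMMAND.COM")
    return {"naive": naive_check(virus, baseline),              # fooled: []
            "anti_stealth": anti_stealth_check(virus, disk, baseline),
            "naive_virus_not_resident": naive_check(honest, baseline)}
```

Calling run_demo() shows the naive checker reporting nothing, because the virus hands it the length, timestamp and CRC it recorded before infecting COMMAND.COM, while the cross-check flags the file. The same naive checker detects the change as soon as the virus is not resident, which is why scanning after a clean boot from write-protected media was the standard advice. The caveat in the text stands: a virus that also hooks the lower-level disk services the "independent" view relies on can fool this as well, so no generic technique is guaranteed against an unknown virus.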
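To make the polymorphism discussion above concrete, here is an added example (written for this page, not from the article): a toy mutation engine in the spirit of the plug-in engines mentioned, producing copies that share no usable fixed byte string, together with the two scanning approaches the text contrasts. The decryptor instruction set, the virus body and the extracted "signature" are all constructed for the example.

```python
"""Added example, not from the article: a toy mutation engine that emits
polymorphic copies of one virus body, a fixed-string signature scanner that
fails on them, and an emulating scanner that does not. The decryptor
'instruction set' is constructed for this example and stands in for the x86
stubs real engines generate:
    0x01 hi lo   load a 16-bit key          0x90   junk byte / NOP
    0x02 m       cipher mode (0=XOR, 1=SUB)  0xFF   decrypt what follows, run it
"""
import random

OP_KEY, OP_MODE, OP_NOP, OP_RUN = 0x01, 0x02, 0x90, 0xFF
XOR, SUB = 0, 1
VIRUS_BODY = b"[TOY-VIRUS: copy me into the next host file]"   # constructed


def _cipher(data, key, mode, decrypt):
    """Alternate the two key bytes over the data; XOR, or byte-wise add/sub."""
    ks = (key >> 8, key & 0xFF)
    out = bytearray()
    for i, b in enumerate(data):
        k = ks[i % 2]
        if mode == XOR:
            out.append(b ^ k)
        else:
            out.append((b - k) & 0xFF if decrypt else (b + k) & 0xFF)
    return bytes(out)


def make_copy(rng):
    """Mutation engine: fresh key and mode, setup instructions in random
    order, random junk between them; the body is never stored in the clear."""
    key = rng.randrange(1, 0x10000)
    mode = rng.choice([XOR, SUB])
    setup = [bytes([OP_KEY, key >> 8, key & 0xFF]), bytes([OP_MODE, mode])]
    rng.shuffle(setup)
    stub = b""
    for ins in setup:
        stub += bytes([OP_NOP]) * rng.randrange(0, 4) + ins
    stub += bytes([OP_NOP]) * rng.randrange(0, 4) + bytes([OP_RUN])
    return stub + _cipher(VIRUS_BODY, key, mode, decrypt=False)


def emulate(sample):
    """Run the stub in a sandbox up to OP_RUN and return the bytes it would
    hand to the CPU (the decrypted body). An unknown opcode means 'not this
    decryptor' and stops emulation."""
    key, mode, i = 0, XOR, 0
    while i < len(sample):
        op = sample[i]
        if op == OP_KEY and i + 2 < len(sample):
            key, i = (sample[i + 1] << 8) | sample[i + 2], i + 3
        elif op == OP_MODE and i + 1 < len(sample):
            mode, i = sample[i + 1], i + 2
        elif op == OP_NOP:
            i += 1
        elif op == OP_RUN:
            return _cipher(sample[i + 1:], key, mode, decrypt=True)
        else:
            return None
    return None


def static_scan(sample, signature):
    """A plain string scanner: is this fixed byte string present?"""
    return signature in sample


def emulating_scan(sample, body_signature):
    """Decrypt by emulation first, then match a string from the constant body."""
    plain = emulate(sample)
    return plain is not None and body_signature in plain


def longest_common_run(a, b):
    """Longest byte string shared by two samples (brute force; inputs are tiny)."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best


def run_demo(n=20, seed=7):
    rng = random.Random(seed)
    copies = [make_copy(rng) for _ in range(n)]
    sig = copies[0][-16:]   # "signature" lifted from the first sample's encrypted body
    return {
        "copies": n,
        "static_hits": sum(static_scan(c, sig) for c in copies),
        "emulation_hits": sum(emulating_scan(c, b"TOY-VIRUS") for c in copies),
        "longest_run_shared_with_first": max(longest_common_run(copies[0], c)
                                             for c in copies[1:]),
        "clean_file_flagged": emulating_scan(b"MZ clean program", b"TOY-VIRUS"),
    }
```

With run_demo(), a signature lifted from one copy matches essentially only that copy, and the longest byte string the first copy shares with any other is far shorter than a usable signature; the emulating scanner, which runs the decryptor in a sandbox and then inspects the constant body, catches every copy and passes a clean file. Real engines vary the decryptor far more (register choice, instruction substitution, junk that is itself executable), which is why modern scanners rely on emulation and algorithmic detection rather than fixed strings.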

The classifications of viral malware described earlier do not cover the entire range of objects detected by anti-virus software. Some vendors are quick to point out that what they sell is anti-virus software, not anti-malware software. Nonetheless, nowadays most commercial products detect some Trojan horses and other objects that barely qualify as malware, let alone viruses. Such objects include intended (non-functioning) viruses, joke programs, DDoS programs (Distributed Denial of Service), even garbage files that are known to be present in poorly maintained virus collections likely to be used by product reviewers.

Certainly, there are more viruses that infect PC platforms (DOS and all flavors of Windows) than any other operating system. Native Macintosh viruses are far fewer. In fact, there are probably more native viruses on systems such as Atari and Amiga that have never had the same popularity (in corporate environments, at least). However, the fact that Apple Macintoshes share with Windows a degree of vulnerability to Microsoft Office macro viruses makes them the other main virus-friendly environment today.

It should not be assumed, however, that other platforms don't have virus problems. Access controls can be imposed on unprivileged accounts in UNIX (including Linux), NT, NetWare, and other platforms to restrict infection flow. However, they can't prevent unprivileged users from sharing files, if only by email. Nor can they prevent a privileged user from inadvertently spreading infection. Even systems that don't support any known native viruses (servers or workstations) can carry infected objects between infectable hosts, a process sometimes known as heterogeneous virus transmission. It's just as important to scan network file servers, intranet servers, and other Web servers, regardless of their native operating system. In fact, an increasing number of products detect viruses associated with other operating environments. Thus some Mac products detect PC viruses, and vice versa.

Clearly, viruses do represent a risk on the Internet. That risk is higher for those running DOS, any variant of Windows, or certain macro-capable applications, especially the Microsoft Office applications suite. Mostly this is a matter of market share: Most virus writers target PCs and Windows because that's what they have access to. However, there are other factors that increase the risk: for example, PC hardware architecture, Microsoft's historically rosy view that single-user systems had little need for security, and the dangers of having macro code and data in the same file. There are some tools to help keep systems safe from virus attacks. Anti-virus software is mostly reactive: It responds to a perceived threat, and works most effectively against threats it can identify with precision (that is, known viruses). The best defense against unknown viruses is often to work in an environment that doesn't provide a host to particular classes of threat. Sadly, however, this is often not an option, particularly in some corporate environments where Microsoft products are considered obligatory.
