Viruses and their kin (and associated terminology)
Virus: defined in computer science as a self-replicating piece of executable code. Any program that can copy itself from one location to another without user intervention, and set itself up so that it will execute automatically, also without user intervention, is by definition a virus. It should be noted that nowhere in the definition of a virus is doing damage mentioned. Most do damage the system, but such viruses are technically called malicious viruses. Viruses generally come in two classes: fast (prolific) replicators and slow (non-prolific) replicators. There are advantages and disadvantages to each replication technique.
Warhead: any piece of code designed specifically to cause damage. Almost all warheads damage data, either directly or by damaging the file system's low-level data structures, which in turn usually causes massive and catastrophic data loss. Warheads are either immediate or event triggered. Immediate warheads cause data destruction the moment they arrive in the system and are rarely used in malicious viruses. Event-triggered warheads lie dormant waiting for the trigger event; when it occurs, they proceed to damage the data.
Vector: Just like viruses in the living world, viruses in the digital world must infect hosts and have a method of delivery between hosts. In the living world, infected hosts and delivery methods are referred to as vectors. For example, the black plague infected Europeans in the dark ages through flea bites. However, a flea could only deliver the pathogen in the stage of its complicated life cycle that was an actual threat if it had first bitten an infected rat. So the rat was the infected host; the flea bit it, picked up the deadly form of the pathogen, and then carried it to a human, which it bit, infecting the human. Both the rat and the flea are in this case called vectors: carriers and delivery methods of this human affliction. In computer viruses, there exist clean host computers, infected host computers, and vectors, which are the means of infection and delivery of the virus (which is nothing more than data) to another clean host. Common physical delivery vectors include:
removable media: floppy disks, flash drives, CD-R/RW and DVD±R/±RW
remote/network connectivity devices: modems, network interface cards
Common binary vectors (structures likely to actually be infected by the virus on any given host computer) include:
binary executable files: In DOS/Windows this means *.COM and *.EXE files, as well as, to a lesser extent, overlays (*.OVL) and dynamic link libraries (*.DLL)
Volume Boot Record of removable and non-removable drives
Master Boot Record of local drives
Interpreted executable OS "scripts" including: DOS/Windows batch files (*.BAT), Windows Scripting Host script files (*.VBS, *.WSH, etc.), and shell scripts (*.SCR and *.CMD)
Interpreted executable software "scripts" including: AutoCAD LISP includes, BASIC programming language source files, embedded JavaScript source (a.k.a. XSS, Cross-Site Scripting viruses), and embedded Visual Basic for Applications (a.k.a. MS Office macro viruses).
Software data files with object support including: images like *.GIF and *.JPG, web pages capable of being infected by JavaScript source injection (a.k.a. XSS, Cross-Site Scripting viruses), MS Office documents capable of carrying embedded Visual Basic for Applications (a.k.a. MS Office macro viruses), and MS Outlook data files, which can easily be exploited using VBA as well.
Malicious Virus - Virus + Warhead: This is what most people think of when they hear the term "virus." By definition this structure can copy itself to new locations without the intervention (or knowledge) of the user, set itself up in the new location (including a new computer system in which it has arrived over the network) so that it will automatically get a chance to execute (also without user intervention or knowledge), and it carries embedded within it a warhead, usually event triggered, that will do damage to the target system's data. A good example of this is the Jerusalem B virus, which was designed to infect diskette and hard disk boot sectors (the virus engine component) and to continue this behavior until Friday, March 13, 1992. On that date it would corrupt the partition tables of the PC on which it resided, effectively destroying the entire C: drive (and all logical drives) and all data on them (the event-triggered warhead component).
Trojan Horse - Warhead disguised as friendly code: one of the lesser understood forms of malicious code, the trojan horse is NOT a virus, in that it does not have the ability to copy itself from one location to another and consequently does not have the ability to set itself up to execute automatically either. Instead it relies on deception, masquerading as a friendly program so that the user will intervene and manually execute it. Once executed by the user, it has all of the power and authority (rights) of the user and can set itself up to run automatically from then on. Trojan horses can even carry locally infectious viruses and release them into the computer upon user execution. Modern Windows-era trojan horses can even release old, tried and truly devastating DOS-era viruses (even Jerusalem B, mentioned earlier), thus causing a resurgence of these viruses as the main warheads being delivered in Windows trojan horse "wrappers."
Worm: The original and deprecated definition of a worm was a virus capable of self-replication over the network. However, the virus vector does not significantly change the nature of the virus, so viruses that can self-replicate over the network are now properly referred to as viruses, and the new definition of a worm is: any virus whose self-replication activity is allowed to run unrestricted such that this behavior in and of itself consumes so many computer resources that it becomes the warhead. Since a virus is by definition any auto-self-replicating program, any such program that replicates so profusely that this behavior bogs down the system and even crashes it is a worm. It should be noted that the old meaning of the term still persists, and many modern viruses that can replicate across the wire are called worms by the old definition of the term. A modern worm by the modern definition was the Blaster Worm, whose prolific self-replication across the wire was so wildly out of control and caused such a network traffic bottleneck that this was how it was noticed, and this was the extent of the trouble it caused.
Resident vs. Non-resident viruses: Non-resident viruses consist of a replication module which, when activated, becomes memory resident, performs whatever self-replication activities it desires, and then removes itself from RAM until its next opportunity to be activated. Infected executables often embed the virus at the beginning of the executable so that when the program is run, the replication module gets to execute first; it performs an injection into another executable, then erases itself from RAM and passes control to the original executable that it infected. Resident viruses enter RAM at their execution opportunity and then remain resident in RAM for the duration of the computing session, periodically gaining use of the CPU and performing their status checks and replication activities as they desire. Old DOS boot sector viruses were often resident viruses that remained active until the PC was turned off.
Morphic virus: There are three basic types of morphic viruses:
Encrypted virus: These viruses encrypt themselves using a different key each time, thereby disguising their existence and making it difficult to put their signature into an anti-virus list for anti-virus software to attempt to match. The virus then consists of a small decryption module, with the rest consisting of the encrypted body. Anti-viruses attempt to locate the decryption module, which cannot itself be encrypted or it would not be able to execute.
Polymorphic virus: These viruses also encrypt themselves with variable encryption keys, but they also modify the decryption module, making them much harder to detect, because even the decryption module gets modified each time they create a new copy of themselves. Polymorphic viruses posed the first truly dangerous threat to the computing world, since no anti-virus could possess a concise, accurate description of one to latch onto in performing its pattern matching searches. The solution was to have the anti-virus create a virtual PC emulator; it would then release files into the emulator, and if a file was a polymorphic virus it would decrypt itself, and this decrypted variation could then be checked against the pattern in the anti-virus list.
Metamorphic virus: Another variation of the polymorphic virus, in which the virus does not just change by using randomly chosen encryption keys but also changes its own actual executable code algorithms. Basic metamorphs generally use the polymorphic overall design, but once decrypted in RAM, they change their own actual working code, encrypt themselves using another key, then insert this new variant into the target vector. Another term for metamorphic viruses is then mutating viruses, since the actual working code mutates with each new iteration or copy. Metamorphic viruses are extremely resistant to detection within the virtual PC emulation RAM created by the anti-virus software, because each individual is unique, making flat pattern matching against the master signature held in the anti-virus signature file impossible. The only method of detecting a metamorphic virus is to release it in the emulator region, detect the polymorphic behavior (automatic decryption of the body), detect the metamorphic behavior (automatic modification of the body), detect the polymorphic behavior again (re-encryption of the modified body), detect the virus engine behavior (auto-self-replication; injection into a new vector/host), and possibly identify potentially threatening algorithms within the unencrypted body (identification of the warhead).
Stealth virus: While these do go back to the DOS era, modern stealth viruses are a particularly dangerous problem for modern Windows systems. Stealth viruses are by definition a special form of resident virus, in that they stay active in RAM and actively monitor system-wide events, including the activation of anti-virus software. When they detect that such an event has been undertaken, they take appropriate countermeasures: either they avoid detection by the anti-virus software, which may include intercepting low-level OS file access and delivering non-infected versions of the file to the AV engine, or they survive the AV scan by hiding out either in RAM or, using some trojan-horse-like maneuver, in a single file after the AV has already scanned that file and determined that it is clean. The only known method of defeating a stealth virus is to be 100% certain that it is not active in RAM. The only way to do this is to boot the system from a KGCC alternate OS or from a KGCC disk and then scan and disinfect all files.
KGCC - Known Good/Certified Clean System or Boot Disk: When dealing with a virus on a network, it should be abundantly clear that any system could be infected, and therefore it must be assumed that ALL systems at that site have been infected. A virus on a networked machine is a "site-wide" threat and a "site-wide" infection until it can be asserted that it is not; guessing is unacceptable. The only system onsite that can be asserted as uninfected is one that has never been attached to the network with the others. Furthermore, any machine that has been exposed to the Internet without proper defensive countermeasures against malicious code cannot be asserted as uninfected. A Known Good Certified Clean system is then: a PC that has had a clean install of the OS and all proper defensive software prior to exposure to the Internet, where it was exposed only for the purpose of downloading the latest updates to the OS and the defensive software packages. A Known Good Certified Clean Boot Disk can only originate on a KGCC system, and it must be completely write-protected. Such a KGCC disk would be, for example, a bootable CD-R, which can only be recorded once. Any further attempt to write data to the CD-R will fail, making it a perfect write-protected medium from which to boot up suspicious hosts.
Signature: The stretch of code that is specific to the virus, either part of the auto-self-replication module (the virus engine), the data damaging component (the warhead), or the decryption/mutation engine, or a combination of these that is unique to the virus.
Signature List or Database: The file or collection of files that hold the signatures for all known viruses. The anti-virus software uses this list by opening each potential vector on the system and scanning it byte-by-byte, trying to match it against any signature in the database. If a match is found, then the vector has been determined to be infected.
Anti-Virus engine: The program code of the anti-virus software that opens each potential vector and compares its contents with the contents of the virus signature list. Modern AV engines are extremely powerful and sophisticated programs capable of generating an entire virtual PC emulator in RAM, where they can release potentially infected files in order to fool a morphic virus into "coming out of hiding" and trying to infect other files within the virtual PC environment that the AV engine has prepared for it. If it does, then the AV engine can identify it as an infected file and sometimes accurately identify which virus it is (in the case of encrypted viruses and polymorphic viruses).
Heuristic Analysis: Modern AV engines all possess heuristic analysis capabilities. Heuristics means "acting like a human" or "thinking machine." In attempting to identify a metamorphic virus, the AV engine has no entry for it in its signature database, because one does not exist: these viruses constantly mutate, changing their form sufficiently that no simple signature exists for them to scan for. As a result, the AV engine must instead release the potential mutating virus into the virtual PC emulator in RAM and observe its behavior in order to identify it as a potential threat: decryption (polymorphic module), auto-self-mutation (metamorphic module), re-encryption (polymorphic module), and auto-self-replication (virus module), along with scanning the content, while unencrypted, for potentially dangerous program code (the warhead module), again without a fixed template. Because the AV engine must identify these viruses based on their general behavioral traits, it is using a rudimentary form of artificial intelligence in doing so. It is capable of recognizing a general pattern of behavior of the suspected vector, which is a distinctly human-like activity that is very difficult for programs to do well.
AV Scan: The main activity of the AV engine, in which the software scans the files on the system, comparing each one's content with all known virus signatures in its virus signature lists. Modern AV scanners must also create a virtual PC emulator environment in which to release potentially infected files, in order to allow polymorphs to decrypt themselves, thus exposing their core signatures for detection, and to observe for such related behaviors in order to use heuristic analysis to identify metamorphs that cannot be detected any other way. AV scans allow the user to choose many options, including "full system scans" vs. "scan selected areas" and scanning "all files" vs. "potential threat files." Obviously a system where a virus is suspected should be subjected to a full system scan, not just specific areas, and such a scan should include all files, not just the potential-threat files (the most common binary vectors).
Quarantine: In some cases an AV engine cannot be 100% certain that it has identified a virus, or it cannot ascertain with 100% certainty which specific section of the file is actually infected, or it cannot actually delete the affected area of the file due to the countermeasures that the virus is actively engaged in. In any of these scenarios, the AV will announce that it cannot successfully cleanse or inoculate the file and will offer to quarantine it instead. This means that the file will be copied to a new location and encrypted by the AV engine. When the user accesses it, the AV engine will decrypt it and allow it to launch into a virtual PC emulation, where any destructive activities it attempts will occur within this virtual realm and cause no further damage to any other data on the PC. It should be noted that the virus would still have the ability to continue causing damage to the file it has infected. So if the file is important, it should be opened immediately and all data within it should be copied at one time to a new file outside of the quarantine area. The AV engine should then be allowed to scan this new data file to assert that it is clean and that the virus was not copied as well.
Cleanse or disinfect: The AV engine successfully removes all traces of the virus from the file. Sometimes this cannot be accomplished, either because the virus is a polymorph and the actual region that it is infecting cannot be accurately determined, or because the file has been infected with a stealth virus which is taking active steps to protect itself within the affected file, such as copying itself back into it instantly every time it is cleansed from it, or because the original file has already been partially or totally corrupted by the virus. In such cases the file can either be deleted or quarantined at the discretion of the user.
Inoculation: This term is used by specific AV software to mean one of two things, and it is important to determine exactly what the specific AV software means when it uses this term: 1) cleansing an infected vector, or 2) applying active real-time scanning protection to monitor all activity on the host. Obviously the two meanings are totally different, and misunderstanding what the AV is trying to do could mean disaster.
Active Real-Time Protection or shield: This is one of the most important features of any good AV software package. The AV runs a small AV engine as a background process, usually visible in the System Tray of Windows, and actively scans all data that is passing through the OS and its applications as it occurs. This includes watching the stream of data arriving at the Network Interface Card as it travels from the device into the Web browser software, watching files that are opened and read, and especially watching the data that gets written to any file at any time. If this data matches any pattern in the virus signature database, the operation will be halted and the user will be notified of the threat. It should be noted that each data activity must be scanned against the entire virus signature list, and modern lists are exceeding 20 megabytes in size. That is a lot of data to compare against each data event in the system as it occurs. Running a strong and thorough AV shield will, not surprisingly, slow down the overall performance of the system, but no matter how bad the performance is as a result of the AV shield, it is preferable to running the machine unprotected in the presence of high-risk vectors, which include the highest risk one of all: the Internet.
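The following is an added example and not code from the original page. It shows, in a toy form, the signature-list matching described in the Signature, Signature List and AV Scan entries together with the emulator step that the Encrypted and Polymorphic virus entries call for: a constructed body is hidden behind a different single-byte XOR key in each copy, so only the unencrypted decryptor stub matches statically, while "running" the stub in the emulation pass exposes the engine and warhead signatures. The stub format, signature names and byte patterns are all constructed for this example.

```python
"""Toy AV scanner: flat signature matching plus a minimal emulation pass.

Added example, not code from the original page. The sample format is
constructed: STUB_MAGIC, then key (1 byte), then body length (2 bytes,
big-endian), then the body XORed with key. Anything else is a plain buffer.
"""
import os
from typing import Dict, List, Optional

# Constructed signature database (name -> fixed byte pattern).
SIGNATURES: Dict[str, bytes] = {
    "toy-engine": b"COPY_SELF_TO_NEXT_HOST",     # auto-self-replication module
    "toy-warhead": b"WIPE_PARTITION_TABLE_NOW",  # event-triggered damage module
}

# The decryptor stub must stay in the clear to run, so its fixed bytes are a
# signature too. A polymorph would rewrite this stub per copy, leaving only
# the emulation pass below as a detection route.
STUB_MAGIC = b"\xebTOY-XOR-DECRYPT\x00"
SIGNATURES["toy-decryptor-stub"] = STUB_MAGIC

# "Potential threat files": the common binary vectors listed on the page.
THREAT_EXTENSIONS = {".com", ".exe", ".ovl", ".dll", ".bat", ".vbs", ".wsh", ".scr", ".cmd"}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the toy body cipher that the stub undoes."""
    return bytes(b ^ key for b in data)


def build_sample(body: bytes, key: int) -> bytes:
    """Constructed test input only: wrap body in the toy stub using key."""
    if not 0 <= key <= 255 or len(body) > 0xFFFF:
        raise ValueError("key must fit in one byte and body length in 16 bits")
    return STUB_MAGIC + bytes([key]) + len(body).to_bytes(2, "big") + xor_bytes(body, key)


def match_signatures(data: bytes) -> List[str]:
    """Flat pattern match of every database entry against the raw bytes."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def emulate_decryptor(data: bytes) -> Optional[bytes]:
    """Stand in for the virtual PC: perform the stub's own decryption and
    return the body, or None if the buffer does not carry a complete stub."""
    if not data.startswith(STUB_MAGIC):
        return None
    pos = len(STUB_MAGIC)
    if len(data) < pos + 3:
        return None
    key = data[pos]
    length = int.from_bytes(data[pos + 1:pos + 3], "big")
    enc_body = data[pos + 3:pos + 3 + length]
    if len(enc_body) != length:
        return None  # truncated sample: the header cannot be trusted
    return xor_bytes(enc_body, key)


def scan_buffer(data: bytes) -> Dict[str, List[str]]:
    """Static pass on the raw bytes, then a pass on the emulated body."""
    findings = {"static": match_signatures(data), "emulated": []}
    body = emulate_decryptor(data)
    if body is not None:
        findings["emulated"] = match_signatures(body)
    return findings


def is_infected(findings: Dict[str, List[str]]) -> bool:
    return bool(findings["static"] or findings["emulated"])


def scan_tree(root: str, all_files: bool = True) -> Dict[str, Dict[str, List[str]]]:
    """Walk root; with all_files=False open only the potential-threat vectors."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not all_files and os.path.splitext(name)[1].lower() not in THREAT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                report[path] = scan_buffer(fh.read())
    return report


if __name__ == "__main__":
    body = b"prologue " + SIGNATURES["toy-engine"] + b" ... " + SIGNATURES["toy-warhead"]
    print("plain :", scan_buffer(body))
    for key in (0x5A, 0xC3):  # same body, different key in each copy
        print(hex(key), ":", scan_buffer(build_sample(body, key)))
```

Running the script shows the plain body matching both content signatures, while each wrapped copy matches only the stub statically and yields the engine and warhead signatures from the emulated pass; with a rewritten stub (the polymorphic case) the static column would be empty and only emulation would remain.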
Spyware and their kin:
Spyware: By definition, any code designed specifically to obtain data from the user without the user's knowledge or intervention, as opposed to the basic definition of a malicious virus (and its kin), which is designed to destroy the user's data. Spyware comes in just about as many varieties as do viruses and sometimes comes packaged as a virus or a close relative of one.
Adware: By definition, any code designed to generate advertising directed at the user without the user's consent. This includes the introduction of more malicious forms of spyware embedded within installers for other programs that the user does want, such that the user unwittingly consents to the installation of the adware or other more malicious spyware agent.
Malware: By definition, any code designed to perform any kind of malicious act against the system or the user: malicious software. Classifications of malicious actions include damaging data and stealing data. Forms include:
Infectious Malware: viruses, worms
Concealed Malware: trojan horses, "drive-by downloads," phishing
Profit motive malware: adware, web use tracking, stealware, spyware
Corporate spyware: This spyware is installed by the organization purposely to track the activities of its employees, especially while they are using the Internet. Companies justify the installation of such packages, and the warnings to their employees of its existence, as a way to thwart browsing of such websites as online gambling sites (illegal in most states) and pornographic websites whose content may be completely illegal (underage models). Since the FBI tracks all traffic to such sites, the company is protecting itself by discouraging its employees from visiting potentially illegal sites and even detecting it when it happens. The problem lies in the fact that many anti-spyware suites will detect the desired spyware and report it, and in some cases even successfully remove it, reopening the problem (unlimited Internet access) on the workstation. This has led many manufacturers of desirable corporate spyware to pressure anti-spyware manufacturers into not reporting or disabling their products. This in turn has led spurious individuals to modify these spyware packages, which the anti-spyware leaves alone, for their own use.
Phishing: Sending authentic-looking email that appears to come from reputable websites to end users, using the mass emailing techniques known as spamming. When the user clicks on any link in the email, the user has performed a cooperative activity that can be redirected to do any kind of undesirable activity, including: downloading and installing malicious code (low-level spyware, a trojan horse, a virus, etc.), or redirecting the user to the spyware author's site, which in turn looks like the authentic site that the email seems to have come from and presents to the user the familiar-looking login user name and password boxes. At this point, if the user proceeds to log in, the spyware author's server records the user name and password for them to use at any time. If the victim was fooled into believing that the website was their bank, the result could be devastating.
Spamming: A particularly overwhelming problem for the modern Internet, spamming is by definition mass blind emailing. While the primary intention of most spam may be as relatively harmless as its physical mail equivalent, "junk mail," there exist enough malicious versions that all unrecognized email should be deleted immediately. Note: even opening email or any other related message can activate malicious code immediately and should be avoided at all costs. This can include any form of communication that can embed HTML, including unknown website links, web-based email of unverifiable origin, or live chat window invitations or transmissions from unknown people, any of which can be a powerful and dangerous phishing event or even embed devastating malicious code that activates immediately.
"Drive-by downloading": Takes advantage of web browser vulnerabilities to force a surreptitious download from the spyware author's website onto the visitor's system. Actively installing an executable and running it allows this program to accomplish any desired task. It is as powerful and as dangerous as any trojan horse, and technically speaking it is one. Well-known vulnerabilities become known in the malicious code and anti-virus/anti-spyware communities as exploits.
Tracking: This form of spyware monitors the user's web surfing in order to collect information about the user's interests, in order to create customized advertisements that will contain items that interest the user, greatly improving the likelihood of the user pursuing them. While many companies, even reputable ones, engage in this activity, which they argue is just "good marketing," they are nevertheless obtaining private information from the user's computer without their knowledge or consent, and that is, by definition, spyware.
Stealware: Not an end-user concern, but definitely a corporate concern. Stealware authors intercept legitimate companies' advertisements, either pop-ups or embedded webpage banners, redirecting the users who click on them to their own sites instead. They gain from this action either directly, by taking credit for the users' pursuit of the links to their sites (pay-per-click advertising reimbursements), or by getting the business of the customer rather than the original advertiser.
Keylogger: One of the most dangerous forms of spyware, the keylogger program infiltrates the local system, records all keystroke events at the system level, and then transmits keystroke logs or transcripts back to the author. The keylogger program itself is a stealth technology that usually either does not appear at all in the Windows Task Manager active processes list or appears there under a friendly-name alias. The program is usually equipped with enough internal components to be able to deliver the keystroke transcripts without the system's help, usually by emailing them (they can make the transmission by themselves as soon as the system gains access to the Internet).
Rootkit: Another very dangerous form of spyware, the rootkit is a program or group of programs (hence the name rootkit) that establishes administrative-level access rights on the compromised system. Rootkits are the next-generation evolution of the keylogger: they infiltrate the system and allow access to and control of all information and functions from a distance. That is, once installed, a rootkit is usually extremely difficult to detect, because it has the highest system privilege level and is capable of forcing the task manager to skip it while displaying the active processes list; it is difficult to remove, because of this privilege level; and it gives a spurious user full access rights and remote control of the system.
Backdoor: Back doors are security holes purposely designed into software or network systems, usually by the maker of the product. The justification is that backdoors allow them to bypass certain security techniques, allowing them to identify their users, or to detect if the system is registered or pirated, etc. When backdoor information leaks, it then becomes a major security risk for the entire product line. Backdoors can also be created by software, notably rootkits, but viruses' and trojan horses' main objectives are shifting from random data destruction to serving as delivery systems for creating backdoors for information collection.
Vulnerability and exploit: Vulnerabilities are found in software and protocols, usually by long trial-and-error methods undertaken by crackers. Once a vulnerability has been found, this leads to the development of a tool that makes taking advantage of the vulnerability easy; such a tool is called an exploit.