computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a diskette or CD. The immediate source of the e-mail note, downloaded file, or diskette you've received is usually unaware that it contains a virus. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are benign or playful in intent and effect ("Happy Birthday, Ludwig!") and some can be quite harmful, erasing data or causing your hard disk to require reformatting. A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is known as a worm.

File Viruses (Parasitic Viruses)

File viruses are pieces of code that attach themselves to executable files, driver files or compressed files, and are activated when the host program is run. Some file infector viruses attach themselves to program files, usually selected .COM or .EXE files. Some can infect any program for which execution is requested, including .SYS, .OVL, .PRG, and .MNU files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as wholly contained programs or scripts sent as an attachment to an e-mail note.

Boot Sector Viruses

A boot sector virus affects the boot sector of a hard disk, which is a very crucial part. The boot sector is where all information about the drive is stored, along with a program that makes it possible for the operating system to boot up. By inserting its code into the boot sector, a virus guarantees that it loads into memory during every boot sequence. A boot virus does not affect files; instead, it affects the disks that contain them. Perhaps this is the reason for their downfall. During the days when programs were carried around on floppies, the boot sector viruses used to spread like wildfire.
However, with the CD-ROM revolution, it became impossible to infect pre-written data on a CD, which eventually stopped such viruses from spreading.

Multipartite Viruses

Multipartite viruses are a combination of boot sector viruses and file viruses. These viruses come in through infected media and reside in memory. They then move on to the boot sector of the hard drive. From there, the virus infects executable files on the hard drive and spreads across the system.

Macro Viruses

Macro viruses infect files that are created using certain applications or programs that contain macros. These include Microsoft Office documents such as Word documents, Excel spreadsheets, PowerPoint presentations, Access databases, and other similar application files such as Corel Draw, AmiPro, etc. Since macro viruses are written in the language of the application, and not in that of the operating system, they are known to be platform-independent: they can spread between Windows, Mac, and any other system, so long as they're running the required application. With the ever-increasing capabilities of macro languages in applications, and the possibility of infections spreading over networks, these viruses are major threats. The first macro virus was written for Microsoft Word and was discovered back in August 1995. Today, there are thousands of macro viruses in existence; some examples are Relax, Melissa.A and Bablas.
Network Viruses

This kind of virus is proficient in quickly spreading across a Local Area Network (LAN) or even over the Internet.

E-mail Viruses

An e-mail virus travels as an attachment to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Some e-mail viruses don't even require a double-click: they launch when you view the infected message in the preview pane of your e-mail software. One of the most common and destructive e-mail viruses is the ILOVEYOU virus.
Worm

A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.
The main difference between viruses and worms is the method in which they reproduce and spread. A virus is dependent upon a host file or boot sector, and on the transfer of files between machines, to spread, while a worm can run completely independently and spread of its own accord through network connections.
COMMON SYMPTOMS

- Your computer always stops responding when you try to use certain software. This could also happen because an essential file required by that software is corrupted.
- You received an e-mail message with a strange attachment. When you open the attachment, dialog boxes appear, or system performance suddenly degrades.
- There is a double extension on an attachment that you recently opened, such as .jpg.vbs or .gif.exe.
- An anti-virus program is disabled for no reason and cannot be restarted. The computer may not allow the anti-virus to be reinstalled.
- Strange dialog boxes or message boxes appear on the screen.
- Someone tells you that they have recently received e-mail messages from you containing infected attachments, and you are sure you never sent any such mail.
- New icons that you did not place on the Desktop appear, and are not associated with any recently installed programs.
- Strange sounds or music play from your speakers unexpectedly.
- A program disappears from the computer, and you didn't uninstall it.
- Windows will not start because certain critical system files are missing, and you receive error messages listing those files.
- The computer starts as expected some of the time, but at other times stops responding before the desktop icons and taskbar appear.
- The computer runs very slowly and takes a long time to start.
- Out-of-memory error messages appear, even though your computer has plenty of RAM.
- New programs do not install properly.
- Windows restarts unexpectedly.
- Programs that used to run now stop responding frequently. If you try to remove and reinstall the software, the issue continues to occur.
- A partition completely disappears.
8. Sasser and Netsky

Unusually, authorities were able to track this pair of worms. A 17-year-old German, Sven Jaschan, repeated some code in both. Sasser attacked through a Microsoft Windows weakness, scanning for random IP addresses. Netsky went through e-mails with spoofs, causing DoS attacks through huge volumes of traffic. Jaschan escaped prison, getting twenty months on probation, as he was a minor when arrested.

9. Leap-A/Oompa-A Virus

In general, most Mac users feel relatively relaxed about the safety of their machines. Because Apple produces both hardware and software, the systems are closed or obscure. There are also fewer Macs than PCs, so hackers don't have such a big target to hit. However, in 2006 hackers got in through the iChat instant messaging program with a corrupted file that looked like an innocent JPEG image. As Macs become more common, there will be more attacks on their integrity.

10. Storm Worm

This virus was named after the fact that an e-mail message carrying it was headed "230 dead as storm batters Europe". Fake headings about current news are what trick most users into opening the dangerous e-mail. As there was already a 2001 W32.Storm.Worm virus, companies like McAfee called it Nuwar and Symantec called it Peacomm. Whatever it's called, it's a trojan horse in several different forms. The people behind it can control infected computers, which behave like zombies or bots. It can create a botnet to send mass spam.

11. Click Jacking

Operation Ghost Click was the FBI's code name for a two-year investigation (2009-2011) that has just caught six Estonians (a Russian has not yet been caught). They ran a network of more than 4 million infected computers in 100 countries that rerouted users from big-name websites like Amazon and Apple iTunes to sites that were pure advertising. The gang received a referral fee every time it happened. Federal law officers labelled them "international cyber-bandits" who netted about 9 million over four years and gave new meaning to the term "false advertising". The crime has also confirmed a new word in web-speak, "click jacking".

12. Happy99

Also known as Ska, the virus spread through e-mail attachments. Once a machine was infected, animated fireworks and a "Happy New Year" message were shown.

13. Creeper

The Creeper virus would look for a machine on the network, transfer to it, and display the message "I'm the creeper, catch me if you can!"
Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Virus dictionary approach

In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, the anti-virus software can either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file. To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send
their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries. Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, and closes them, and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can also typically be scheduled to examine all files on the user's hard disk on a regular basis. Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as not to match the virus's signature in the dictionary.

Suspicious behavior approach

The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted and asked what to do. Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary. However, it also raises a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has been made especially worse over the past 7 years, since many more non-malicious program designs chose to modify other .exes without regard to this false positive issue. Thus, most modern anti-virus software uses this technique less and less.

Other ways to detect viruses

Some anti-virus software will try to emulate the beginning of the code of each new executable that is being executed before transferring control to the executable.
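The suspicious behavior approach described above, as an added example that is not part of the original text: a small monitor in Python that replays a recorded trace of program actions (the kind of record an emulator or sandbox would produce), applies the rules the text names (a program writing into an executable, rewriting its own image, or opening many other executables), and shows the false-positive problem with a legitimate installer, with an allowlist as one way to reduce it. All programs, paths and events are constructed sample data, and the rules and the threshold are the example's own choices.

```python
"""Suspicious-behavior monitoring over a recorded trace of program actions.

Added example (not part of the original text). Each Event is one file
operation a sandbox or emulator observed; analyse_trace() groups the
events per program and applies the behaviour rules the text describes.
All programs, paths and events below are constructed sample data, and
the rule thresholds are this example's own choices.
"""
from dataclasses import dataclass, field

# Extensions the monitor treats as executable code (example's own list)
EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys", ".dll", ".ovl")


@dataclass
class Event:
    program: str  # image path of the acting process
    op: str       # "open" or "write"
    target: str   # file the operation touched


@dataclass
class Verdict:
    program: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


def analyse_trace(events, *, scan_threshold=3, allowlist=()):
    """Return {program: Verdict} after applying three behaviour rules.

    allowlist: programs whose writes to executables are expected (for
    example a trusted installer); skipping them is one way to cut the
    false positives the text complains about.
    """
    by_program = {}
    for ev in events:
        by_program.setdefault(ev.program, []).append(ev)

    verdicts = {}
    for program, evs in by_program.items():
        verdict = Verdict(program)
        verdicts[program] = verdict
        if program in allowlist:
            continue  # trusted: no rules applied
        writes = [e.target for e in evs if e.op == "write" and is_executable(e.target)]
        opened = {e.target for e in evs
                  if e.op == "open" and is_executable(e.target) and e.target != program}
        # Rule 1: the program rewrites its own executable image
        if program in writes:
            verdict.reasons.append("modifies its own executable image")
        # Rule 2: the program writes into some other executable
        foreign = sorted({t for t in writes if t != program})
        if foreign:
            verdict.reasons.append("writes into executable(s): " + ", ".join(foreign))
        # Rule 3: the program opens many other executables (looking for hosts?)
        if len(opened) >= scan_threshold:
            verdict.reasons.append(f"opens {len(opened)} other executables")
    return verdicts


# Constructed sample trace (no real programs or malware involved)
SAMPLE_TRACE = [
    # a parasitic file infector: opens several programs and writes into them
    Event("C:/games/demo.exe", "open", "C:/windows/notepad.exe"),
    Event("C:/games/demo.exe", "write", "C:/windows/notepad.exe"),
    Event("C:/games/demo.exe", "open", "C:/windows/calc.exe"),
    Event("C:/games/demo.exe", "write", "C:/windows/calc.exe"),
    Event("C:/games/demo.exe", "open", "C:/tools/zip.exe"),
    Event("C:/games/demo.exe", "write", "C:/games/demo.exe"),
    # a legitimate installer also writes executables: a false positive
    Event("C:/temp/setup.exe", "write", "C:/Program Files/app/app.exe"),
    Event("C:/temp/setup.exe", "write", "C:/Program Files/app/helper.dll"),
    # an ordinary editor only touches documents
    Event("C:/tools/editor.exe", "open", "C:/docs/report.txt"),
    Event("C:/tools/editor.exe", "write", "C:/docs/report.txt"),
]


def demo():
    """Run the monitor twice: naively, then with the installer allowlisted."""
    naive = analyse_trace(SAMPLE_TRACE)
    tuned = analyse_trace(SAMPLE_TRACE, allowlist=("C:/temp/setup.exe",))
    return naive, tuned


if __name__ == "__main__":
    for label, result in zip(("naive", "allowlisted"), demo()):
        print(f"--- {label} ---")
        for v in result.values():
            print(v.program, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

The naive run flags both the infector and the installer, which is exactly the desensitizing false positive the text describes; the allowlisted run keeps the infector verdict and drops the installer's. Real products replace the allowlist with code signing and reputation data, but the trade-off is the same.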
If the program seems to be using self-modifying code or otherwise appears to be a virus (it immediately tries to find other executables), one could assume that the executable has been infected with a virus. However, this method results in a lot of false positives. Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues, this type of detection is normally only performed during on-demand scans.

Issues of concern

Macro viruses, arguably the most destructive and widespread computer viruses, could be prevented far more inexpensively and effectively, and without the need for all users to buy anti-virus software, if Microsoft would fix security flaws in Microsoft Outlook and Microsoft Office related to the execution of downloaded code and to the ability of document macros to spread and wreak havoc. User education is as important as anti-virus software; simply training users in safe computing practices, such as not downloading and executing unknown programs from the Internet, would slow the spread of viruses, without the need for anti-virus software. Computer users should not always run with administrator access to their own machine. If they would simply run in user mode, then some types of viruses would not be able to spread. The dictionary approach to detecting viruses is often insufficient due to the continual creation of new viruses, yet the suspicious behavior approach is ineffective due to the false positive problem; hence, anti-virus software as currently understood will never conquer computer viruses. There are various methods of encrypting and packing malicious software which will make even well-known viruses undetectable to anti-virus software.
Detecting these "camouflaged" viruses requires a powerful unpacking engine, which can decrypt the files before examining them. Unfortunately, many popular anti-virus programs do not have this and thus are often unable to detect encrypted viruses. Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.
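The dictionary (signature) approach from the earlier section and the unpacking step this paragraph calls for, as one added example that is not part of the original text: a Python scanner with a tiny constructed virus dictionary, the allow/quarantine/repair decision the text lists, and a brute-force single-byte XOR unpacking pass that recovers a signature from a "packed" image where a plain byte match fails. The dictionary entries, file images and the XOR layer are all constructed stand-ins (marker strings), not real malware or real signatures.

```python
"""Dictionary (signature) scanning with a simple unpacking pass.

Added example, not from the original text. VIRUS_DICTIONARY maps a virus
name to a byte signature; scan() reports the first signature found in a
file image; scan_with_unpacking() additionally strips a single-byte XOR
"packing" layer by trial before re-matching, which is the job the text
assigns to an unpacking engine. Every image and signature below is a
constructed marker string, not real malware.
"""

# Constructed dictionary: name -> signature bytes (hypothetical entries)
VIRUS_DICTIONARY = {
    "Demo.FileInfector": b"DEMO-INFECTOR-MARKER",
    "Demo.MacroVirus": b"Sub AutoOpen()\r\nDemoPayload",
}


def scan(image: bytes, dictionary=VIRUS_DICTIONARY):
    """Return the name of the first matching signature, or None."""
    for name, signature in dictionary.items():
        if signature in image:
            return name
    return None


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def scan_with_unpacking(image: bytes, dictionary=VIRUS_DICTIONARY):
    """Match the raw image; on a miss, try every single-byte XOR key and
    rescan the decoded body. Returns (virus name or None, key or None).
    A real engine decides from file structure or entropy whether a file
    is packed and emulates the actual unpacker; brute force is enough here."""
    hit = scan(image, dictionary)
    if hit:
        return hit, None
    for key in range(1, 256):
        hit = scan(xor_bytes(image, key), dictionary)
        if hit:
            return hit, key
    return None, None


def decide(hit, repairable=False):
    """The actions the text lists once a signature matches."""
    if hit is None:
        return "allow"
    return "repair" if repairable else "quarantine"


# Constructed sample "files"
CLEAN_FILE = b"MZ... ordinary program text, nothing to see here ..."
INFECTED_FILE = b"MZ... program code ... DEMO-INFECTOR-MARKER ... more code"
MACRO_DOC = b"Attribute VB_Name = 'ThisDocument'\r\nSub AutoOpen()\r\nDemoPayload\r\nEnd Sub"
# The same infected body behind a single-byte XOR layer: a plain byte
# match no longer sees the signature, which is the polymorphic/packed
# case the text describes.
PACKED_FILE = xor_bytes(INFECTED_FILE, 0xC3)


if __name__ == "__main__":
    for name, image in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE),
                        ("macro", MACRO_DOC), ("packed", PACKED_FILE)]:
        hit, key = scan_with_unpacking(image)
        print(f"{name:9} raw={scan(image)!s:18} unpacked={hit} key={key} -> {decide(hit)}")
```

The packed image is missed by scan() but caught by scan_with_unpacking(), which reports the key it had to strip; the macro document shows the same dictionary lookup applied to an Office-style file rather than an executable. Single-byte XOR is the simplest possible layer, and real packers are far more involved, but the principle the text states holds: the dictionary match only works on the decoded body, so the scanner has to reach it first.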