
Group #3

Malwares

Malicious software consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, or carry out other abusive behavior. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered to be malware based on the perceived intent of the creator rather than any particular features.

TYPES OF MALWARES

I. Computer Viruses

A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer, for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses attach themselves to executable files and replicate when the infected program is executed.

Types of Viruses

1. Nonresident Virus

Once activated, this type of virus immediately searches for other hosts that can be infected, infects those targets, and finally transfers control to the application program it infected. It consists of two modules:

The Finder Module is responsible for finding new files to infect.
The Replication Module is responsible for replication and infection of every new file the finder module finds.

2. Resident Virus

Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself. This type of virus infects every suitable program that is executed on the computer because the replication module is called every time the operating system executes a file. The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation.

Categories of Resident Viruses

Fast infectors - are designed to infect as many files as possible and infect every potential host that is accessed. Fast infectors rely on their fast infection rate to spread. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned.

Slow infectors - are designed to infect hosts infrequently: they only infect files when they are copied. They are designed to avoid detection by limiting their actions.

Examples of Viruses

Creeper virus - The Creeper would start to print a file, but then stop, find another Tenex system, open a connection, pick itself up and transfer to the other machine (along with its external state, files, etc.), and then start running on the new machine, displaying the message "I'm the creeper virus, catch me if you can."

Elk Cloner - is one of the first known microcomputer viruses that spread outside the computer system or lab in which it was written. It was written around 1982 by a 15-year-old high school student named Rich Skrenta for Apple II systems. The first large-scale self-spreading personal computer virus ever created, Elk Cloner spread by infecting the Apple II operating system using a technique now known as a "boot sector" virus. If a computer booted from an infected floppy disk, a copy of the virus was placed in the computer's memory. When an uninfected disk was inserted into the computer, Elk Cloner would be copied to the disk, allowing it to spread from disk to disk.[5]

An infected computer would display a short poem on every 50th boot:

Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner.


Metamorphic Viruses

Metamorphic viruses are computer viruses that use metamorphic code, code that reprograms itself. It translates its own code to a temporary representation, edits the representation, and rewrites itself to normal again. The result is that the "children" will never look like their "parents". The computer viruses that use this technique do this in order to avoid the pattern recognition of anti-virus software: the actual algorithm does not change.

Examples:

Win32/Simile (also known as Etap and MetaPHOR) is a metamorphic computer virus written in assembly language for Microsoft Windows. The most recent version of the virus was released in early March 2002. It was written by the virus writer Mental Driller. When the virus is first executed, it checks the current date. If the host file (the file that is infected with the virus) imports the file User32.dll, then on the 17th of March, June, September, or December, a message is displayed.

Zmist (Zombie.Mistfall) is a metamorphic computer virus created by the Russian virus writer known as Zombie. It was the first virus to use a technique known as "code integration". The Mistfall engine contained in it is capable of decompiling Portable Executable files to their smallest elements, requiring 32 MB of memory. Zmist inserts itself into the code: it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable.

II. Worms

A worm is a self-replicating malware computer program which uses a computer network to send copies of itself to other nodes, and it may do so without any user intervention; unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. Worms can cause major disruption by increasing network traffic. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" computer under control of the worm author. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address.


The Morris worm was considered the first created worm; it was one of the first computer worms distributed via the Internet.

ExploreZip (I-Worm.ZippedFiles) is a destructive computer worm which attacks machines running Microsoft Windows. It is distributed via an email which reads:

Hi! I have received your email and I shall send you a reply ASAP. Till then take a look at the attached zipped docs. Bye!

The message includes an attachment with the name ZIPPED_FILES.EXE. If opened, a dialog box appears in Windows resembling the one normally appearing when opening a corrupted Zip archive, while the worm copies itself onto the machine's hard drive. It also modifies the WIN.INI file (Windows 9x) or the Windows Registry (Windows NT) so that it re-executes on reboot. The worm looks for a copy of Microsoft Outlook to mail itself to all other people in the user's address book, and also destroys Microsoft Office documents and C and C++ source files on the user's hard drive by overwriting them with zero-byte files.

Worms with good intention

The Nachi worm is a computer worm that exploits a vulnerability in the Microsoft Remote Procedure Call (RPC) service. It tries to download and install security patches from Microsoft, so it is classified as a helpful worm. Infected computers automatically began downloading Microsoft security updates for Windows without the users' consent and automatically rebooted the computers. One of these updates was, incidentally, the patch that fixed the exploit.

The I Love You worm

The worm is written using Microsoft Visual Basic Scripting (VBS), and requires that the user run the script in order to deliver the payload. It adds a number of registry keys so the worm is initialized on system boot. The worm will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC and *.HTA with copies of itself, while appending a .VBS extension to the file name. The worm will also locate *.MP3 and *.MP2 files, and when found, make the files hidden, copy itself with the same filename and append a .VBS extension. The worm propagates by sending out copies of itself to all entries in the Microsoft Outlook address book. It also adds registry keys that direct the Windows operating system to download and execute a password-stealing trojan variously called "WIN-BUGSFIX.EXE" or "Microsoftv25.exe".
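The paragraph above describes two on-disk traces the worm leaves behind: a script whose name still carries the extension of the file it replaced (holiday.jpg.vbs), and a media file kept, hidden, beside a same-named .vbs copy (song.mp3 next to song.mp3.vbs). The following is an added defender-side check, not code from the original document: it walks a directory tree and reports both patterns. The sample tree and its file names are constructed for the example; the hidden-attribute test uses the Windows file attribute where the platform exposes it and falls back to a dot-prefix convention elsewhere, which is an assumption.

```python
import stat
import tempfile
from pathlib import Path

# Extensions the text says the worm overwrites with a copy of itself, appending .VBS
OVERWRITTEN_EXTS = {".jpg", ".jpeg", ".vbs", ".vbe", ".js", ".jse", ".css",
                    ".wsh", ".sct", ".doc", ".hta"}
# Extensions the text says the worm hides and shadows with a same-named .VBS copy
SHADOWED_EXTS = {".mp3", ".mp2"}


def is_hidden(path):
    """Hidden flag: Windows attribute where available, dot-prefix elsewhere (assumption)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def scan_tree(root):
    """Walk root and return sorted (kind, relative_path, hidden) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        rel = path.relative_to(root).as_posix()
        if ext == ".vbs":
            # holiday.jpg.vbs: the stem still carries the extension of the replaced file
            inner = Path(path.stem).suffix.lower()
            if inner in OVERWRITTEN_EXTS:
                findings.append(("double-extension", rel, is_hidden(path)))
        elif ext in SHADOWED_EXTS:
            # song.mp3 left in place (normally hidden) next to song.mp3.vbs
            if path.with_name(path.name + ".vbs").is_file():
                findings.append(("shadowed-media", rel, is_hidden(path)))
    findings.sort()
    return findings


def build_sample_tree(root):
    """Constructed sample: benign files plus the artifacts the text describes."""
    root = Path(root)
    files = {
        "docs/report.doc": b"benign document",
        "docs/notes.txt": b"benign text",
        "pics/holiday.jpg.vbs": b"' script where a JPEG used to be",
        "music/song.mp3": b"ID3 benign audio",
        "music/song.mp3.vbs": b"' script shadowing the audio file",
        "web/index.hta.vbs": b"' script where an HTA used to be",
        "scripts/login.vbs": b"' a legitimate single-extension script",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, rel, hidden in demo():
        print(f"{kind:17} {rel}{'  (hidden)' if hidden else ''}")
```

Point scan_tree at a drive root to check a real machine; a legitimate single-extension script such as scripts/login.vbs is not reported, only names where an extension is hiding under the .vbs or where a media file has a same-named .vbs sibling.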

The worm originated in the Philippines on 4 May 2000 and was created by Reonel Ramones and Onel de Guzman. It was considered the most virulent computer virus, causing an estimated $5.5 billion in damage. Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released with all charges dropped by state prosecutors. To address this legislative deficiency, the Philippine Congress enacted Republic Act No. 8792.

III. Trojan Horses

A Trojan horse is a destructive program that masks itself as an application. It does not replicate itself like computer viruses do. A Trojan may allow a hacker remote access to a target computer system. Once a Trojan has been installed, the hacker may have access to the computer remotely and perform various operations, limited by user privileges on the target computer system and the design of the Trojan. Operations that could be performed by a hacker on a target computer system include:

- Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute denial-of-service attacks)
- Data theft (e.g. retrieving passwords or credit card information)
- Installation of software, including third-party malware
- Downloading or uploading of files on the user's computer
- Modification or deletion of files
- Keystroke logging
- Watching the user's screen
- Crashing the computer
- Anonymizing internet viewing

Trojan horses in this way require interaction with a hacker to fulfill their purpose, though the hacker need not be the individual responsible for distributing the Trojan horse. It is possible for individual hackers to scan computers on a network using a port scanner in the hope of finding one with a malicious Trojan horse installed, which the hacker can then use to control the target computer.

Kinds of Trojans

Remote Access Trojans (RAT) - If installed, the attacker gains full access over the victim's computer. The attacker can go through the files and access any personal information about the user that may be stored in the files, such as credit card numbers, passwords and vital financial documents.

Password Sending Trojan - Copies all the cached passwords and looks for other passwords as you key them into your computer. These actions are performed without the awareness of the user.

Key Loggers - The Trojan logs the victim's keystrokes and then sends the log files to the attacker. It comes in two modes of operation: offline recording and online recording.

Destructive Trojan - Destroys and deletes files from the victim's computer. It can automatically delete all the core system files of the computer.

Denial of Service (DoS) Attack Trojan - Produces a lot of internet traffic on the victim's computer or server; the internet connection becomes too congested to let anyone visit a website.

Proxy/Wingate Trojan - The infected computer becomes accessible to the entire globe to be used for anonymous access to a variety of unsafe internet services.

IV. Spyware

Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connection or functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is provided by the term privacy-invasive software. An affected machine usually has multiple infections. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Stability issues, such as applications freezing, failures to boot, and system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet.


Examples of spyware:

CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.

Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.

HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs, an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.

Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay. The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers."

WeatherStudio has a plugin that displays a window-panel near the bottom of a browser window. The official website notes that it is easy to remove WeatherStudio from a computer, using its own uninstall program, such as under C:\Program Files\WeatherStudio.[36] Once WeatherStudio is removed, a browser returns to the prior display appearance, without the need to modify the browser settings.

Zango transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies (as seen in their [Zango End User License Agreement]).
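The CoolWebSearch entry above says the package rewrites the hosts file so that DNS lookups for chosen names land on its own sites. The following is an added example, not code from the original document, of how a defender can audit a hosts file for that kind of tampering: it parses the file and flags entries that redirect a name somewhere other than a local sinkhole. The sample file contents, the 203.0.113.7 address (taken from a documentation range) and the watchlist of domains are all constructed for the example. Note that Python's ipaddress module classes the documentation ranges as private, so on this sample only the watchlist rule fires; on a real file the "remote address" rule catches redirects to public hosts.

```python
import ipaddress
import os
from pathlib import Path

# Constructed sample hosts file; the addresses and names are made up for the example
SAMPLE_HOSTS = """\
# localhost entries
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan            # ordinary LAN entry
0.0.0.0         ads.example            # blocklist-style sinkhole entry
203.0.113.7     www.google.com         # search site redirected to another host
203.0.113.7     search.yahoo.com
not-an-address  broken.example
"""

# Assumed watchlist: names whose hosts-file override is worth questioning, since
# search engines and vendor sites are the usual targets of browser-hijacking spyware
WATCHED_DOMAINS = ("google.com", "yahoo.com", "msn.com", "microsoft.com")


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) triples, skipping comments and bad lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address: leave that line to manual review
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower().rstrip(".")))
    return entries


def on_watchlist(name):
    """True when name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(entries):
    """Flag overrides that redirect lookups instead of blocking them."""
    flagged = []
    for lineno, addr, name in entries:
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 entries block a name, they do not redirect it
        if on_watchlist(name):
            flagged.append((lineno, name, str(addr), "watched domain redirected"))
        elif not (addr.is_private or addr.is_link_local):
            flagged.append((lineno, name, str(addr), "name pinned to a remote address"))
    return flagged


def check_hosts_text(text):
    """Parse and audit hosts-file text in one step."""
    return suspicious_entries(parse_hosts(text))


def hosts_file_path():
    """Platform default location of the hosts file."""
    if os.name == "nt":
        system_root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(system_root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


if __name__ == "__main__":
    for lineno, name, addr, reason in check_hosts_text(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} ({reason})")
    # To audit the running machine instead:
    # print(check_hosts_text(hosts_file_path().read_text(errors="replace")))
```

Ordinary LAN entries and blocklist-style 0.0.0.0 or 127.0.0.1 lines pass the check; what gets reported is a name that has been pointed at some other host, which is exactly the change the text attributes to CoolWebSearch.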

Preventive Measures of Infections

ANTI-VIRUS:

You should have only ONE antivirus program on your computer. If you have more than one antivirus, they will conflict and offer less protection, not more. Only install a free antivirus if you do not already have an antivirus program (e.g. McAfee, Norton, Kaspersky) that you update at least once a week to protect you from newly emerging variants.
ANTI-ADWARE:

Ad-aware: "Ad-Aware is designed to provide advanced protection from known Data-mining, aggressive advertising, Parasites, Scumware, selected traditional Trojans, Dialers, Malware, Browser hijackers, and tracking components."

SPYWARE PROTECTION:

SpywareBlaster: Prevents the installation of spyware and other potentially unwanted software.

SpywareGuard: SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

Additional Programs for Resistant Infections

Anti-Trojan: The Cleaner, Trojan Hunter, TDS, Trojan Scan Online Scanner. Some of these programs are not freeware, but offer free trial periods and may be either purchased or uninstalled when the trial expires.

Online scans: Trend Micro Housecall, Trend Micro Spyware Scan, Panda Active Scan, BitDefender (see "scan online").

Other tools: Ewido Security Suite, McAfee AVERT Stinger, A-Squared, CWShredder.