
Viruses and anti-viruses

A variety of strategies are typically employed. Signature-based detection involves searching for known patterns of data within executable code. However, it is possible for a computer to be infected with new malware for which no signature is yet known. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code, or slight variations of such code, in files. Some antivirus software can also predict what a file will do by running it in a sandbox and analyzing what it does to see if it performs any malicious actions. No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus software can impair a computer's performance. Inexperienced users may also have trouble understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives.[1] Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.

Identification methods

Malwarebytes' Anti-Malware version 1.46 - a proprietary freeware antimalware product

There are several methods which antivirus software can use to identify malware. Signature-based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces. Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses. File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.

Signature-based detection

Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses. As new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary. Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.[17]

Heuristics

Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. Many viruses start as a single infection and, through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition. For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B.

While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be "heuristic detection."
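As an added illustration of the exact-signature versus generic-signature distinction (this is not code from the page or from any antivirus product), the scanner below accepts hex signatures in which `??` stands for any single byte and `*` for a gap of arbitrary length; that syntax, the signature names and the three sample files are all constructed for the example. The final function is the kind of clean-corpus check a vendor would run before shipping a signature, to catch the false positives discussed under "Issues of concern" below.

```python
# Added example: a toy signature scanner with exact and generic (wildcard)
# signatures. Not code from the page or from any antivirus product; the
# signature syntax, sample files and signature names are constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str  # space-separated hex bytes; "??" = any one byte, "*" = any gap


def compile_signature(sig: Signature) -> re.Pattern:
    """Translate the hex/wildcard pattern into a compiled bytes regex."""
    parts = []
    for token in sig.pattern.split():
        if token == "*":
            parts.append(b".*?")                 # variable-length gap (padding, junk code)
        elif token == "??":
            parts.append(b".")                   # one byte of any value (e.g. an address)
        else:
            parts.append(re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: "." must match 0x0a too


def scan(data: bytes, signatures) -> list:
    """Return the names of every signature found in data, in dictionary order."""
    return [sig.name for sig in signatures if compile_signature(sig).search(data)]


def find_false_positives(signatures, clean_corpus) -> list:
    """Quality gate: names of signatures that match any known-clean file."""
    return sorted({sig.name for sig in signatures
                   for clean in clean_corpus if compile_signature(sig).search(clean)})


# Constructed samples. The "infection marker" is a fake call/pop/sub prologue
# (e8 .. 5d 81 ed) followed at some distance by the string ".text".
ORIGINAL = b"MZ" + b"\x00" * 8 + bytes.fromhex("e8 12 34 56 78 5d 81 ed") + b"\x00" * 4 + b".text PAYLOAD"
VARIANT = b"MZ" + b"\x00" * 8 + bytes.fromhex("e8 aa bb cc dd 5d 81 ed") + b"\x90" * 16 + b".text PAYLOAD"
BENIGN = b"MZ" + b"hello, this is an ordinary program " + b".text"

SIGNATURES = [
    Signature("Virus.Example.A", "e8 12 34 56 78 5d 81 ed"),                    # exact: original only
    Signature("Virus.Example.Gen", "e8 ?? ?? ?? ?? 5d 81 ed * 2e 74 65 78 74"),  # generic: whole family
]
TOO_GENERIC = Signature("Virus.Example.TooGeneric", "2e 74 65 78 74")           # ".text" alone


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:8s} -> {scan(sample, SIGNATURES)}")
    print("would false-positive:", find_false_positives(SIGNATURES + [TOO_GENERIC], [BENIGN]))
```

The exact signature catches only the original sample; the generic one also catches the variant whose call offset changed and which was padded with NOP bytes, which is the wildcard mechanism the paragraph above describes. The deliberately short `TOO_GENERIC` signature matches the benign file as well, which is why a clean-corpus check belongs in the release process for every definition update.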

Rootkit detection

Anti-virus software can attempt to scan for rootkits; a rootkit is a type of malware that is designed to gain administrative-level control over a computer system without being detected. Rootkits can change how the operating system functions and in some cases can tamper with the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the operating system.

Issues of concern

Unexpected renewal costs

Some commercial antivirus software end-user license agreements include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the expiration of the present subscription while BitDefender sends notifications to unsubscribe 30 days before the renewal. Norton Antivirus also renews subscriptions automatically by default.

Problems caused by false positives

A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this happens, it can cause serious problems. For example, if an antivirus program is configured to immediately delete or quarantine infected files, a false positive in an essential file can render the operating system or some applications unusable. In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot. Also in May 2007, the executable file required by Pegasus Mail was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running. Norton anti-virus had falsely identified three releases of Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened. In response to this Pegasus Mail stated: "On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the strongest terms that our users cease using it in favour of alternative, less buggy anti-virus packages."

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access. In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of Windows 7, rendering them unable to boot due to an endless boot loop. In October 2011, Microsoft Security Essentials removed the Google Chrome browser, a rival to Microsoft's own Internet Explorer; MSE had flagged Chrome as a Zbot banking trojan. When Microsoft Windows is damaged by faulty anti-virus products, fixing the damage incurs technical support costs, and businesses can be forced to close whilst remedial action is undertaken.

System and interoperability related issues

Running multiple antivirus programs concurrently can degrade performance and create conflicts. However, using a concept called multiscanning, several companies (including G Data and Microsoft) have created applications which can run multiple engines concurrently. It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Active antivirus protection may partially or completely prevent the installation of a major update. A minority of software programs are not compatible with anti-virus software. For example, the TrueCrypt troubleshooting page reports that anti-virus programs can conflict with TrueCrypt and cause it to malfunction. Support issues also exist around antivirus application interoperability with common solutions like SSL VPN remote access and network access control products. These technology solutions often have policy assessment applications which require that an up to date antivirus is installed and running. If the antivirus application is not recognized by the policy assessment, whether because the antivirus application has been updated or because it is not part of the policy assessment library, the user will be unable to connect.

Rootkits

Detecting rootkits is a major challenge for anti-virus programs. Rootkits have full administrative access to the computer and are invisible to users and hidden from the list of running processes in the task manager. Rootkits can modify the inner workings of the operating system and tamper with antivirus programs.

Damaged files

Files which have been damaged by computer viruses are normally damaged beyond recovery. Anti-virus software removes the virus code from the file during disinfection, but this does not always restore the file to its undamaged state. In such circumstances, damaged files can only be restored from existing backups; installed software that is damaged requires re-installation.

Other methods

A command-line virus scanner, Clam AV 0.95.2, running a virus signature definition update, scanning a file and identifying a Trojan

Installed antivirus software running on an individual computer is only one method of guarding against viruses. Other methods are also used, including cloud-based antivirus, firewalls and online scanners.

Cloud antivirus

Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider's infrastructure.
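The CloudAV design described next (several engines run side by side on each submitted file, plus a file-access history that is rescanned when a new threat becomes known) can be sketched in a few dozen lines. The following is an added illustration, not CloudAV's code; the engine names, hostnames, file paths and document bytes are constructed, and each engine is reduced to a lookup of known-bad SHA-256 digests so that the example runs offline.

```python
# Added example: a miniature CloudAV-style service. Not CloudAV's code; engine
# names, hosts, paths and file contents are constructed for the illustration.
import hashlib
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class HashEngine:
    """Stand-in for one vendor's engine: knows a set of bad SHA-256 digests."""

    def __init__(self, name: str, known_bad=()):
        self.name = name
        self.known_bad = set(known_bad)

    def scan(self, data: bytes) -> bool:
        return sha256(data) in self.known_bad


class CloudScanner:
    """Runs every engine on each submission and records who accessed what."""

    def __init__(self, engines, threshold: int = 1):
        self.engines = engines
        self.threshold = threshold            # engines that must agree for a verdict
        self.history = defaultdict(set)       # digest -> {(host, path), ...}
        self.samples = {}                     # digest -> bytes, kept for rescans

    def _verdict(self, data: bytes):
        votes = [e.name for e in self.engines if e.scan(data)]
        return len(votes) >= self.threshold, votes

    def scan(self, host: str, path: str, data: bytes) -> dict:
        digest = sha256(data)
        self.history[digest].add((host, path))
        self.samples[digest] = data
        malicious, votes = self._verdict(data)
        return {"digest": digest, "malicious": malicious, "detected_by": votes}

    def add_signature(self, engine_name: str, digest: str) -> list:
        """A vendor ships a new definition; rescan everything seen so far."""
        for engine in self.engines:
            if engine.name == engine_name:
                engine.known_bad.add(digest)
        return self.retrospective_scan()

    def retrospective_scan(self) -> list:
        """Re-evaluate every file in the access history with current definitions."""
        alerts = []
        for digest, data in self.samples.items():
            malicious, _ = self._verdict(data)
            if malicious:
                alerts.extend((host, path, digest) for host, path in sorted(self.history[digest]))
        return alerts


# Constructed sample: a document that no engine recognises on the day it arrives.
SAMPLE_DOC = b"%PDF-1.4 constructed sample document with an embedded script\n"
SAMPLE_DIGEST = sha256(SAMPLE_DOC)


def run_demo(threshold: int = 1):
    """Day 1: two hosts open the file, verdict clean. Day 2: one engine learns it."""
    cloud = CloudScanner([HashEngine("engine-a"), HashEngine("engine-b"), HashEngine("engine-c")],
                         threshold=threshold)
    day1 = [cloud.scan("ws-01", "/home/alice/invoice.pdf", SAMPLE_DOC),
            cloud.scan("ws-02", "/home/bob/Downloads/invoice.pdf", SAMPLE_DOC)]
    day2_alerts = cloud.add_signature("engine-b", SAMPLE_DIGEST)
    return day1, day2_alerts


if __name__ == "__main__":
    day1, alerts = run_demo()
    print("day 1 verdicts:", [r["malicious"] for r in day1])
    print("retrospective alerts after new definition:", alerts)
    print("with a two-engine threshold:", run_demo(threshold=2)[1])
```

The `threshold` parameter is the knob from the false-positive discussion earlier on this page: requiring agreement from two engines suppresses the alert that a single newly shipped definition would raise, at the cost of slower detection. The retained access history is what turns a late signature into an incident list of hosts that already opened the file.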

One approach to implementing cloud antivirus involves scanning suspicious files using multiple antivirus engines. This approach was proposed by an early implementation of the cloud antivirus concept called CloudAV. CloudAV was designed to send programs or documents to a network cloud where multiple antivirus and behavioral detection programs are used simultaneously in order to improve detection rates. Parallel scanning of files using potentially incompatible antivirus scanners is achieved by spawning a virtual machine per detection engine, which eliminates conflicts between them. CloudAV can also perform "retrospective detection," whereby the cloud detection engine rescans all files in its file access history when a new threat is identified, thus improving the speed at which new threats are detected. Finally, CloudAV is a solution for effective virus scanning on devices that lack the computing power to perform the scans themselves.

Network firewall

Network firewalls prevent unknown programs and processes from accessing the system. However, they are not antivirus systems and make no attempt to identify or remove anything. They may protect against infection from outside the protected computer or network, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come from network connections into the system and is not an alternative to a virus protection system.

Specialist tools

Using rkhunter to scan for rootkits on an Ubuntu Linux computer.

Virus removal tools are available to help remove stubborn infections or certain types of infection. Examples include Trend Micro's Rootkit Buster,[59] and rkhunter for the detection of rootkits, Avira's AntiVir Removal Tool,[60] PCTools Threat Removal Tool,[61] and AVG's AntiVirus Free 2011. A rescue disk that is bootable, such as a CD or USB storage device, can be used to run antivirus software outside of the installed operating system, in order to remove infections while they are dormant. A bootable antivirus disk can be useful when, for example, the installed operating system is no longer bootable or has malware that is resisting all attempts to be removed by the installed antivirus software. Examples of some of these bootable disks include the Avira AntiVir Rescue System, PCTools Alternate Operating System Scanner and AVG Rescue CD.[64] The AVG Rescue CD software can also be installed onto a USB storage device that is bootable on newer computers.

EICAR

EICAR may also refer to the École Internationale de Création Audiovisuelle et de Réalisation, an international film school in Paris.

EICAR, the European Institute for Computer Antivirus Research, was founded in 1991 as an organization aiming to further antivirus research and improve the development of antivirus software. Recently, EICAR has broadened its scope to include the research of malicious software (malware) other than computer viruses and extended its work to other information security topics like content security, wireless LAN security, RFID and information security awareness.

Linux malware

Linux malware includes viruses, trojans, worms and other types of malware that affect the Linux operating system. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well protected against, but not immune to, computer viruses. There has not yet been a widespread Linux malware threat of the type that Microsoft Windows software faces; this is commonly attributed to the small number of users running Linux as a desktop operating system, the malware's lack of root access and fast updates to most Linux vulnerabilities. The number of malicious programs, including viruses, Trojans and other threats, specifically written for Linux has been on the increase in recent years and more than doubled during 2005, from 422 to 863.

Like Unix systems, Linux implements a multi-user environment where users are granted specific privileges and there is some form of access control implemented. To gain control over a Linux system or cause any serious consequence to the system itself, the malware would have to gain root access to the system. Shane Coursen, a senior technical consultant with Kaspersky Lab, claims, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS." Rick Moen, an experienced Linux system administrator, counters that: "[That argument] ignores Unix's dominance in a number of non-desktop specialties, including Web servers and scientific workstations. A virus/trojan/worm author who successfully targeted specifically Apache httpd Linux/x86 Web servers would both have an extremely target-rich environment and instantly earn lasting fame, and yet it doesn't happen."

Some Linux users run Linux-based anti-virus software to scan insecure documents and email which comes from or is going to Windows users. SecurityFocus's Scott Granneman stated: "...some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users." Because they are predominantly used on mail servers which may send mail to computers running other operating systems, Linux virus scanners generally use definitions for, and scan for, all known viruses for all computer platforms. For example, the open source ClamAV "Detects ... viruses, worms and trojans, including Microsoft Office macro viruses, mobile malware, and other threats."

Viruses and trojan horses

The viruses listed below pose a potential, although minimal, threat to Linux systems. If an infected binary containing one of the viruses were run, the system would be infected. The infection level would depend on which user with what privileges ran the binary. A binary run under the root account would be able to infect the entire system. Privilege escalation vulnerabilities may permit malware running under a limited account to infect the entire system. It is worth noting that this is true for any malicious program that is run without special steps taken to limit its privileges.
It is trivial to add a code snippet to any program that a user may download and let this additional code download a modified login server, an open mail relay or similar and make this additional component run any time the user logs in. No special malware writing skills are needed for this. Special skill may be needed for tricking the user to run the (trojan) program in the first place. The use of software repositories significantly reduces any threat of installation of malware, as the software repositories are checked by maintainers, who try to ensure that their repository is malware-free. In addition, to ensure safe distribution of the software, checksums are made available. These make it possible to reveal modified versions that may have been introduced by, e.g., hijacking of communications using a man-in-the-middle attack or via a redirection attack such as ARP or DNS poisoning. Careful use of checksums and digital signatures provides an additional line of defense, which limits the scope of attacks to include only the original authors, package and release maintainers and possibly others with suitable administrative access, depending on how the keys and checksums are handled.

Anti-virus applications

The ClamTk GUI for ClamAV running a scan on Ubuntu 8.04 Hardy Heron

There are a number of anti-virus applications available for Linux, most of which are designed for servers, including:

Avast! (freeware and commercial)
AVG (freeware and commercial)
Avira (freeware and commercial)
CyberSoft VSTK (commercial)
Dr.Web (commercial)
eScan Anti-Virus for Linux (commercial)
Eset (commercial)
F-Secure Linux (commercial)
Kaspersky Linux Security (commercial)
Linux Malware Detect (free open source software)
McAfee VirusScan Enterprise for Linux (commercial)
Norman Security Suite for Linux (commercial)
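Returning to the checksums and digital signatures described above for software repositories: the following added example (not code from any distribution's package tooling) shows why a checksum published next to the package catches in-transit modification but not an attacker who controls the download channel, and why the checksum manifest itself must be signed with a key the attacker does not hold. The manifest format, package bytes and key are constructed, and HMAC-SHA256 with a maintainer-held key stands in for the public-key signature a real repository would use.

```python
# Added example: verifying a package against a published checksum manifest and
# authenticating the manifest itself. Not any distribution's tooling; the
# manifest format, package bytes and key are constructed, and HMAC-SHA256 with
# a maintainer-held key stands in for the public-key signature real repositories use.
import hashlib
import hmac

MAINTAINER_KEY = b"constructed-demo-key-not-a-real-secret"   # held by maintainers only


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict) -> str:
    """One 'sha256sum'-style line per package: '<hex digest>  <file name>'."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(packages.items()))


def sign_manifest(manifest: str, key: bytes = MAINTAINER_KEY) -> str:
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def manifest_signature_ok(manifest: str, signature: str, key: bytes = MAINTAINER_KEY) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def parse_manifest(manifest: str) -> dict:
    expected = {}
    for line in manifest.splitlines():
        digest, _, name = line.partition("  ")
        expected[name] = digest
    return expected


def checksum_only_verify(name: str, data: bytes, manifest: str) -> bool:
    """Weak form: trusts whatever manifest was fetched alongside the package."""
    return parse_manifest(manifest).get(name) == sha256_hex(data)


def verify_download(name: str, data: bytes, manifest: str, signature: str):
    """Strong form: authenticate the manifest first, then compare the digest."""
    if not manifest_signature_ok(manifest, signature):
        return False, "manifest signature invalid"
    expected = parse_manifest(manifest).get(name)
    if expected is None:
        return False, "package not listed in manifest"
    if not hmac.compare_digest(expected, sha256_hex(data)):
        return False, "checksum mismatch"
    return True, "ok"


# Constructed release, and a constructed in-transit modification of it.
PKG = "tool-1.0.tar.gz"
GENUINE = b"constructed package contents v1.0"
TAMPERED = GENUINE + b" plus injected code"
MANIFEST = build_manifest({PKG: GENUINE})
SIGNATURE = sign_manifest(MANIFEST)
# A man-in-the-middle can rewrite the manifest to match the tampered file,
# but cannot produce a valid signature without the maintainers' key.
ATTACKER_MANIFEST = build_manifest({PKG: TAMPERED})


if __name__ == "__main__":
    print("genuine, signed manifest:    ", verify_download(PKG, GENUINE, MANIFEST, SIGNATURE))
    print("tampered, genuine manifest:  ", verify_download(PKG, TAMPERED, MANIFEST, SIGNATURE))
    print("tampered, rewritten manifest:", verify_download(PKG, TAMPERED, ATTACKER_MANIFEST, SIGNATURE))
    print("checksum-only check fooled:  ", checksum_only_verify(PKG, TAMPERED, ATTACKER_MANIFEST))
```

`checksum_only_verify` accepts the tampered package once the attacker has rewritten the manifest to match; `verify_download` rejects it because the rewritten manifest no longer carries a valid signature. That is the limit the page describes: with signed manifests the attack surface shrinks to whoever holds the signing key, so key handling by authors and release maintainers becomes the thing to protect.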

Threats

The following is a partial list of known Linux malware. However, few if any are in the wild (with the exception of Android malware), and most have been rendered obsolete by Linux updates. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.

Trojans

Kaiten - Linux.Backdoor.Kaiten trojan horse
Rexob - Linux.Backdoor.Rexob trojan
Waterfall screensaver backdoor - on gnome-look.org
Droiddream
FakePlayer - Trojan-SMS.AndroidOS.FakePlayer.a

Viruses

42
Arches
Alaeda - Virus.Linux.Alaeda
Bad Bunny - Perl.Badbunny
Binom - Linux/Binom
Bliss - requires root privileges
Brundle
Bukowsk
Caveat
Coin
Diesel - Virus.Linux.Diesel.962
Hasher
Kagob a - Virus.Linux.Kagob.a
Kagob b - Virus.Linux.Kagob.b
Lacrimae (aka Crimea)
MetaPHOR (also known as Simile)
Nuxbee - Virus.Linux.Nuxbee.1403
OSF.8759
PiLoT
Podloso - Linux.Podloso (The iPod virus)
RELx
Rike - Virus.Linux.Rike.1627
RST - Virus.Linux.RST.a (known for infecting the Korean release of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005)
Satyr - Virus.Linux.Satyr.a
Staog - obsoleted by updates
Vit - Virus.Linux.Vit.4096
Winter - Virus.Linux.Winter.341
Winux (also known as Lindose and PEElf)
Wit virus
ZipWorm - Virus.Linux.ZipWorm


Timeline of computer viruses and worms


1960-1969

1966


The work of John von Neumann on the "Theory of self-reproducing automata" is published.[1] The article is based on lectures held by von Neumann at the University of Illinois about the "Theory and Organization of Complicated Automata" back in 1949.

1970-1979

1971

The Creeper virus, an experimental self-replicating program, is written by Bob Thomas at BBN Technologies.[2] Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.

1974


The Wabbit virus, more a fork bomb than a virus, is written. The Wabbit virus makes multiple copies of itself on a single computer (and was named "Wabbit" for the speed at which it did so) until it clogs the system, reducing system performance, before finally reaching a threshold and crashing the computer.

1974/1975


ANIMAL is written by John Walker for the UNIVAC 1108.[4] Animal asked a number of questions to the user in an attempt to guess the type of animal that the user was thinking of, while the related program PERVADE would create a copy of itself and ANIMAL in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared. The program was carefully written to avoid damage to existing file or directory structures, and not to copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that PERVADE used for safe copying. Though non-malicious, "Pervading Animal" represents the first Trojan "in the wild". The novel "The Shockwave Rider" by John Brunner is published; it coins the use of the word "worm" to describe a program that propagates itself through a computer network.

1980-1989

1980


Jürgen Kraus wrote his Diplom thesis "Selbstreproduktion bei Programmen" (self-reproduction of programs).

1981

Elk Cloner, a program written for Apple II systems, is created by Richard Skrenta. The Apple II was seen as particularly vulnerable due to the storage of its operating system on floppy disk. Elk Cloner's design, combined with public ignorance about what malware was and how to protect against it, led to Elk Cloner being responsible for the first large-scale computer virus outbreak in history.

1983


The term 'virus' is coined by Frederick Cohen in describing self-replicating computer programs. In 1984 Cohen uses the phrase "computer virus" as suggested by his teacher Leonard Adleman to describe the operation of such programs in terms of "infection". He defines a 'virus' as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." On November 10, 1983, at Lehigh University, Cohen demonstrates a virus-like program on a VAX 11/750 system. The program was able to install itself to, or infect, other system objects.

A very early Trojan Horse designed for the IBM PC called ARF-ARF was downloaded from BBS sites and claimed to "Sort the DOS Diskette Directory". This was a very desirable feature because DOS didn't list the files in alphabetical order in 1983. Instead, the program deleted all of the files on the diskette, cleared the screen and typed "ARF ARF". ARF was a reference to the common "Abort, Retry, Fail" message you would get when a PC could not boot from a diskette.

1984

Ken Thompson publishes his seminal paper, Reflections on Trusting Trust, in which he describes how he modified a C compiler so that when used to compile a specific version of the Unix operating system, it inserted a backdoor into the login command, and when used to compile itself, it inserted the backdoor insertion code, even if neither the backdoor nor the backdoor insertion code were present in the source code.

1986


January: The Brain boot sector virus (aka Pakistani flu) is released. Brain is considered the first IBM PC compatible virus, and the program responsible for the first IBM PC compatible virus epidemic. The virus is also known as Lahore, Pakistani and Pakistani Brain, as it was created in Lahore, Pakistan by the 19-year-old Pakistani programmer Basit Farooq Alvi and his brother, Amjad Farooq Alvi.

December 1986: Ralf Burger presented the Virdem model of programs at a meeting of the underground Chaos Computer Club in Germany. The Virdem model represented the first programs that could replicate themselves via addition of their code to executable DOS files in COM format.

1987


Appearance of the Vienna virus, which was subsequently neutralized, the first time this had happened on the IBM platform.

Appearance of the Lehigh virus, boot sector viruses such as Yale from the USA, Stoned from New Zealand and Ping Pong from Italy, and appearance of the first self-encrypting file virus, Cascade. Lehigh was stopped on campus before it spread to the wild, and has never been found elsewhere as a result. A subsequent infection of Cascade in the offices of IBM Belgium led to IBM responding with its own antivirus product development. Prior to this, antivirus solutions developed at IBM were intended for staff use only.

October: The Jerusalem virus, part of the (at that time unknown) Suriv family, is detected in the city of Jerusalem. Jerusalem destroys all executable files on infected machines upon every occurrence of Friday the 13th (except Friday 13 November 1987, making its first trigger date May 13, 1988). Jerusalem caused a worldwide epidemic in 1988.

November: The SCA virus, a boot sector virus for Amigas, appears, immediately creating a pandemic virus-writer storm. A short time later, SCA releases another, considerably more destructive virus, the Byte Bandit.

December: Christmas Tree EXEC was the first widely disruptive replicating network program, which paralysed several international computer networks in December 1987.

1988


March 1: The Ping-Pong virus is a boot sector virus. It was discovered at the University of Turin in Italy.

June: The Festering Hate Apple ProDOS virus spreads from underground pirate BBS systems and starts infecting mainstream networks.

November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.

1989


October 1989: Ghostball, the first multipartite virus, is discovered by Friðrik Skúlason.

1990-1999

1990


Mark Washburn, working on an analysis of the Vienna and Cascade viruses with Ralf Burger, develops the first family of polymorphic viruses: the Chameleon family. The Chameleon series debuted with the release of 1260.[10][11][12]

1992


Michelangelo was expected to create a digital apocalypse on March 6, with millions of computers having their information wiped according to mass media hysteria surrounding the virus. Later assessments of the damage showed the aftermath to be minimal.

1993


"Leandro & Kelly" and "Freddy Krueger" spread quickly due to popularity of BBS and shareware distribution

1994


OneHalf is a DOS-based polymorphic computer virus.

1995


The first Macro virus, called "Concept," is created. It attacked Microsoft Word documents.

1996


"Ply" - DOS 16-bit based complicated polymorphic virus appeared with built-in permutation engine

1998


June 2: The first version of the CIH virus appears.

1999


Jan 20: The Happy99 worm first appeared. It invisibly attaches itself to emails, displays fireworks to hide the changes being made, and wishes the user a happy New Year. It modifies system files related to Outlook Express and Internet Explorer (IE) on Windows 95 and Windows 98.


March 26: The Melissa worm was released, targeting Microsoft Word and Outlook-based systems, and creating considerable network traffic.

June 6: The ExploreZip worm, which destroys Microsoft Office documents, was first detected.

December 30: The Kak worm is a JavaScript computer worm that spread itself by exploiting a bug in Outlook Express.

2000 and later

2000




May: The ILOVEYOU worm, also known as VBS/Loveletter and Love Bug worm, is a computer worm written in VBScript. It infected millions of computers worldwide within a few hours of its release. It is considered to be one of the most damaging worms ever. It originated in the Philippines; it was made by Onel de Guzman, an AMA Computer College student, for his thesis.

September: Teenage hacker Jonathan James becomes the first juvenile to serve jail time for hacking.

2001


February 11: The Anna Kournikova virus hits e-mail servers hard by sending e-mail to contacts in the Microsoft Outlook address book. Its creator, Dutchman Jan de Wit, was sentenced to 150 hours of community service.

May 8: The Sadmind worm spreads by exploiting holes in both Sun Solaris and Microsoft IIS.

July: The Sircam worm is released, spreading through Microsoft systems via e-mail and unprotected network shares.

July 13: The Code Red worm, attacking the Index Server ISAPI Extension in Microsoft Internet Information Services, is released.

August 4: A complete re-write of the Code Red worm, Code Red II, begins aggressively spreading onto Microsoft systems, primarily in China.

September 18: The Nimda worm is discovered and spreads through a variety of means including vulnerabilities in Microsoft Windows and backdoors left by Code Red II and the Sadmind worm.

October 26: The Klez worm is first identified. It exploits a vulnerability in Microsoft Internet Explorer and Microsoft Outlook and Outlook Express.

2002


February 11:[18] Simile (computer virus) is a metamorphic computer virus written in assembly.

Beast is a Windows-based backdoor trojan horse, more commonly known as a RAT (Remote Administration Tool). It is capable of infecting almost all versions of Windows OS. Written in Delphi and released first by its author Tataye in 2002, its most current version was released October 3, 2004.

March 7: Mylife (computer worm) is a computer worm that spread itself by sending malicious emails to all the contacts in Microsoft Outlook.

August 30: Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K.

2003


January 24: The SQL Slammer worm, aka Sapphire worm, Helkern and other names, attacks vulnerabilities in Microsoft SQL Server and MSDE and causes widespread problems on the Internet.

April 2: Graybird is a Trojan also known as Backdoor.Graybird.

June 13: ProRat is a Turkish-made Microsoft Windows based backdoor trojan horse, more commonly known as a RAT (Remote Administration Tool).

August 12: The Blaster worm, aka the Lovesan worm, rapidly spreads by exploiting a vulnerability in system services present on Windows computers.

August 18: The Welchia (Nachi) worm is discovered. The worm tries to remove the Blaster worm and patch Windows.

August 19: The Sobig worm (technically the Sobig.F worm) spreads rapidly through Microsoft systems via mail and network shares.


September 18: Swen is a computer worm written in C++.

October 24: The Sober worm is first seen on Microsoft systems and maintains its presence until 2005 with many new variants. The simultaneous attacks on network weak points by the Blaster and Sobig worms cause massive damage.

November 10: Agobot is a computer worm that can spread itself by exploiting vulnerabilities on Microsoft Windows. Some of the vulnerabilities are MS03-026 and MS05-039.

November 20: Bolgimo is a computer worm that spread itself by exploiting a buffer overflow vulnerability in the Microsoft Windows DCOM RPC interface.

2004


January 18: Bagle (computer worm) is a mass-mailing worm affecting all versions of Microsoft Windows. There were two variants of the Bagle worm, Bagle.A and Bagle.B. Bagle.B was discovered on February 17, 2004.

Late January: MyDoom emerges, and currently holds the record for the fastest-spreading mass mailer worm.

February 16: The Netsky worm is discovered. The worm spreads by email and by copying itself to folders on the local hard drive as well as on mapped network drives if available. Many variants of the Netsky worm appeared.

March 19: The Witty worm is a record-breaking worm in many regards. It exploited holes in several Internet Security Systems (ISS) products. It was the fastest disclosure to worm, it was the first internet worm to carry a destructive payload and it spread rapidly using a pre-populated list of ground-zero hosts.

May 1: The Sasser worm emerges by exploiting a vulnerability in LSASS and causes problems in networks, while removing MyDoom and Bagle variants, even interrupting business.

June 15: Caribe or Cabir is a computer worm that is designed to infect mobile phones that run Symbian OS. It is the first computer worm that can infect mobile phones. It spread itself through Bluetooth.

August 16: Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor Trojan Horse that infects Windows NT family systems (Windows 2000, Windows XP, Windows 2003).

August 20: Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan), is a Trojan Horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.


October 12, 2004: Bifrost, also known as Bifrose, is a backdoor trojan which can infect Windows 95 through Vista. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attack.
December: Santy, the first known "webworm", is launched. It exploited a vulnerability in phpBB and used Google in order to find new targets. It infected around 40,000 sites before Google filtered the search query used by the worm, preventing it from spreading.

2005


August 16:[31] Zotob (computer worm) is a worm that spread itself by exploiting the Microsoft Windows Plug and Play buffer overflow (MS05-039).
October 13: The Samy XSS worm becomes the fastest spreading virus by some definitions as of 2006.
Late 2005: The Zlob Trojan, also known as Trojan.Zlob, is a trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005.
2005: Bandook or Bandook Rat (Bandook Remote Administration Tool) is a backdoor trojan horse that infects the Windows family. It uses a server creator, a client and a server to take control over the remote computer. It uses process hijacking / kernel patching to bypass the firewall, and allows the server component to hijack processes and gain rights for accessing the Internet.

2006


January 20: The Nyxem worm was discovered. It spread by mass-mailing. Its payload, which activates on the third of every month, starting on February 3, attempts to disable security-related and file sharing software, and to destroy files of certain types, such as Microsoft Office files.
February 16: Discovery of the first-ever malware for Mac OS X, a low-threat trojan horse known as OSX/Leap-A or OSX/Oompa-A, is announced.
Late March: Brontok variant N was found in late March. Brontok was a mass-email worm, and the worm originated from Indonesia.
Late September: The Stration or Warezov worm is first discovered.

2007


January 17: Storm Worm is identified as a fast-spreading email spamming threat to Microsoft systems. It begins gathering infected computers into the Storm botnet. By around June 30 it had infected 1.7 million computers, and it had compromised between 1 and 10 million computers by September. Thought to have originated from Russia, it disguises itself as a news email containing bogus news stories and asking the recipient to download the attachment, which it claims is a film.
July: Zeus is a Trojan horse that steals banking information by keystroke logging.

2008


February 17: Mocmex is a trojan which was found in a digital photo frame in February 2008. It was the first serious computer virus on a digital photo frame. The virus was traced back to a group in China.
March 3: Torpig, also known as Sinowal and Mebroot, is a Trojan horse that affects Windows, turning off anti-virus applications. It allows others to access the computer, modifies data, steals confidential information (such as user passwords and other sensitive data) and installs more malware on the victim's computer.
May 6: Rustock.C, a hitherto-rumoured spambot-type malware with advanced rootkit capabilities, was announced to have been detected on Microsoft systems and analyzed, having been in the wild and undetected since October 2007 at the very least.
July 6: Bohmini.A is a configurable remote access tool or trojan that exploits security flaws in Adobe Flash 9.0.115 with Internet Explorer 7.0 and Firefox 2.0 under Windows XP SP2.
July 31: The Koobface computer worm targets users of Facebook and MySpace. New variants constantly appear.
November 21: The computer worm Conficker infects anywhere from 9 to 15 million Microsoft server systems running everything from Windows 2000 to the Windows 7 Beta. The French Navy,[40] UK Ministry of Defence (including Royal Navy warships and submarines), Sheffield Hospital network,[42] German Bundeswehr[43] and Norwegian Police were all affected. Microsoft sets a bounty of $250,000 USD for information leading to the capture of the worm's author(s).[44] Five main variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. On December 16, 2008, Microsoft releases KB958644, patching the server service vulnerability responsible for the spread of Conficker.

2009


July 4: The July 2009 cyber attacks occur, with the emergence of W32.Dozor attacking the United States and South Korea.
July 15: Symantec discovers the Daprosy worm. This trojan worm is intended to steal online-game passwords in internet cafes. It can in fact intercept all keystrokes and send them to its author, which makes it a particularly dangerous worm for infecting B2B (business-to-business) systems.

2010


February 18: Microsoft announced that a BSoD problem on some Windows machines, which was triggered by a batch of Patch Tuesday updates, was caused by the Alureon trojan.
June 17: Stuxnet, a Windows trojan, was detected. It is the first worm to attack SCADA systems. There are suggestions that it was designed to target Iranian nuclear facilities. It uses a valid certificate from Realtek.[50]
September 9: The virus called "here you have" or "VBMania" is a simple Trojan horse that arrives in the inbox with the odd-but-suggestive subject line "here you have". The body reads "This is The Document I told you about, you can find it Here" or "This is The Free Download Sex Movies, you can find it Here".
September 15: The virus called Kenzero is a virus that spreads online from peer-to-peer (P2P) sites, taking browsing history

2011


SpyEye and Zeus merged code is seen. New variants attack mobile phone banking information.
Anti-Spyware 2011 is a trojan which attacks Windows 9x, 2000, XP, Vista, and Windows 7, posing as an anti-spyware program. It actually disables security-related processes of antivirus programs, while also blocking access to the Internet, which prevents updates.

The Morto worm emerged in the summer of 2011. It attempts to propagate itself to additional computers via the Remote Desktop Protocol (RDP). Morto spreads by forcing infected systems to scan for servers allowing RDP login. Once Morto finds an RDP-accessible system, it attempts to log in to a domain or local system account named 'Administrator' using a number of common passwords. A detailed overview of how the worm works, along with the password dictionary Morto uses, was done by Imperva.

Sandbox (computer security)


In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.[1] The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.

Examples

Some examples of sandboxes are:


Applets are self-contained programs that run in a virtual machine or scripting language interpreter that does the sandboxing. In application streaming schemes, the applet is downloaded onto a remote client and may begin executing before it arrives in its entirety. Applets are common in web browsers, which use the mechanism to safely execute untrusted code embedded in web pages. Three common applet implementations, Adobe Flash, Java applets and Silverlight, provide (at minimum) a rectangular window with which to interact with the user and some persistent storage (at the user's permission).

A jail is a set of resource limits imposed on programs by the operating system kernel. It can include I/O bandwidth caps, disk quotas, network access restrictions and a restricted filesystem namespace. Jails are most commonly used in virtual hosting.
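The jail idea above, as an added example in Python on Linux (not code from the page or from any product it names): the guest runs under kernel resource limits (RLIMIT_CPU, RLIMIT_FSIZE, RLIMIT_NOFILE) in a throw-away scratch directory with no stdin and a minimal environment. The limit values and the two guest programs that probe them are constructed for the demo.

```python
import resource
import signal
import subprocess
import sys
import tempfile

CPU_SOFT, CPU_HARD = 1, 2   # RLIMIT_CPU seconds (demo values): SIGXCPU at 1 s, SIGKILL at 2 s
MAX_FILE_BYTES = 64 * 1024  # RLIMIT_FSIZE (demo value): writes past 64 KiB fail with EFBIG
MAX_OPEN_FILES = 64         # RLIMIT_NOFILE (demo value): cap on descriptors the guest may hold


def _apply_limits():
    """Runs in the child between fork() and exec(); rlimits survive the exec."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SOFT, CPU_HARD))
    resource.setrlimit(resource.RLIMIT_FSIZE, (MAX_FILE_BYTES, MAX_FILE_BYTES))
    resource.setrlimit(resource.RLIMIT_NOFILE, (MAX_OPEN_FILES, MAX_OPEN_FILES))


def run_sandboxed(argv, wall_timeout=10):
    """Run argv in a fresh scratch directory under the limits above. Returns
    (returncode, stdout, stderr); a negative returncode is the killing signal."""
    with tempfile.TemporaryDirectory() as scratch:
        proc = subprocess.run(
            argv,
            cwd=scratch,                    # the only place the guest should write
            env={"PATH": "/usr/bin:/bin"},  # do not leak the host environment
            stdin=subprocess.DEVNULL,       # no input devices
            preexec_fn=_apply_limits,
            capture_output=True,
            timeout=wall_timeout,
        )
        return proc.returncode, proc.stdout.decode(), proc.stderr.decode()


# Constructed guest 1: fills a file exactly to the cap, then tries one more byte.
WRITE_GUEST = (
    "import errno, os\n"
    "fd = os.open('big.bin', os.O_WRONLY | os.O_CREAT)\n"
    f"os.write(fd, b'A' * {MAX_FILE_BYTES})\n"
    "try:\n"
    "    os.write(fd, b'B'); print('cap not enforced')\n"
    "except OSError as e:\n"
    "    print('blocked:', e.errno == errno.EFBIG)\n"
)
SPIN_GUEST = "while True: pass\n"  # constructed guest 2: the CPU cap, not the wall clock, ends it


def file_limit_blocks_write():
    rc, out, _ = run_sandboxed([sys.executable, "-c", WRITE_GUEST])
    return rc == 0 and out.strip() == "blocked: True"


def cpu_limit_kills_spin():
    rc, _, _ = run_sandboxed([sys.executable, "-c", SPIN_GUEST])
    return rc in (-signal.SIGXCPU, -signal.SIGKILL)
```

A working directory and rlimits do not stop the guest from reading elsewhere on the host or reaching the network; the restricted filesystem namespace and network rules of a real jail need chroot, mount or network namespaces, which require privileges this example deliberately avoids.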
