Malicious Code




Malicious code is defined as software that has the ability to carry out or perform certain unauthorized functions that disrupt or interfere with normal operations on a computing system. There are several general types of malicious code that you must be familiar with for the Security+ exam. You must know the differences and similarities between them. After becoming familiar with these classifications of code and other descriptions, we will move on to the more specific identification of the viruses CompTIA is most likely to expect you to know. Pay attention here! This information is likely to appear on the exam and is very critical to your success.

Viruses

A virus is a program or specific piece of code that is designed, when executed, to duplicate itself and/or spread itself to other areas of a system or to other systems in a networked environment. In general terms, a virus will replicate itself until it uses up all available system resources, such as memory or hard drive space. The result of an undetected virus that has infected a system and succeeded in its goal is a system that simply will not function. In most cases, the system ends up unavailable to other systems, resulting in a Denial of Service.

Worms

A worm is a type of virus that gets its name from its inherent ability to spread itself to other networked systems, remain resident in memory, and keep in contact with other segmented pieces of itself until triggered by a certain event to duplicate and spread itself.

Most worm viruses reside in memory, unattached to files, and when triggered, will reproduce themselves until available resources are exhausted. A worm is a self-contained unit or program that is typically spread through e-mail attachments and network connections such as drive mappings.

Note 

It is very important to understand that a worm is a type of virus that can replicate itself. However, worms do not attach to other programs. In other words, worms are not carried by or attached to hosting files.

Trojan Horses

A Trojan horse is a program that appears on the outside to be harmless. It masquerades as an apparently nondestructive, innocent application, program, or message. Most Trojan horses carry very dangerous payloads that are often highly destructive to networks and systems.

Most Trojan horses are hidden in Internet attachments, often distributed by e-mail in the form of jokes, love letters, and misleading advertisements. One of the most important facts to understand regarding Trojan horses is that they do not replicate or copy themselves. They require an action on the part of the user to activate and deliver their dangerous contents, such as opening an attachment or running an application.

Note 

It is very important to understand that while worms and viruses duplicate themselves, Trojans do not.

Logic Bombs

As you may recall from your study of Chapters 7 and 8, logic bombs are malicious code inserted into an operating system or application and set to 'explode,' or go off, when triggered by a certain time, date, or event. In simple terms, a logic bomb can be a virus or Trojan horse that activates when certain conditions are met.

Some logic-bomb code is very tricky and hard to detect, as it just sits there and waits for certain criteria to be met before activating. Some antivirus scanners have the ability to detect logic-bomb code. For the best possible protection from logic bombs, it is suggested that each computer system have its own antivirus software, that network screening controls be in place, that real-time virus protection be enabled, and that all e-mail scanning functions be enabled.

Note 

Logic bombs are often left behind by disgruntled former employees with a grudge or a score to settle. In most cases, these bomb planters are technically savvy programmers, developers, or network administrators.

File Infectors

File infectors are viruses that attach themselves to executable files. When the program or application is executed, so is the virus attached to it. These types of viruses usually associate themselves with EXE and COM files.

System or Boot Infectors

System or boot infectors are viruses that attach themselves to and damage system areas such as a hard drive's Master Boot Record (MBR) or the boot sector of a floppy disk. Simply put, once a system is infected, these viruses are triggered when the system is booted from the infected hard drive or floppy disk. You will most likely end up with a trashed hard drive if you are infected with this older type of virus, and you might have to do a low-level format of your hard disk and reload the operating system.
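The usual defensive check against a boot infector is to compare the current MBR against a known-good baseline. The following is an added example, not code from the exam guide: it builds a constructed 512-byte sector (446 bytes of bootstrap code, a 64-byte partition table, and the 0x55AA boot signature in the last two bytes), records SHA-256 hashes of the two regions as a baseline, and reports which region changed. The helper names and the constructed sector contents are assumptions for illustration; a real check would read the first sector of the disk, and, because a memory-resident stealth virus can hand a clean copy to whatever reads the sector, it should be run from known-clean boot media.

```python
import hashlib

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446          # bootstrap code area at the start of the MBR
PARTITION_TABLE_LEN = 64     # four 16-byte partition entries follow it
BOOT_SIG_OFFSET = 510        # the last two bytes hold the boot signature
BOOT_SIGNATURE = b"\x55\xAA"  # 0xAA55 as it appears on disk (little-endian)


def make_sample_mbr(bootstrap_fill: int) -> bytes:
    """Return a constructed sector for demonstration; not read from any real disk."""
    bootstrap = bytes([bootstrap_fill]) * BOOTSTRAP_LEN   # stand-in for boot code
    table = bytes(PARTITION_TABLE_LEN)                    # empty partition table
    return bootstrap + table + BOOT_SIGNATURE


def sector_hashes(sector: bytes) -> dict:
    """Hash the bootstrap and partition-table regions separately and check the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    return {
        "bootstrap": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(sector[BOOTSTRAP_LEN:BOOT_SIG_OFFSET]).hexdigest(),
        "valid_signature": sector[BOOT_SIG_OFFSET:] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a sector with a baseline; an empty list means nothing changed."""
    findings = []
    current = sector_hashes(sector)
    if not current["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if current["bootstrap"] != baseline["bootstrap"]:
        findings.append("bootstrap code changed")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition table changed")
    return findings


if __name__ == "__main__":
    # Record a baseline from the clean (constructed) sector, then test a modified one.
    clean = make_sample_mbr(0x90)
    baseline = sector_hashes(clean)
    tampered = bytearray(clean)
    tampered[0] = 0xEB            # first bootstrap byte altered, as a file-level change would be
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(bytes(tampered), baseline))
```

Hashing the bootstrap code and the partition table separately tells you which part of the sector was touched: a boot infector rewrites the bootstrap area, while a repartitioning tool changes only the table.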

Macro Viruses

A macro virus is a virus that uses the macro code or programming language of another application, such as Microsoft Word or Excel, to be distributed. Macro viruses are the most common type of virus. They are considered a minimal threat because they do not infect a system's boot sector or actually infect other programs. Most macro viruses are designed to insert numbers, characters, words, or phrases into documents or spreadsheets. If you have a good antivirus solution with updated definition files and real-time protection activated, most common macro viruses will be detected and cleaned.

Stealth Viruses

A virus with stealth characteristics hides itself and sends bogus responses back to an antivirus package's scan request in order to avoid detection. In other words, stealth viruses 'lie' to antivirus packages by making it appear that certain files are in working order. When a stealth virus attacks, it will typically make a good copy of the file that it attacks. When a scan request is initiated, the virus sends the good copy of the file to the scanning package. The original Brain virus was a stealth-type virus that infected a hard drive's boot sector. It remained memory resident, masqueraded as a good file, and fooled the operating system and scanners into believing everything was hunky dory.

A stealth virus can be passed to many systems and files in a networked environment continuously tricking port sniffers and antivirus software scanners. Stealth viruses can infect boot sectors as well as proliferate with the execution of a program or with the simple event of someone opening a folder or file. Typically, stealth viruses receive very high virus threat ratings (these are described shortly).

Polymorphic Viruses

A polymorphic virus possesses the ability to change its own internal code and byte structure as it is being duplicated. This ability to change itself and appear to take on multiple forms of existence is referred to as polymorphism. Viruses that have polymorphic qualities are very difficult to detect by signature scanning antivirus software packages.

Blended Threats

Blended threats are viruses that combine the most lethal characteristics of viruses, worms, and Trojans in order to cause mass destruction and wreak total havoc on a targeted network or system. Blended threats can spread through a network or multiple networks very quickly. They are becoming popular tools among those who wish to cause mass damage. Weak or unprotected networks and systems stand little chance of survival against blended attacks. Blended threats will usually include the following characteristics:

  • They will spread automatically by continuously scanning the Internet for Web servers with open or vulnerable TCP/IP ports.

  • They will usually insert Trojan or logic-bomb code in targeted servers for timed attacks.

  • They will create network shares, change account privileges, and utilize existing network mappings as ways to propagate within an infected network.

Virus Variants

Variants are new viruses or virus strains that take the code of existing, well-known viruses and sometimes modify it. Existing well-known viruses are considered somewhat easy to predict and protect against with properly updated and configured quality antivirus software. However, with new strains of viruses constantly being developed and introduced into our electronic world, we must continually remain diligent in order to protect our corporate as well as private (home) electronic jewels. In other words, the major antivirus software manufacturers need to plan for and anticipate the development of virus variations by continuing to create and improve upon virus packages and definitions that can identify malicious core code. Corporate management needs to budget for and purchase quality antivirus software and hardware, and network security folks must properly configure and manage the gifts they might be blessed with.

Virus variants and their payloads (these will be described shortly) can be compared with terrorist attacks. It is not obvious when, where, or how they may occur, but it is quite evident that we must anticipate and prepare for them in order to deter or minimize their effects.

Retroviruses

A retrovirus is designed to attack antivirus software programs first with the intent of passing through undetected. It is not likely that the current Security+ exam will target this definition. However, it is important as a computer security professional that you are aware of what a retrovirus is.

Viruses 'In the wild'

Viruses that are 'in the wild' exist and spread on systems and in networks that are commonly used on a daily basis. Viruses that are in the wild are also viruses that exist outside of contained and controlled environments, such as registered scientific antivirus research systems. An organization known as The WildList Organization International maintains a constantly updated list of which viruses are 'in the wild.' You can learn more about The WildList Organization International and the 'in the wild' virus list by visiting the following Internet site: http://www.wildlist.org/.

Zoo Viruses

A Zoo virus threat is a threat that only exists in contained, controlled antivirus labs. A Zoo threat, or virus that resides in the Zoo laboratory, is not considered to be a threat to normal everyday systems and networks. In other words, it is not 'in the wild.' Typically, Zoo viruses are used to test the responsiveness of a particular software product that is in development. In other words, researchers will see how a program reacts when viruses are introduced.

Virus Payload

The actual action that a virus carries out is called the virus's payload, which can be either malicious or harmless. A malicious payload could be the reformatting of your hard drive, the deletion of certain files, or an attempt to access confidential information such as bank account or credit card information that is stored on a system. A harmless payload can be described as a pop-up message that tells you how smart you are or displays some other form of advertisement. Many virus payloads are triggered by a certain date, time, or event. This date, time, or event is known as the payload trigger.

Virus Threat Rating

A virus threat or risk rating is a calculated value that represents the possible level of severity or threat that an identified virus or piece of malicious code represents to a computer system. A virus's risk rating is calculated with several factors in mind. Most often factors such as the number of attacks reported, the ability for a virus to replicate itself and spread, as well as the severity and possible damage that a virus's payload can cause, are used to calculate a virus's severity of threat rating. The major antivirus solution providers such as Symantec and McAfee post the most common, as well as past reported, viruses and their potential threat or risk ratings on their Internet sites.

Malware

Malware is a term that is used loosely to describe unwanted malicious software and other software that is just plain unwelcome. Malware can be viruses, Trojans, or worms. Simply put, Malware is shorthand for malicious code. It is something that produces unwanted, unexpected results.

Spyware

Spyware is a program or piece of software that remains hidden on a system that monitors and logs another system's activities. There are many free as well as commercial spyware programs that you can get which will allow you to secretly record, capture, and store Instant Messaging conversations, e-mails, and other related data. There are also particular spyware-removal software products available that will assist you with the removal of spyware software that might be hidden in your system or somewhere in the labyrinth of your corporate enterprise.

Terminology

It is important that you are familiar with virus naming terminology in order to assist you with the identification of certain virus types. If you surf the Internet for virus names, specifically the sites provided by the major antivirus software manufacturers, you will notice that many of the computer viruses listed include .dr, .enc, @m, or @mm in their names. For instance, take the virus name W32.Nimda.A@mm. The @mm in this virus's name signifies that this particular virus is a mass-mailing worm virus. Please familiarize yourself with the following basic terminology for the exam:

  • .dr: This represents files that are considered to be dropper files. These are programs that drop a virus or worm onto a victim's computer system.

  • .enc: This refers to a file that has been encrypted or encoded. Viruses commonly use these types of files to hide themselves.

  • @m: This refers to mailer worms, which are viruses that attach themselves to mail which the victim sends in order to spread.

  • @mm: This refers to mass-mailer worms, which are viruses that attach themselves to malicious mails and are sent automatically to contacts in an address book.
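As an added example (not part of the exam guide), the parser below splits a name of the form used above, such as W32.Nimda.A@mm, into its platform prefix, family name, variant letter, and the .dr, .enc, @m and @mm suffixes described in the list, and maps each suffix to its meaning. The name layout assumed here (platform, then family, then optional variant, then zero or more suffixes) and the sample names other than W32.Nimda.A@mm are constructed for illustration; vendors' real naming schemes vary in their details.

```python
import re

# Meanings of the suffixes listed in the text, keyed by the literal suffix.
SUFFIX_MEANINGS = {
    ".dr": "dropper: a program that drops a virus or worm onto the victim's system",
    ".enc": "encrypted or encoded component used to hide the virus",
    "@m": "mailer worm: attaches itself to mail the victim sends",
    "@mm": "mass-mailer worm: mails itself automatically to address-book contacts",
}

# Assumed layout: <platform>.<family>[.<variant>][suffixes...]
# The negative lookahead stops ".dr" or ".enc" from being read as a variant letter.
NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)"
    r"\.(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?!dr\b|enc\b)(?P<variant>[A-Za-z]+))?"
    r"(?P<suffixes>(?:\.dr|\.enc|@mm|@m)*)$"
)
SUFFIX_RE = re.compile(r"\.dr|\.enc|@mm|@m")   # @mm listed before @m so it wins


def parse_virus_name(name: str) -> dict:
    """Break a vendor-style virus name into its parts and explain the suffixes."""
    match = NAME_RE.match(name)
    if not match:
        raise ValueError(f"unrecognised virus name format: {name!r}")
    suffixes = SUFFIX_RE.findall(match.group("suffixes"))
    return {
        "platform": match.group("platform"),
        "family": match.group("family"),
        "variant": match.group("variant"),        # None when no variant letter is present
        "flags": suffixes,
        "descriptions": [SUFFIX_MEANINGS[s] for s in suffixes],
        "mass_mailer": "@mm" in suffixes,
    }


if __name__ == "__main__":
    # W32.Nimda.A@mm is the name used in the text; the others are constructed samples.
    for sample in ["W32.Nimda.A@mm", "W32.Sample.B.dr", "W32.Sample.enc", "W97M.Sample.A@m"]:
        info = parse_virus_name(sample)
        print(sample, "->", info["platform"], info["family"], info["variant"], info["flags"])
        for line in info["descriptions"]:
            print("   ", line)
```

The mass_mailer flag is the one an administrator most wants to act on quickly, since a mass mailer spreads without any further user action once it runs.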

There are many variations of viruses, worms, and Trojans. Next, we will get specific with our study of malicious code in order to prepare you for the worst.






The Security+ Exam Guide. TestTaker's Guide Series
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
