General characteristics of computer virus neutralization tools. Classification of viruses


General characteristics of computer virus neutralization tools

The most common means of neutralizing computer viruses are anti-virus programs (antiviruses). Based on the approach to identifying and neutralizing viruses that they implement, antiviruses are usually divided into the following groups (Fig. 8.2):

Detectors;

Vaccines;

Vaccinations;

Auditors;

Monitors.


Fig. 8.2 Classification of antiviruses: detectors, phages, vaccines, vaccinations, auditors, monitors

Detectors provide virus detection by viewing executable files and searching for so-called signatures: stable sequences of bytes found in the bodies of known viruses. The presence of a signature in a file indicates that it is infected with the corresponding virus. An antivirus that can search for several different signatures is called a polydetector.

Phages perform functions typical of detectors, but, in addition, “cure” infected programs by “biting” viruses out of their bodies. By analogy with polydetectors, phages focused on neutralizing various viruses are called polyphages.

Unlike detectors and phages, vaccines are similar to viruses in their principle of action. The vaccine is implanted into the protected program and remembers a number of quantitative and structural characteristics of the latter. If the vaccinated program was not infected at the time of vaccination, then the following happens at the first launch after infection. Activation of the virus carrier transfers control to the virus, which, having performed its target functions, transfers control to the vaccinated program. In the latter, in turn, the vaccine receives control first and checks whether the characteristics it remembered match the same characteristics obtained at that moment. If the two sets of characteristics do not match, it is concluded that the text of the vaccinated program has been modified by the virus. The characteristics used by vaccines may be the length of the program, its checksum, etc.

The operating principle of vaccinations is based on the fact that any virus, as a rule, marks infected programs with some attribute in order to prevent them from being re-infected. Otherwise, multiple infections would occur, accompanied by a significant and therefore easily detectable increase in the size of infected programs. The vaccination, without making any other changes to the text of the protected program, marks it with the same sign as the virus, which thus, after activating and checking for the presence of that sign, considers the program already infected and leaves it alone.

Auditors monitor the state of the file system using an approach similar to that implemented in vaccines. During its operation, the audit program compares, for each executable file, its current characteristics with the same characteristics obtained during the previous review of the file. If it is found that, according to the available system information, the file has not been updated by the user since the previous review, and yet the compared sets of characteristics do not match, then the file is considered infected. The characteristics of executable files obtained during each review are stored in a separate file (or files), so the increase in the length of executable files that occurs with vaccination does not occur here. Another difference between auditors and vaccines is that each inspection of executable files by the auditor requires it to be started again.
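An added example (not from the original text) of the auditor scheme just described: the characteristics of each executable (length and a checksum) are kept in a separate database file, and on the next review a mismatch is reported as an infection only if the system's modification time shows that the file was not updated by the user in between. The file names, the database name and the scenario are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

DB_NAME = "audit.json"  # assumed name of the auditor's own database file


def characteristics(path):
    """Characteristics the auditor remembers per executable file: length, checksum, mtime."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "sha256": digest, "mtime_ns": st.st_mtime_ns}


def record_baseline(paths, db_path):
    """First review: store the characteristics of every file in a separate database file."""
    db = {p: characteristics(p) for p in paths}
    with open(db_path, "w") as f:
        json.dump(db, f)
    return db


def audit(paths, db_path):
    """Next review: compare current characteristics with the remembered ones.

    Verdicts: "ok" (unchanged), "updated" (contents and modification time both
    changed, i.e. a user update according to system information), "infected"
    (contents changed while the modification time did not) and "new" (no record).
    """
    with open(db_path) as f:
        db = json.load(f)
    verdicts = {}
    for p in paths:
        now = characteristics(p)
        old = db.get(p)
        if old is None:
            verdicts[p] = "new"
        elif now["size"] == old["size"] and now["sha256"] == old["sha256"]:
            verdicts[p] = "ok"
        elif now["mtime_ns"] == old["mtime_ns"]:
            verdicts[p] = "infected"
        else:
            # Trusting the timestamp is the weak point of this rule: a file
            # reported here as updated still deserves a look if the user did not change it.
            verdicts[p] = "updated"
    return verdicts


def _overwrite(path, data, mtime_ns):
    """Scenario helper: rewrite a file and then set its modification time explicitly."""
    atime_ns = os.stat(path).st_atime_ns
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, ns=(atime_ns, mtime_ns))


def demo():
    """Constructed scenario with three files; returns the verdicts for a.exe, b.exe, c.exe."""
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (os.path.join(d, n) for n in ("a.exe", "b.exe", "c.exe"))
        for p in (a, b):
            with open(p, "wb") as f:
                f.write(b"MZ original program body")
        db = os.path.join(d, DB_NAME)
        record_baseline([a, b], db)
        old_a = os.stat(a).st_mtime_ns
        old_b = os.stat(b).st_mtime_ns
        # a.exe: contents grow, but the timestamp is put back, as a stealthy infector would do
        _overwrite(a, b"MZ original program body" + b" appended code", old_a)
        # b.exe: contents change and the timestamp moves forward one second, a normal user update
        _overwrite(b, b"MZ new version of the program", old_b + 1_000_000_000)
        # c.exe: appeared after the baseline, so there is nothing to compare it with
        with open(c, "wb") as f:
            f.write(b"MZ brand new program")
        verdicts = audit([a, b, c], db)
        return verdicts[a], verdicts[b], verdicts[c]


if __name__ == "__main__":
    print(demo())  # ('infected', 'updated', 'new')
```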

Classification

Nowadays, there are many varieties of viruses, differing in the main method of distribution and functionality. If initially viruses were distributed on floppy disks and other media, now viruses spreading via the Internet dominate. The functionality of viruses, which they adopt from other types of programs, is also growing.

Currently, there is no unified system for classifying and naming viruses.

Classification according to affected objects:

1. Boot viruses - run when the computer boots and infect the bootstrap program stored in the boot sector of a floppy disk or hard drive.

2. File viruses - attach themselves to a file or program and are activated each time the file is used. They can also be distributed through document files (Microsoft Office Word, Excel, etc.) without modifying them, having only some relation to them.

Classification of file viruses by infection method:

o Overwriting viruses - viruses of this type write their body in place of the program code, without changing the name of the executable file, as a result of which the original program stops working. When the program is launched, the virus code is executed instead of the program itself.

o Companion viruses - like overwriting viruses, they create a copy of themselves in place of the infected program, but unlike overwriting viruses they do not destroy the original file, instead renaming or moving it. When the program is launched, the virus code is executed first, and then control is transferred to the original program.

o File worms - create copies of themselves with names that are attractive to the user (for example, Game.exe, install.exe, etc.) in the hope that the user will launch them.

o Link viruses - do not change the program code, but force the operating system to execute their own code by changing the location address of the infected program on the disk to their own address. After the virus code is executed, control is usually transferred to the program called by the user.

o Viruses that infect the source code of programs - viruses of this type infect the source code of a program or its components (.OBJ, .LIB, .DCU), as well as VCL and ActiveX components. After compilation, the virus ends up built into the resulting program.

o Viruses without an entry point - these include viruses that do not write a control transfer command (JMP) into the header of COM files and do not change the start address in the header of EXE files. Such viruses write a command transferring control to their code somewhere in the middle of the file and receive control not directly when the infected file is launched, but when a procedure containing that control transfer is called. Moreover, this procedure may be executed extremely rarely (for example, when a message about a specific error is displayed).

3. Script viruses - written in various scripting languages: BATCH, PHP, JS, VBS. There are both harmless and dangerous kinds. Dangerous ones may have the task (in the absence of an antivirus program) of destroying all information on the hard drive. These viruses can be placed both on Internet sites and in documents (they even have similarities with network worms).

4. Macro viruses - programs in languages built into many data processing systems (text editors, spreadsheets, etc.). To reproduce, such viruses use the capabilities of macro languages and, with their help, transfer themselves from one infected file (document or spreadsheet) to others. The most widespread are macro viruses for Microsoft Word, Excel and Office 97. There are also macro viruses that infect Ami Pro documents and Microsoft Access databases.

5. Network worms - spread as a whole in local and global computer networks, without transferring their parts over the network piece by piece. Often worms, even without any payload, overload and temporarily disable networks simply through their intensive spread.

Classification by affected operating systems and platforms:

1. DOS viruses

2. Microsoft Windows viruses

Classification according to the technologies used by the virus:

1. Polymorphic viruses - viruses that use a technique which makes detection by scan strings and, possibly, by heuristics difficult. Polymorphism consists in generating the virus code during execution, and the procedure that generates the code must itself not be constant: it is modified with each new infection.

2. Stealth viruses - viruses that completely or partially hide their presence in the system by intercepting operating system calls that read, write or read additional information about infected objects (boot sectors, file system elements, memory, etc.).

Classification according to the language in which the virus is written:

1. Assembler

2. High-level language

3. Scripted

Classification according to destructive capabilities:

1. Harmless viruses - viruses that do not affect the operation of the computer in any way (except for reducing the free space on the disk as a result of their spread).

2. Non-dangerous viruses - viruses whose influence is limited to reducing free space on the disk and to graphic, sound and other effects.

3. Dangerous viruses – viruses that can cause serious malfunctions in your computer.

4. Very dangerous viruses - viruses whose algorithm of operation contains procedures that can lead to the loss of programs, destroy data, and erase information necessary for the operation of the computer recorded in system memory areas.

Other “malware”:

1. Trojan horses - malicious programs that penetrate a computer under the guise of something harmless: a codec, a screensaver, hacker software, etc. Trojan horses do not have their own propagation mechanism, which distinguishes them from viruses, which spread by attaching themselves to harmless software or documents, and from worms, which copy themselves over the network; however, a Trojan program can carry a viral body, in which case the person who launched the Trojan becomes the source of “infection”.

2. Hidden administration utilities - Trojan horses of this class are essentially quite powerful utilities for remote administration of computers on a network. In their functionality they are in many ways reminiscent of the administration systems developed and distributed by various software manufacturers. Once installed on a computer, hidden control utilities allow whatever their author intended to be done with the computer: receiving/sending files, running and deleting them, displaying messages, erasing information, restarting the computer, etc. As a result, these Trojans can be used to find and transmit confidential information, launch viruses, destroy data, etc.; affected computers are open to malicious actions by hackers.

3. Intended viruses - programs that at first glance are 100% viruses but are unable to reproduce because of errors. For example, a virus that, when infecting, “forgets” to place a command transferring control to the virus code at the beginning of files, or writes the wrong address of its code there, or sets the address of the intercepted interrupt incorrectly, etc.

Distribution mechanism

Viruses spread by copying their body and ensuring its subsequent execution: introducing themselves into the executable code of other programs, replacing other programs, registering themselves in autorun, and more. A virus or its carrier can be not only a program containing machine code, but also any information containing automatically executed commands, for example batch files and Microsoft Word and Excel documents containing macros. In addition, to penetrate a computer, a virus can use vulnerabilities in popular software (for example, Adobe Flash, Internet Explorer, Outlook), for which distributors inject it into ordinary data (pictures, texts, etc.) together with an exploit that uses the vulnerability.

An exploit (English exploit, “to exploit”) is a computer program, a piece of software code or a sequence of commands that exploits vulnerabilities in software and is used to carry out an attack on a computer system. The purpose of the attack can be either to seize control of the system (privilege escalation) or to disrupt its functioning (DoS attack).

Channels

  • Floppy disks. The most common channel of infection in the 1980-1990s. Now practically absent due to the emergence of more common and efficient channels and the lack of floppy drives on many modern computers.
  • Flash drives (USB drives). Currently USB flash drives are replacing floppy disks and repeating their fate: a large number of viruses spread through removable storage devices, including digital cameras, digital video cameras, digital players (MP3 players), and since the 2000s cell phones, especially smartphones, have played an increasingly important role. The use of this channel was previously driven primarily by the ability to create a special autorun.inf file, in which you can specify the program that Windows Explorer starts when such a drive is opened. In Windows 7, autorun of files from portable media was disabled.
  • Email. Typically, viruses in emails are disguised as harmless attachments: pictures, documents, music, links to websites. Some emails may contain only links, that is, the emails themselves do not contain malicious code, but opening such a link can lead to a specially created website containing virus code. Many email viruses, once on a user's computer, then use the address book of installed mail clients such as Outlook to send themselves further.
  • Instant messaging systems. Here it is also common to send, via ICQ and other instant messaging programs, links to supposed photos, music or programs that are actually viruses.
  • Web pages. Infection through Internet pages is also possible due to the presence of various “active” content on World Wide Web pages: scripts, ActiveX components. In this case, vulnerabilities are exploited in software installed on the user's computer, or in the site owner's software (which is more dangerous, since respectable sites with a large flow of visitors are exposed to infection), and unsuspecting users who visit such a site risk infecting their computer.
  • Internet and local networks (worms). Worms are a type of virus that penetrates a victim computer without user intervention. Worms use so-called “holes” (vulnerabilities) in operating system software to penetrate a computer. Vulnerabilities are errors and flaws in software that allow machine code to be downloaded and executed remotely, as a result of which a worm virus enters the operating system and, as a rule, begins infecting other computers via a local network or the Internet. Attackers use infected user computers to send spam or carry out DDoS attacks.

Anti-detection

In the days of MS-DOS, stealth viruses were common that intercepted interrupts to access the operating system. The virus could thus hide its files from the directory tree or substitute the original copy instead of the infected file.

With the widespread use of anti-virus scanners that check any code before execution for signatures or suspicious actions, this technology is no longer sufficient. Hiding a virus from the process list or directory tree so as not to attract unnecessary user attention is a basic technique; more sophisticated methods are required to counter antiviruses. To counteract signature scanning, code encryption and polymorphism are used. These techniques are often used together because, in order to decrypt the encrypted part of the virus, the decryptor must be left unencrypted, which allows it to be detected by its signature. Therefore, to change the decryptor, polymorphism is used: a modification of the sequence of commands that does not change the actions performed. This is possible thanks to the highly diverse and flexible instruction set of Intel processors, in which the same elementary action, such as adding two numbers, can be performed by several sequences of instructions.

Code shuffling is also used, in which individual instructions are randomly reordered and connected by unconditional branches. Metamorphism, which is often confused with polymorphism, is considered the cutting edge of viral technology. The decryptor of a polymorphic virus is relatively simple; its function is to decrypt the main body of the virus after it has been loaded, that is, after its code has been checked by the antivirus and launched. It does not contain the polymorphic engine itself, which is located in the encrypted part of the virus and generates the decryptor. In contrast, a metamorphic virus may not use encryption at all, since it rewrites all of its code with each replication.

Prevention and treatment

Currently there are many antivirus programs used to prevent viruses from entering a PC. However, there is no guarantee that they will be able to cope with the latest developments. Therefore, some precautions should be taken, in particular:

  1. Don't go to unfamiliar sites
  2. Use only licensed distributions
  3. Constantly update virus databases
  4. Try to limit yourself from accepting unfamiliar files

Economics

Some antivirus manufacturers claim that the creation of viruses has now turned from a solitary hooligan activity into a serious business with close relations with spam business and other illegal activities.

Damages from the actions of viruses and worms are also quoted in the millions and even billions. Such statements and estimates should be treated with caution: the amounts of damage estimated by different analysts differ (sometimes by three to four orders of magnitude), and calculation methods are not provided.

History

The foundations of the theory of self-reproducing mechanisms were laid by an American of Hungarian origin, John von Neumann, who in 1951 proposed a method for creating such mechanisms. Working examples of such programs have been known since 1961.

The first known actual viruses are Virus 1,2,3 and Elk Cloner for the Apple II PC, which appeared in 1981. In the winter of 1984, the first antivirus utilities appeared: CHK4BOMB and BOMBSQAD by Andy Hopkins. In early 1985, Gee Wong wrote the DPROTECT program, the first resident antivirus.

The first virus epidemics date back to 1987-1989: Brain (more than 18 thousand infected computers, according to McAfee), Jerusalem (appeared on Friday May 13, 1988, destroying programs when they were launched), Morris worm (over 6200 computers, most networks failed for up to five days), DATACRIME (about 100 thousand infected PCs in the Netherlands alone).

At the same time, the main classes of binary viruses took shape: network worms (Morris worm, 1987), Trojan horses (AIDS, 1989), polymorphic viruses (Chameleon, 1990), stealth viruses (Frodo, Whale, 2nd half of 1990).

At the same time, organized movements of both pro- and anti-virus orientation took shape: in 1990 there appeared a specialized BBS, Virus Exchange, “The Little Black Book of Computer Viruses” by Mark Ludwig, and the first commercial antivirus from Symantec, Norton Antivirus.

In 1992, the first virus designer for the PC, VCL, appeared (for the Amiga, designers existed before), as well as ready-made polymorphic modules (MtE, DAME and TPE) and encryption modules for embedding into new viruses.

In the next few years, stealth and polymorphic technologies were finally perfected (SMEG.Pathogen, SMEG.Queeg, OneHalf, 1994; NightFall, Nostradamus, Nutcracker, 1995), and the most unusual methods of penetrating the system and infecting files were tried (Dir II - 1991, PMBS, Shadowgard, Cruncher - 1993). In addition, viruses emerged that infect object files (Shifter, 1994) and program source code (SrcVir, 1994). With the spread of the Microsoft Office package, macro viruses became widespread (Concept, 1995).

In 1996, the first virus for Windows 95 appeared - Win95.Boza, and in December of the same year - the first resident virus for it - Win95.Punch.

With the spread of networks and the Internet, file viruses are increasingly focused on them as the main channel of work (ShareFun, 1997 - an MS Word macro virus that uses MS-Mail for distribution; Win32.HLLP.DeTroie, 1998 - a family of spyware viruses; Melissa, 1999 - a macro virus and a network worm that broke all records in terms of spreading speed). The era of the heyday of “Trojan horses” was opened by the hidden remote administration utility BackOrifice (1998) and its subsequent analogues (NetBus, Phase).

The Win95.CIH virus reached its zenith in using unusual methods, overwriting the FlashBIOS of infected machines (the June 1998 epidemic is considered the most destructive in recent years).

In the late 1990s and early 2000s, with the increasing complexity of software and the system environment, the massive transition to the relatively secure Windows NT family, the consolidation of networks as the main channel for data exchange, as well as the success of anti-virus technologies in detecting viruses built using complex algorithms, the latter increasingly began to replace injection into files with injection into the operating system (unusual autorun, rootkits) and to replace polymorphism with a huge number of variants (the number of known viruses is growing exponentially).

A rootkit (English rootkit, i.e. “root kit”) is a program or set of programs for hiding traces of the presence of an attacker or malicious program in the system.

At the same time, the discovery of numerous vulnerabilities in Windows and other common software has opened the way for exploit worms. In 2004, epidemics of unprecedented scale were caused by MsBlast (more than 16 million systems according to Microsoft), Sasser and Mydoom (estimated damage of $500 million and $4 billion, respectively).

In addition, monolithic viruses are largely giving way to complex malware with separation of roles and auxiliary tools (Trojans, downloaders/droppers, phishing sites, spambots and spiders). Social technologies - spam and phishing - are also flourishing as a means of infection that bypasses software security mechanisms.

Find the meanings of the words: “exploit”, “droppers”, “spambots”, “phishing”, “botnets”

Initially based on Trojan programs, and with the development of p2p network technologies also independently, the most modern type of viruses, botnet worms, is gaining momentum (Rustock, 2006, about 150 thousand bots; Conficker, 2008-2009, more than 7 million bots; Kraken, 2009, about 500 thousand bots). Viruses, among other malware, are finally becoming established as a means of cybercrime.

Find the meaning of p2p network technologies

Etymology of the name

A computer virus was named by analogy with biological viruses due to a similar mechanism of spread. Apparently, the word “virus” was first used in relation to a program by Gregory Benford in the science fiction story “The Scarred Man,” published in Venture magazine in May 1970. The term “computer virus” was subsequently discovered and rediscovered more than once - for example, the variable in the PERVADE program (1975), the value of which determined whether the ANIMAL program would spread across the disk, was called VIRUS. Also, Joe Dellinger called his programs a virus and, probably, this was the first virus called a “virus” itself.

A malicious program (in the jargon of antivirus services “malware”, English malware, malicious software) is any software designed to gain unauthorized access to the computing resources of the computer itself or to information stored on it, for the purpose of unauthorized use of computer resources or of causing harm (damage) to the owner of the information and/or the owner of the computer and/or the owner of the computer network, by copying, distorting, deleting or substituting information.

Terminology

By basic definition, malware is designed to gain unauthorized access to information, bypassing the existing access control rules. The Federal Service for Technical and Export Control (FSTEC of Russia) defines these concepts as follows:

  • Authorized access to information (English authorized access to information) - access to information that does not violate the access control rules.
  • Unauthorized access to information (English unauthorized access to information) - access to information that violates the access control rules using the standard means provided by computer technology or automated systems. By standard means we mean the set of software, firmware and hardware of computer equipment or automated systems.
  • Access control rules (English access mediation rules) - a set of rules regulating the access rights of access subjects to access objects.

According to Article 273 of the Criminal Code of the Russian Federation (“Creation, use and distribution of malicious programs for computers”), the definition of malicious programs is as follows: “... computer programs or making changes to existing programs, knowingly leading to unauthorized destruction, blocking, modification or copying of information, disruption of the operation of a computer, computer system or their network..."

It should be noted that the current wording of Article 273 interprets the concept of harmfulness extremely broadly. When the inclusion of this article in the Criminal Code was discussed, it was understood that “unauthorized” would mean program actions not explicitly approved by the user of that program. However, current judicial practice also classifies as malicious programs that modify (with the user's permission) executable files and/or databases of other programs, if such modification is not permitted by their copyright holders. At the same time, in a number of cases, given a principled position of the defense and a competent expert examination, the broad interpretation of Article 273 was declared unlawful by the court.

Classification of malware

Each antivirus software company has its own corporate classification and nomenclature of malware. The classification given in this article is based on the nomenclature of Kaspersky Lab.

By malicious payload

  • Interference with the operation of an infected computer: from opening and closing the CD-ROM tray to data destruction and hardware breakdown.
    • Blocking anti-virus sites, anti-virus software and administrative functions of the OS in order to complicate treatment.
    • Sabotage of computer-controlled industrial processes.
  • Installation of other malware.
    • Unpacking another malware already contained inside the file (dropper).
  • Theft, fraud, extortion and spying on the user. Theft can rely on scanning the hard drive, recording keystrokes (keylogger) and redirecting the user to fake sites that exactly replicate the original resources.
    • Theft of valuable or secret data.
    • Theft of accounts of various services (email, instant messengers, game servers...). Accounts are used to send spam. You can also often obtain passwords from other accounts through email.
    • Theft of payment system accounts.
    • Blocking a computer, encrypting user files for the purpose of blackmail and extortion of funds. In most cases, after payment, the computer either does not unlock or is soon blocked a second time.
    • Using a telephone modem to make expensive calls, which results in significant telephone bills.
    • Paid software that imitates, for example, an antivirus, but does nothing useful.
  • Other illegal activities:
    • Obtaining unauthorized (and/or free) access to the resources of the computer itself or to third-party resources accessible through it, including direct control of the computer (a so-called backdoor).
    • Organizing open relays (find the meaning of the term) and public proxy servers on the computer.
    • An infected computer (including as part of a botnet) can be used to carry out DDoS attacks.
    • Collecting email addresses and distributing spam, including as part of a botnet.
    • Cheating in electronic voting and on advertising banner clicks.
    • Generating coins of the Bitcoin payment system.
    • Causing harm to human health. For example:
      • Displaying images on a computer screen that are dangerous for the faint of heart. For example, if a person suffers from photosensitive epilepsy, flickering light and high contrast may trigger seizures.
  • Files that are not truly malicious, but in most cases unwanted:
    • Comic software that does some things that bother the user.
    • Adware - software that shows advertising.
    • Spyware - software that sends information over the Internet without the user's authorization.
    • “Poisoned” documents that destabilize the software that opens them (for example, an archive less than a megabyte in size can contain gigabytes of data and “hang” the archiver for a long time).
    • Remote administration programs can be used both to remotely solve computer problems and for nefarious purposes.
    • Rootkit (find the meaning of a word) is needed to hide other malware from prying eyes.
    • Sometimes malware for its own “life support” installs additional utilities: IRC clients, software routers, open keyboard interception libraries... Such software is not malicious, but due to the fact that there is often a truly malicious program behind it, it is detected by antiviruses. It even happens that only a one-line script is malicious, while the rest of the programs are completely legitimate.

By reproduction method

Symptoms of infection

  • automatic opening of windows with unfamiliar content when the computer starts;
  • blocking of access to the official websites of antivirus companies, or to websites that provide services for “treating” computers from malware;
  • the appearance of new unknown processes in the “Processes” tab of the Windows Task Manager;
  • the appearance of new entries in the registry branches responsible for autostart;
  • a prohibition on changing computer settings in the administrator account;
  • inability to run an executable file (an error message is displayed);
  • the appearance of pop-ups or system messages with unusual text, including those containing unknown web addresses and names;
  • the computer restarting while a program is starting;
  • random and/or spontaneous shutdown of the computer;
  • random crashes of programs.

However, it should be taken into account that even in the absence of symptoms, the computer may be infected with malware.

The problem of virus protection must be considered in the general context of the problem of protecting information from unauthorized access and of the technological and operational security of software in general. The basic principle that should underlie the development of virus protection technology is the creation of a multi-level distributed protection system, including:

  • regulation of work on a PC;
  • application software protection;
  • use of special hardware protection.

In this case, the number of protection levels depends on the value of the information processed on the PC.

The following methods are currently used to protect against computer viruses.

Archiving. It consists of copying the system areas of magnetic disks and maintaining daily archives of changed files. Archiving is one of the main methods of protecting against viruses. Other methods of protection complement it, but cannot replace it completely.

Incoming control. Checking all incoming programs with detectors, as well as checking the lengths and checksums of newly received programs against the values specified in the documentation. Most known file and boot viruses can be detected at the incoming inspection stage. For this purpose a battery of detectors (several sequentially launched programs) is used. The range of detectors is quite wide and is constantly updated as new viruses appear. However, not all viruses can be detected, only those recognized by the detector. The next element of incoming control is a contextual search in files for words and messages that may belong to a virus (for example, Virus, COMMAND.COM, Kill, etc.). The absence of text strings in the last 2-3 kilobytes of a file is suspicious: this may be a sign of a virus that encrypts its body.

The described control can be performed using a special program that works with a database of “suspicious” words and messages and generates a list of files for further analysis. After the analysis, it is recommended to operate new programs in quarantine mode for several days. In this case it is advisable to use calendar acceleration, i.e. to change the current date when restarting the program. This allows detection of viruses that trigger on certain days of the week (Friday, the 13th of the month, Sunday, etc.).
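An added example, not part of the original text, of the incoming-control program described here together with the detectors of the first section: it checks a file image's length against a documented value, searches for signatures and for the suspicious words the text names, and flags a file whose last 3 kilobytes contain no text strings. The signatures and the sample file images are constructed for the demonstration and are not real virus data.

```python
# Bytes that count as text: printable ASCII plus tab, newline and carriage return.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed signatures standing in for stable byte sequences taken from known
# virus bodies; these values are made up for the demonstration.
SIGNATURES = {
    "Demo.Appender": b"\xe9\x00\x10\x90\x90\xcd\x21",
    "Demo.Overwriter": b"OVERWRITE-BODY",
}

# Words the text names as worth a contextual search.
SUSPICIOUS_WORDS = [b"Virus", b"COMMAND.COM", b"Kill"]

TAIL_LEN = 3 * 1024  # the "last 2-3 kilobytes" of the file
MIN_RUN = 4          # shortest run of printable bytes that counts as a text string


def printable_strings(data, min_run=MIN_RUN):
    """Return the runs of at least min_run printable bytes in data (like the strings utility)."""
    runs, current = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            current.append(b)
        else:
            if len(current) >= min_run:
                runs.append(bytes(current))
            current = bytearray()
    if len(current) >= min_run:
        runs.append(bytes(current))
    return runs


def scan_signatures(data, signatures=SIGNATURES):
    """Detector step: names of the known signatures that occur anywhere in the file."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def incoming_check(data, documented_size=None, words=SUSPICIOUS_WORDS):
    """Run the incoming-control checks on one file image and return a list of findings."""
    findings = []
    if documented_size is not None and len(data) != documented_size:
        findings.append(f"size {len(data)} differs from documented {documented_size}")
    for name in scan_signatures(data):
        findings.append(f"signature match: {name}")
    for w in words:
        if w in data:
            findings.append(f"suspicious word: {w.decode()}")
    if not printable_strings(data[-TAIL_LEN:]):
        findings.append("no text strings in the last 3 KB (possibly encrypted body)")
    return findings


def constructed_samples():
    """Two made-up file images: a clean program and the same program with an appended body."""
    clean = b"MZ" + b"\x00" * 64 + b"Usage: copy source target\r\n" * 100
    # The appended body carries a signature, a suspicious message and then a
    # textless tail (every byte >= 0x80) standing in for an encrypted virus body.
    textless_tail = bytes(0x80 | (i % 128) for i in range(TAIL_LEN))
    infected = (clean + SIGNATURES["Demo.Appender"]
                + b"Your disk will be Killed" + textless_tail)
    return clean, infected


if __name__ == "__main__":
    clean, infected = constructed_samples()
    print(incoming_check(clean, documented_size=len(clean)))     # []
    print(incoming_check(infected, documented_size=len(clean)))  # four findings
```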

    Prevention. To prevent infection, it is necessary to organize separate storage (on different magnetic media) of newly received and previously used programs, minimizing periods of availability of floppy disks for recording, and dividing common magnetic media between specific users.

    Revision. Analysis of newly received programs using special tools (detectors), integrity monitoring before reading information, as well as periodic monitoring of the state of system files.

    Quarantine. Each new program is checked for known types of viruses over a certain period of time. For these purposes, it is advisable to allocate a special PC on which no other work is carried out. If it is impossible to allocate a PC for software quarantine, a machine that is disconnected from the local network and does not contain particularly valuable information is used for this purpose.

    Segmentation. Dividing the magnetic disk into several logical volumes (partitions), some of which are given READ_ONLY status. Executable programs and system files are kept on these partitions; databases are kept on other partitions, separate from the programs that process them. Removing a large part of the executable modules from the reach of file viruses is an important preventive measure. The method relies on a special driver that assigns the READ_ONLY attribute to individual logical volumes and also supports password-controlled access. The software components most exposed to infection (executable programs, system utilities, database management systems and translators) are placed on the write-protected partitions. A program such as Advanced Disk Manager (a hard-disk formatting and preparation tool) can serve as this driver: it not only splits the disk into partitions but also controls access to them with passwords. The number and size of the logical volumes depend on the tasks being solved and on the size of the hard disk; 3-4 logical volumes are recommended, and the system disk from which the machine boots should hold the minimum number of files (system files, the shell and trap programs).

    Filtration. It consists of using watchdog programs to detect attempts to perform unauthorized actions.

    Vaccination. Special processing of files and disks that simulates a combination of conditions that are used by some type of virus to determine whether a program is already infected or not.

    Automatic integrity control. It consists in using special algorithms that allow, after starting the program, to determine whether changes have been made to its file.

    Therapy. It involves the deactivation of a specific virus in infected programs by special programs (phages). Phage programs “bite” the virus out of the infected program and try to restore its code to its original state (the state before the moment of infection). In general, the technological protection scheme may consist of the following stages:

      input control of new programs;

      segmentation of information on a magnetic disk;

      protecting the operating system from infection;

      systematic control of information integrity.

    It should be noted that you should not strive to provide global protection for all files on the disk. This significantly impedes operation, reduces system performance, and ultimately reduces security due to frequent work in open mode. Analysis shows that only 20-30% of files should be write protected.

    When protecting the operating system from viruses, it and a number of utilities must be placed so that, after the initial boot, the operating system is not yet infected with a resident file virus. This is achieved by keeping the command processor on a write-protected disk from which, after the initial boot, it is copied to a virtual (RAM) disk. During a virus attack only the duplicate of the command processor on the virtual disk can then be infected; on reboot the contents of the virtual disk are destroyed, so the virus cannot spread through the command processor.

    In addition, to protect the operating system, a non-standard command processor can be used (for example, the 4DOS command processor developed by J.P. Software), which is more resistant to infection. Placing a working copy of the shell on a virtual disk allows it to be used as a decoy program. For this, a special program can be used that periodically monitors the integrity of the command processor and informs about its violation. This allows for early detection of a virus attack.

    As an alternative to MS DOS, several operating systems have been developed that are more resistant to infection. Of these, DR DOS and Hi DOS should be noted. Any of these systems is more “virus-resistant” than MS DOS. Moreover, the more complex and dangerous the virus, the less likely it is that it will work on an alternative operating system.

    An analysis of the considered methods and means of protection shows that effective protection can be ensured through the integrated use of various means within a single operating environment. To do this, it is necessary to develop an integrated software package that supports the considered protection technology. The software package should include the following components.

      Family (battery) of detectors. Detectors included in the family must be launched from the operating environment of the complex. At the same time, it should be possible to connect new detectors to the family, as well as specify the parameters for their launch from the dialog environment. Using this component, software testing can be organized at the incoming inspection stage.

      Virus trap program. This program is generated while the complex is running, i.e. it is not stored on disk, so the original cannot be infected. During testing of the PC the trap program is executed repeatedly with the current date and time changed (an accelerated calendar). At every launch the trap program also checks its own integrity (size, checksum, creation date and time). If infection is detected, the complex switches to analysing the infected trap program and tries to determine the type of virus.

      Vaccination program. Designed to change the operating environment of viruses so that they lose their ability to reproduce. A number of viruses are known to mark infected files to prevent re-infection. Using this property, it is possible to create a program that processes files in such a way that the virus believes that they are already infected.

      Database about viruses and their characteristics. It is expected that the database will store information about existing viruses, their features and signatures, as well as the recommended treatment strategy. Information from the database can be used when analyzing an infected decoy program, as well as at the stage of incoming software control. In addition, based on the information stored in the database, recommendations can be made on the use of the most effective detectors and phages for treatment against a specific type of virus.

      Resident protection. These tools reside in memory and continuously monitor the integrity of system files and the shell. The check can be triggered by timer interrupts or by read and write operations on a file.

        We now turn to the simplest ways of neutralizing viruses, in particular those that block the Windows 7 user's desktop (the Trojan.Winlock family). Such viruses do not hide their presence in the system; on the contrary, they advertise it, making it extremely difficult to do anything other than enter a special "unlock code", which supposedly can be obtained by paying the attackers a certain sum by SMS or by topping up a mobile phone account through a payment terminal. The goal is to force the user to pay, sometimes quite a lot. A window appears with a threatening warning that the computer has been blocked for using unlicensed software, visiting undesirable sites or something similar, intended to scare the user. In addition, the virus prevents any actions in the Windows environment: it blocks the key combinations that open the Start menu, the Run dialog, Task Manager and so on, and the mouse pointer cannot be moved outside the virus window. As a rule, the same picture is seen when Windows is booted into safe mode. The situation seems hopeless, especially without a second computer or the ability to boot another operating system or removable media (a Live CD, ERD Commander, an anti-virus rescue disk). Nevertheless, in the vast majority of cases there is a way out.

        New technologies in Windows Vista / Windows 7 have made it much harder for malware to gain full control of the system, and they give users additional ways to get rid of it fairly easily even without anti-virus software: the system can be booted in safe mode with command prompt support, and monitoring and recovery tools can be launched from there. Out of habit, and because this mode was implemented rather poorly in earlier versions of Windows, many users simply do not use it, which is a mistake. The Windows 7 command prompt has no desktop (which a virus may block), but most programs can be launched from it: the registry editor, Task Manager, the System Restore utility and so on.

    Removing a virus by rolling back the system to a restore point

        A virus is an ordinary program: even if it sits on the computer's hard disk, as long as it has no way to start automatically at system boot or user logon it is as harmless as, say, a text file. Once the automatic launch of the malicious program is blocked, the task of getting rid of it can be considered done. The main autostart method used by viruses is a set of registry entries created when the virus installs itself into the system; delete those entries and the virus is neutralized. The easiest way to do that is a system restore using restore point data. A restore point is a copy of important system files, kept in a special directory ("System Volume Information") and containing, among other things, copies of the Windows registry files. Rolling the system back to a restore point created before the infection yields a registry without the entries made by the intruding virus, which removes its automatic start, i.e. gets rid of the infection even without anti-virus software. This simple and quick method removes the majority of viruses, including those that block the Windows desktop. Naturally, a blocker that modifies the hard disk's boot sectors (the MBRLock virus) cannot be removed this way: a rollback does not touch the boot records, and Windows cannot be booted into safe mode with command prompt support at all, because the virus takes control before the Windows boot loader. Such an infection requires booting from other media and restoring the infected boot records. There are relatively few such viruses, however, and in most cases a rollback to a restore point is enough.

    1. At the very beginning of the boot, press F8. The Windows boot manager menu with the available boot options is displayed.

    2. Select the boot option "Safe Mode with Command Prompt".

    After the boot completes and the user logs on, a cmd.exe command processor window is displayed instead of the usual Windows desktop.

    3. Start the System Restore tool by typing rstrui.exe and pressing ENTER.

    Switch to "Choose a different restore point" and, in the next window, tick "Show more restore points".

    After selecting a restore point you can view the list of programs that will be affected by the rollback (the "Scan for affected programs" button):

    The affected programs are those installed after the restore point was created; they may need to be reinstalled because their registry entries will be missing.

    After clicking the "Finish" button, the system recovery process will begin. Upon completion, Windows will restart.

    After the reboot, a message will be displayed indicating the success or failure of the rollback and, if successful, Windows will return to the state that corresponded to the date the restore point was created. If the desktop lock does not stop, you can use a more advanced method presented below.
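    The same selection can be scripted. The block below is an added example, not part of the original article: it lists the restore points from an elevated PowerShell prompt (powershell.exe can be started from the cmd.exe window in "Safe Mode with Command Prompt", provided the WMI service is running; otherwise use rstrui.exe as described above) and picks the newest point created before the infection. The infection date is an assumption to be replaced with the real one; only cmdlets available in the PowerShell 2.0 shipped with Windows 7 are used.

```powershell
# Added example (not from the original article): choose the restore point to roll back to.
# Run from an elevated PowerShell prompt.

function Get-RestorePointTable {
    # Get-ComputerRestorePoint returns WMI SystemRestore objects whose CreationTime is a
    # DMTF string such as "20130114083015.123456-000", not a DateTime; convert it first.
    Get-ComputerRestorePoint | ForEach-Object {
        New-Object PSObject -Property @{
            SequenceNumber = $_.SequenceNumber
            Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description    = $_.Description
            Type           = $_.RestorePointType
        }
    } | Sort-Object Created
}

function Select-RestorePointBefore {
    param(
        [Parameter(Mandatory = $true)][datetime]$Infected,   # when the blocker first appeared
        [object[]]$Points = (Get-RestorePointTable)
    )
    # Newest point strictly older than the infection time; nothing is returned if none qualifies.
    $Points | Where-Object { $_.Created -lt $Infected } | Sort-Object Created | Select-Object -Last 1
}

Get-RestorePointTable | Format-Table SequenceNumber, Created, Type, Description -AutoSize

# Assumption: the blocker appeared on the date below; adjust it to the actual case.
$point = Select-RestorePointBefore -Infected (Get-Date '2013-01-15')
if ($point) {
    "Rolling back to #$($point.SequenceNumber) from $($point.Created): $($point.Description)"
    # Restore-Computer reboots the machine; uncomment to actually perform the rollback.
    # Restore-Computer -RestorePoint $point.SequenceNumber -Confirm
} else {
    'No restore point older than the infection exists; use msconfig or the registry method instead.'
}

# After the reboot, the outcome of the last rollback can be read with:
# Get-ComputerRestorePoint -LastStatus
```

    The conversion of CreationTime is the detail most often missed: the raw string sorts correctly only by accident, and comparing it with a real date silently gives wrong results, which matters when the point of the exercise is to land before the infection.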

    Removing a virus without rolling back the system to a restore point

        Restore point data may be missing from the system for various reasons, the restore procedure may end with an error, or the rollback may not help. In that case the System Configuration utility MSCONFIG.EXE can be used. As before, boot Windows in safe mode with command prompt support and, in the cmd.exe window, type msconfig.exe and press ENTER.

    On the General tab, the following Windows startup modes can be selected:

    Normal startup - the usual system boot.
    Diagnostic startup - only the minimum required system services and user programs are started at boot.
    Selective startup - the list of system services and user programs launched at boot is specified manually.

    To eliminate a virus, the easiest way is to use a diagnostic launch, when the utility itself determines a set of programs that automatically start. If in this mode the virus stops blocking the desktop, then you need to move on to the next step - determine which program is a virus. To do this, you can use the selective launch mode, which allows you to enable or disable the launch of individual programs manually.

    The Services tab enables or disables the launch of system services whose startup type is Automatic. An unchecked box before a service name means it will not be started at boot. At the bottom of the MSCONFIG window there is a "Hide all Microsoft services" checkbox which, when set, leaves only third-party services in the list.

    Note that with the standard security settings of Windows Vista / Windows 7 the probability of infection by a virus that installs itself as a system service is very small, so traces of the virus should be sought in the list of automatically launched user programs (the Startup tab).

    Just as on the Services tab, the automatic launch of any program in the list shown by MSCONFIG can be enabled or disabled. If a virus is started through the standard autorun registry keys or the contents of the Startup folder, msconfig can not only neutralize it but also reveal the path and name of the infected file.

    The msconfig utility is a simple and convenient tool for configuring the automatic startup of services and applications that start in the standard way for operating systems of the Windows family. However, virus authors often use techniques that allow them to launch malicious programs without using standard autorun points. You can most likely get rid of such a virus using the method described above by rolling back the system to a restore point. If a rollback is not possible and using msconfig did not lead to a positive result, you can use direct editing of the registry.

        While fighting a virus the user often has to perform a hard reboot with Reset or by cutting the power. This can leave the system in a state where it begins to boot normally but never reaches the logon screen: the computer hangs because the logical structure of some system files was damaged by the improper shutdown. To fix this, boot into safe mode with command prompt support, as in the previous cases, and run the system disk check:

    chkdsk C: /F - check drive C: and fix the errors found (the /F switch)

    Because the system disk is in use by system services and applications while chkdsk is running, chkdsk cannot obtain exclusive access to it. The user is therefore shown a warning and offered to run the check at the next restart. After answering Y, an entry is written to the registry so that the disk check starts when Windows restarts; once the check completes, the entry is removed and Windows continues booting normally without user intervention.

    Eliminating the possibility of a virus running using the Registry Editor.

        To start the registry editor, boot Windows in safe mode with command prompt support as in the previous case, type regedit.exe in the cmd.exe window and press ENTER.

        With standard security settings, Windows 7 is protected against many of the malware launch methods that were used against earlier Microsoft operating systems. Viruses that install their own drivers and services, reconfigure the WINLOGON components to load their own executable modules, or modify registry keys that apply to all users: all these methods either do not work in Windows 7 or require so much effort that they are practically never used. Typically, registry changes that let a virus run are made only with the permissions available to the current user, i.e. under HKEY_CURRENT_USER.

    To demonstrate the simplest desktop-blocking mechanism, substitution of the user shell, and the inability of MSCONFIG to detect and remove such a virus, one can run the following experiment: instead of a virus, edit the registry yourself so that, for example, a command prompt appears instead of the desktop. The familiar desktop is created by Windows Explorer (Explorer.exe) running as the user shell, which is controlled by the Shell value in the registry keys

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - for all users.
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - for the current user.

    The Shell value is a string holding the name of the program used as the shell when the user logs on. In a standard installation the current user's key (HKEY_CURRENT_USER, abbreviated HKCU) has no Shell value, so the value from the all-users key (HKEY_LOCAL_MACHINE, abbreviated HKLM) is used.

    This is what the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key looks like in a standard Windows 7 installation:

    If a Shell string value with the content "cmd.exe" is added to this key, then at the current user's next logon cmd.exe is launched instead of the standard Explorer-based shell, and a command prompt window appears instead of the usual Windows desktop.

    Naturally, any malicious program can be launched in the same way, and the user gets a porn banner, a blocker or other nastiness instead of a desktop.
    Changing the all-users key (HKLM...) requires administrative privileges, so viruses usually modify the current user's key (HKCU...).

    If, continuing the experiment, we run msconfig, we can see that cmd.exe does not appear in its lists of automatically launched programs, because it runs as the user shell. A system rollback would, of course, return the registry to its original state and remove the virus's autostart, but if that is impossible for some reason the only remaining option is direct registry editing. To return to the standard desktop, simply delete the Shell value or change it from "cmd.exe" to "explorer.exe", then log off and log on again or reboot. The registry can be edited with the Registry Editor started from the command line (regedit.exe) or with the console utility REG.EXE. Example command line removing the Shell value (REG asks for confirmation; add /f to suppress the prompt):

    REG delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

    Shell substitution, as in the example above, is today one of the most common techniques used by viruses in Windows 7. The fairly high level of security of the standard settings keeps malware away from the registry keys that were used for infection in Windows XP and earlier. Even when the current user is a member of the Administrators group, access to the vast majority of registry settings used for infection requires running the program as administrator; this is why malware modifies keys the current user is allowed to write (HKCU...). The second important factor is the difficulty of writing program files into system directories. For this reason most viruses in Windows 7 launch their executable files (.exe) from the current user's temporary files directory (Temp). When analysing the program autostart points in the registry, attention should first be paid to programs located in the temporary directory, usually C:\USERS\username\AppData\Local\Temp. The exact path can be seen in Control Panel under System Properties - "Environment Variables", or on the command line:

    set temp
    or
    echo %temp%

    Searching the registry for the string corresponding to the temporary directory name or for the %TEMP% variable is another useful way to find viruses: legitimate programs practically never keep a permanent autostart entry pointing into TEMP (an installer may run from there once, but not at every logon).

    For a full list of possible autostart points it is convenient to use the Autoruns program from the Sysinternals Suite.
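    Before reaching for Autoruns, the autostart points discussed above can be audited from the command prompt. The script below is an added example, not the article's own tooling: it lists the Run/RunOnce keys, the Winlogon Shell and Userinit values and the Startup folders, and flags entries that launch from the temporary directory or replace Explorer as the shell (the cmd.exe experiment from the previous section shows up as suspicious). The Startup folder paths are the Windows 7 defaults and are an assumption; the script is read-only unless Repair-UserShell is called explicitly.

```powershell
# Added example (not from the original article): audit the standard Windows 7 autostart points.
# Start powershell.exe from the cmd.exe prompt in "Safe Mode with Command Prompt".

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinlogonKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Assumed default locations of the per-user and all-users Startup folders.
$StartupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Provider metadata that Get-ItemProperty adds to every result; not real registry values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-SuspiciousCommand {
    param([string]$Command)
    # Suspicious if the command points into %TEMP%/%TMP% (literally or expanded) or into
    # the per-user AppData\Local\Temp path even when TEMP was redirected elsewhere.
    $patterns = @('%TEMP%', '%TMP%', 'AppData\\Local\\Temp')
    foreach ($v in $env:TEMP, $env:TMP) { if ($v) { $patterns += [regex]::Escape($v) } }
    foreach ($p in $patterns) { if ($Command -match $p) { return $true } }
    return $false
}

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($MetaProps -contains $p.Name) { continue }
            $entries += New-Object PSObject -Property @{
                Location = $key; Name = $p.Name; Command = [string]$p.Value
                Suspicious = Test-SuspiciousCommand ([string]$p.Value)
            }
        }
    }
    foreach ($key in $WinlogonKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'Shell', 'Userinit') {
            $value = [string]$props.$name
            if (-not $value) { continue }           # HKCU normally has no Shell value at all
            # Shell must be explorer.exe, Userinit must be userinit.exe (a trailing comma is normal).
            $expected = if ($name -eq 'Shell') { 'explorer.exe' } else { 'userinit.exe' }
            $bad = ($value -notmatch ('^(.*\\)?' + [regex]::Escape($expected) + ',?\s*$')) -or
                   (Test-SuspiciousCommand $value)
            $entries += New-Object PSObject -Property @{
                Location = $key; Name = $name; Command = $value; Suspicious = $bad
            }
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        # Anything here runs at logon, so every file is listed; TEMP paths are flagged as above.
        Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $entries += New-Object PSObject -Property @{
                Location = $folder; Name = $_.Name; Command = $_.FullName
                Suspicious = Test-SuspiciousCommand $_.FullName
            }
        }
    }
    $entries
}

function Repair-UserShell {
    # Removes a per-user Shell override (the cmd.exe experiment or a blocker), so the
    # explorer.exe value from HKLM applies again at the next logon.
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Shell) {
        Remove-ItemProperty -Path $key -Name Shell
    }
}

Get-AutostartEntries | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Name, Command, Location -AutoSize -Wrap
```

    The Winlogon check is the part msconfig cannot do: a shell substitution never appears in its Startup list, while here a Shell value of "cmd.exe" (or any path under Temp) is reported in the first rows of the table. Autoruns covers far more locations (services, drivers, scheduled tasks, shell extensions) and remains the tool to use once the obvious entries have been cleared.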

    The simplest ways to remove blockers of the MBRLock family

    Malicious programs can take control of a computer not only by infecting the operating system but also by modifying the boot sector records of the disk the machine boots from. The virus replaces the boot sector data of the active partition with its own code, so that instead of Windows a simple program loads and displays a ransom message demanding money for the crooks. Since the virus gains control before the system boots, there is only one way around it: boot from other media (CD/DVD, external drive, etc.) into any operating system that can restore the boot sector code. The easiest option is a Live CD / Live USB, usually offered free of charge by most anti-virus vendors (Dr.Web LiveCD, Kaspersky Rescue Disk, Avast! Rescue Disk, etc.). Besides restoring the boot sectors, these products can scan the file system for malware and remove or disinfect infected files. Failing that, booting any Windows PE (an installation disk, the ERD Commander emergency recovery disk) is enough to restore normal booting. Usually, reaching a command prompt and running one command suffices:

    bootsect /nt60 /mbr <system drive letter>:

    bootsect /nt60 /mbr E: - restore the boot sectors of drive E:. The letter must be that of the drive the virus-damaged system boots from; in a Windows PE environment it is not necessarily C:.

    Or, for Windows versions before Windows Vista:

    bootsect /nt52 /mbr <system drive letter>:

    The bootsect.exe utility can reside not only in system directories but on any removable media; it runs under any Windows operating system and restores the boot sector code without touching the partition table or the file system. The /mbr switch additionally rewrites the bootstrap code of the master boot record (MBR). It is as a rule not needed, since viruses of this kind do not (or at least did not at the time of writing) modify the MBR; but because /mbr rewrites only the bootstrap code and leaves the partition table and disk signature intact, it does no harm to include it.
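    To see exactly what bootsect /mbr does and does not touch, it helps to look at the structure of the 512-byte master boot record. The block below is an added example, not from the article: ConvertFrom-Mbr parses a sector into its bootstrap code (bytes 0-439, the part /mbr rewrites), the disk signature at 0x1B8, the four partition entries at 0x1BE and the 0x55AA signature at 0x1FE. The sample MBR is constructed for the demonstration; Read-FirstSector reads the real one and assumes an elevated prompt, a 512-byte-sector disk and that .NET can open the \\.\PhysicalDrive0 device path.

```powershell
# Added example (not from the original article): parse a master boot record.

function Read-FirstSector {
    param([string]$Device = '\\.\PhysicalDrive0')   # assumed device path; needs elevation
    $fs = New-Object System.IO.FileStream -ArgumentList @(
        $Device, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
        if ($read -ne 512) { throw "short read: $read bytes" }
        return $buf
    } finally { $fs.Close() }
}

function ConvertFrom-Mbr {
    param([Parameter(Mandatory = $true)][byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw 'an MBR is exactly 512 bytes' }
    $partitions = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 0x1BE + 16 * $i                      # 16-byte partition entry
        if ($Sector[$o + 4] -eq 0) { continue }   # type 0 = empty slot
        $partitions += New-Object PSObject -Property @{
            Index    = $i
            Active   = ($Sector[$o] -eq 0x80)     # 0x80 = bootable flag
            Type     = ('0x{0:X2}' -f $Sector[$o + 4])
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)    # little-endian
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    # Bootstrap code that is entirely zero means nothing can boot from this disk at all.
    $codeZero = $true
    for ($j = 0; $j -lt 440; $j++) { if ($Sector[$j] -ne 0) { $codeZero = $false; break } }
    New-Object PSObject -Property @{
        ValidSignature  = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        DiskSignature   = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 0x1B8))
        BootstrapIsZero = $codeZero
        Partitions      = $partitions
    }
}

function New-SampleMbr {
    # Constructed sample: one active NTFS (0x07) partition starting at LBA 2048, 204800 sectors
    # (100 MB); the bootstrap area holds a NOP placeholder instead of real x86 code.
    $s = New-Object byte[] 512
    for ($j = 0; $j -lt 440; $j++) { $s[$j] = 0x90 }
    [BitConverter]::GetBytes([uint32]0x1234ABCD).CopyTo($s, 0x1B8)   # disk signature
    $s[0x1BE] = 0x80; $s[0x1BE + 4] = 0x07
    [BitConverter]::GetBytes([uint32]2048).CopyTo($s, 0x1BE + 8)
    [BitConverter]::GetBytes([uint32]204800).CopyTo($s, 0x1BE + 12)
    $s[510] = 0x55; $s[511] = 0xAA
    return $s
}

$mbr = ConvertFrom-Mbr -Sector (New-SampleMbr)
$mbr | Format-List ValidSignature, DiskSignature, BootstrapIsZero
$mbr.Partitions | Format-Table Index, Active, Type, StartLba, Sectors -AutoSize
# On a live machine (elevated):  ConvertFrom-Mbr -Sector (Read-FirstSector)
```

    Running ConvertFrom-Mbr against a disk before and after bootsect /mbr shows that the disk signature and the partition entries are identical in both dumps; only the first 440 bytes change. The boot sector of the active partition, which is what bootsect /nt60 itself rewrites, lives at the StartLba shown for the active entry, not in this sector.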

    Encryption viruses and new problems of saving user data.

    Besides blocking the computer, ransomware viruses encrypt the user's files, whose loss can have serious consequences and which the victim is willing to pay to recover. Such encrypting viruses generally use serious encryption techniques that make recovery impossible without the keys, which the attackers offer to sell for considerable sums, with no guarantees. The victim then has several options: give up the data for good, pay the extortionists with no guarantee of recovery, or turn to data-recovery professionals. Recovering data yourself is possible given enough knowledge and skill, or when the loss is not so serious if the attempt fails. Full recovery of everything will not work, but with some luck a significant part of the information can be returned. Some examples:

    Recovering data from shadow copies of volumes - about shadow copies and the ability to recover files from shadow copies of volumes.

    Recuva - Use the free Recuva program from Piriform to recover deleted files and files from shadow copies of volumes.

    With the arrival of a new generation of ransomware viruses the problem of user data safety has become much more acute. Viruses not only encrypt documents, archives, photos, videos and other files, but do everything possible to prevent even partial recovery by the victim. For example, ransomware attempts to delete volume shadow copies with the vssadmin command; when User Account Control (UAC) is disabled this happens unnoticed and reliably rules out restoring previous versions of files or using software that extracts data from shadow copies (Recuva, the standard Windows tools, etc.). Given the strong encryption algorithms, even partial recovery of the encrypted data becomes a very hard task, feasible only for professionals in this field. Today there is perhaps only one way to protect against complete data loss: automatic backups with copies stored where viruses cannot reach them (offline media, or a location the logged-on user cannot write to), or "time machine" software that takes snapshots of the file system and can roll back to any of them. Such software does not rely on the standard file system; it has its own boot loader and controls that work independently, without booting Windows, which stops malware from taking full control of the recovery tools, and it has practically no effect on Windows performance. Examples are the commercial products of Horizon DataSys and the free Comodo Time Machine and Rollback Rx Home.
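    Two checks around the shadow-copy deletion described above, as an added example that is not part of the article: Get-ShadowCopyInventory shows which previous versions still exist on the machine, and Find-ShadowCopyDeletion flags process command lines that wipe them. The command lines fed to it are constructed; on a real system they would come from process-creation auditing with command-line logging (Security event 4688, or Sysmon event 1). The vssadmin delete shadows rule matches what the text describes; the resize shadowstorage rule is an addition of this example, since shrinking the shadow storage to a tiny /maxsize is another way ransomware forces the copies to be discarded.

```powershell
# Added example (not from the original article): inventory shadow copies and detect their deletion.

function Get-ShadowCopyInventory {
    # Needs an elevated prompt. Win32_ShadowCopy.InstallDate is a DMTF timestamp string; convert it.
    Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
        New-Object PSObject -Property @{
            Id      = $_.ID
            Volume  = $_.VolumeName
            Created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
        }
    } | Sort-Object Created
}

function Find-ShadowCopyDeletion {
    param([Parameter(Mandatory = $true)][string[]]$CommandLines)
    # Matching is case-insensitive (-match default) and tolerates quotes, an .exe suffix and
    # extra whitespace, because ransomware usually goes through cmd.exe /c "...".
    $rules = @(
        'vssadmin(\.exe)?["'']?\s+delete\s+shadows',
        'vssadmin(\.exe)?["'']?\s+resize\s+shadowstorage.*/maxsize='
    )
    foreach ($line in $CommandLines) {
        foreach ($r in $rules) {
            if ($line -match $r) {
                New-Object PSObject -Property @{ Rule = $r; CommandLine = $line }
                break      # one hit per command line is enough
            }
        }
    }
}

# Constructed sample command lines, as they would appear in process-creation events.
$sample = @(
    'C:\Windows\System32\cmd.exe /c "vssadmin.exe Delete Shadows /All /Quiet"',
    '"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    'vssadmin list shadows',
    'C:\Windows\explorer.exe'
)
Find-ShadowCopyDeletion -CommandLines $sample | Format-Table Rule, CommandLine -AutoSize -Wrap
# Expected: the first two lines are reported, the last two are not.

# Live inventory (elevated):  Get-ShadowCopyInventory | Format-Table Created, Volume, Id -AutoSize
```

    An empty inventory on a machine that had System Protection enabled is itself a strong indicator that the copies were deleted rather than never made, and is the point at which to stop relying on Recuva-style recovery and go to the offline backup.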

    Comodo Time Machine - a separate article about Comodo Time Machine and links to download the free version.

    Rollback Rx Home - separate article about Rollback Rx Home Edition by Horizon DataSys and links to download the free version.

    Classification of viruses

    Since the general problem of virus detection is undecidable, in practice one has to solve particular problems of combating particular cases of malware.

    Depending on the characteristic properties of viruses, various methods can be used to detect and neutralize them. This raises the question of classifying malware, which is what this chapter is devoted to.

    Note that in practice the classifications adopted by different anti-virus vendors differ, although they are built on similar principles. Therefore the principles are formulated first, followed by examples from the classification used by Kaspersky Lab.

    Defining a computer virus has historically been problematic: it is hard to give a clear definition that names properties unique to viruses and absent from other software. Conversely, once a virus is strictly defined as a program with certain properties, an example of a virus lacking those properties is found almost immediately.

    The mandatory (necessary) property of a computer virus is the ability to create duplicates of itself (not necessarily identical to the original) and to inject them into computer networks and/or files, system areas of the computer and other executable objects, the duplicates retaining the ability to spread further.

    Virus(according to GOST R 51188–98) – a program capable of creating copies of itself (not necessarily identical to the original) and introducing them into files, system areas of a computer, computer networks, as well as carrying out other destructive actions. At the same time, copies retain the ability to be further distributed. A computer virus is a type of malicious program.

    It is easy to notice that the definition in GOST almost completely repeats the definition of E. Kaspersky.

    These two definitions largely repeat F. Cohen's definition, or the refinement proposed by D. Chess and S. White, so the conclusion that no algorithm can detect all such programs, or even all "incarnations" of a single virus, extends to them. In practice, however, all known viruses are detected by anti-virus programs. This is achieved in part because damaged or defective copies of viruses, incapable of creating and injecting copies of themselves, are detected and classified together with the "full-fledged" ones. Hence, from the practical standpoint of detection algorithms, the ability to reproduce is not at all necessary for a program to be classified as a virus.

    Another problem associated with the definition of a computer virus lies in the fact that today a virus most often means not a “traditional” virus, but almost any malicious program. This leads to confusion in terminology, further complicated by the fact that almost all modern antiviruses are able to detect these types of malware, thus the association “malware – virus” is becoming more and more stable.

    Based on this, as well as on the purpose of anti-virus tools, in the future, unless otherwise specified, viruses will be understood as malicious programs.

    Malicious program: a computer program or portable code designed to implement threats to information stored in a computer system (CS), to make hidden misuse of CS resources, or to exert other influence that impedes the normal functioning of the CS. Malicious programs include computer viruses, Trojans, network worms, etc.

    Computer viruses, Trojan horses and worms are the main types of malware.

    5.1.1. Viruses

    Since the distinctive feature of viruses in the traditional sense is the ability to reproduce within a single computer, viruses are divided into types according to their methods of reproduction.

    The reproduction process itself can be divided into several stages:

    1. Computer penetration.

    2. Activation of the virus.

    3. Search for objects to infect.

    4. Preparation of virus copies.

    5. Introduction of viral copies.

    The implementation features of each stage give rise to attributes, the set of which actually determines the class of the virus.

    Viruses penetrate a computer along with infected files or other objects (for example, boot sectors of floppy disks) and, unlike worms, do not influence the penetration process themselves. Consequently, the possibilities for penetration are entirely determined by the possibilities for infection, and there is no point in classifying viruses separately by this stage of the life cycle.

    To activate the virus, the infected object must gain control. At this stage, viruses are divided according to the types of objects that can be infected:

    1. Boot viruses – viruses that infect boot sectors of permanent and removable media.

    Examples. The malicious program Virus.Boot.Snow.a writes its code to the MBR of the hard drive or to the boot sectors of floppy disks. The original boot sectors are encrypted by the virus. After receiving control, the virus remains resident in memory and intercepts the INT 10h, 1Ch and 13h interrupts. Sometimes the virus manifests itself through a visual effect: snow begins to fall on the computer screen.

    Another boot virus, Virus.Boot.DiskFiller, also infects the MBR of hard drives or the boot sectors of floppy disks, remains in memory and intercepts the INT 13h, 1Ch and 21h interrupts. When infecting floppy disks, the virus formats an additional track numbered 40 or 80 (depending on its size, a floppy disk has 40 or 80 tracks, numbered 0–39 or 0–79 respectively). It is on this non-standard track, outside the normally visible area, that the virus writes its code, adding to the boot sector only a small fragment: the head part of the virus.

    When infecting a hard drive, Virus.Boot.DiskFiller places its code directly behind the MBR, and in the MBR itself it changes the reference to the active boot sector so that it points to the sector where the virus is located.

    2. File viruses – viruses that infect files. This group is further divided into three depending on the environment in which the code is executed.

    File viruses proper – those that work directly with operating system resources.

    Examples. The most famous file virus of this group is Virus.Win9x.CIH, also known as “Chernobyl”. Being small (about 1 KB), the virus infects PE (Portable Executable) files on computers running Windows 95/98 in such a way that the size of infected files does not change. To achieve this, the virus looks for “empty” areas in files that arise because the beginning of each section of the file is aligned to a multiple of a certain number of bytes. After gaining control, the virus intercepts the IFS API, monitoring calls to the file access function and infecting executable files. On April 26 the destructive function of the virus is triggered: it erases the Flash BIOS and the initial sectors of the hard drives. The result is that the computer cannot boot at all (if the attempt to erase the Flash BIOS succeeded) or the data on all of the computer's hard drives is lost.

    Among the latest malware with viral functionality, we can mention Email-Worm.Win32.Bagle.p (as well as its modifications .q and .r). Being primarily a worm whose main distribution channel is email, Bagle.p also contains a function for infecting EXE files by appending polymorphic virus code to the end of them.

    Macro viruses – viruses written in a macro language and executed in the environment of an application. In the vast majority of cases these are macros in Microsoft Office documents.

    Examples. Some of the most destructive macro viruses are members of the Macro.Word97.Thus family. These viruses contain three procedures, Document_Open, Document_Close and Document_New, which replace the standard macros executed when a document is opened, closed or created, thereby infecting other documents. On December 13 the destructive function of the virus is triggered: it deletes all files on drive C:, including directories and subdirectories.

    The Macro.Word97.Thus.aa modification, in addition to the actions above, selects a random file on the local disk each time an infected document is opened and encrypts the first 32 bytes of that file, gradually rendering the system inoperable.

    Macro viruses can infect not only Microsoft Word and Excel documents. There are malicious programs that target other types of documents: Macro.Visio.Radiant infects files of the well-known diagramming program Visio, Virus.Acad.Pobresito infects AutoCAD documents, and Macro.AmiPro.Green infects documents of the once-popular Ami Pro word processor.

    Script viruses – viruses executed in the environment of a specific command shell: formerly BAT files in the DOS command shell, now more often VBS and JS scripts in the Windows Scripting Host (WSH).

    Examples. Virus.VBS.Sling is written in VBScript (Visual Basic Script). When launched, it looks for files with the .VBS or .VBE extension and infects them. If launched on June 16 or July 16, the virus deletes all files with the .VBS and .VBE extensions, including itself.

    Virus.WinHLP.Pluma.a is a virus that infects Windows help files. When an infected help file is opened, a viral script is executed which, using a non-trivial method (essentially a vulnerability in script processing), launches a certain string of code contained in the script for execution as a regular Windows file. The running code searches the disk for help files and injects an autorun script into their System area.

    During the era of DOS viruses, hybrid file-boot viruses were common. After the mass transition to operating systems of the Windows family, both boot viruses themselves and the hybrids mentioned have practically disappeared.

    Separately, it is worth noting that viruses designed to work in the environment of a specific OS or application turn out to be ineffective in other OSes and applications. Therefore, the environment in which a virus is capable of executing is identified as a separate attribute of the virus. For file viruses this is DOS, Windows, Linux, MacOS or OS/2; for macro viruses, Word, Excel, PowerPoint or Office. Sometimes a virus needs a specific version of the OS or application in order to operate correctly; then the attribute is specified more narrowly: Win9x, Excel97.

    At the stage of searching for objects to infect, viruses behave in one of two ways.

    1. Having received control, the virus performs a one-time search for victims, after which it transfers control to the object associated with it (the infected object).

    Example. Usually, when a new platform is being mastered, viruses of this type appear first. This is what happened when viruses appeared under DOS, under Windows 9x, under Windows NT and under Linux.

    One such virus is Virus.Multi.Pelf.2132, one of the few representatives of multi-platform viruses. This virus can infect both PE files and files in the ELF format (the executable file format under Linux). When launched, the virus searches the current directory (under both operating systems) and the directories above it (under Windows) for files of infectable formats (PE and ELF), determining the actual file format by its structure. After infecting the files found, the virus exits and returns control to the running file.

    2. Having received control, the virus somehow remains in memory and searches for victims continuously until the environment in which it runs is shut down.

    Example. Virus.DOS.Anarchy.6093 is also multi-platform in the sense that it is capable of infecting DOS COM and EXE files and Microsoft Word 6/7 documents. The virus can be activated at startup both in the DOS environment and in Windows 95. After launching, the virus intercepts the INT 21h interrupt and, under Windows, additionally modifies the VMM32.VXD driver (Virtual Memory Manager) in order to intercept file requests. When a COM, EXE or DOC file is started or opened, the virus infects it. In addition, the file version of the virus is polymorphic (see below), and every version has stealth functionality (see below).

    Viruses of the second type in the era of single-tasking DOS were usually called resident. With the transition to Windows, the problem of remaining in memory ceased to be relevant: almost all viruses executed in the Windows environment, as well as in the MS Office application environment, are viruses of the second type. Script viruses, by contrast, are viruses of the first type. Accordingly, the resident attribute is applicable only to DOS file viruses. Non-resident Windows viruses are possible, but in practice they are a rare exception.

    Separately, it makes sense to consider the so-called stealth viruses: viruses that, being constantly in memory, intercept calls to an infected file and remove the virus code from it on the fly, returning an unchanged version of the file in response to the request. In this way these viruses mask their presence in the system. To detect them, antivirus tools need the ability to access the disk directly, bypassing the operating system. Stealth viruses were most widespread in the DOS era.

    Virus signature – in a broad sense, information that makes it possible to determine unambiguously the presence of a given virus in a file or other code. Examples of signatures: a unique sequence of bytes present in a given virus and not found in other programs; a checksum of such a sequence.

    The process of preparing copies for distribution may differ significantly from simply copying. The authors of the most technologically complex viruses try to make different copies as dissimilar as possible to complicate their detection by antivirus tools. As a result, compiling a signature for such a virus is extremely difficult or even impossible.

    When creating copies for camouflage, the following technologies can be used:

    - encryption – the virus consists of two functional parts: the virus itself and the encryptor. Each copy of the virus consists of the encryptor, a random key, and the virus itself encrypted with this key;

    - metamorphism – creating different copies of the virus by replacing blocks of commands with equivalent ones, swapping pieces of code, and inserting between significant pieces of code “junk” commands that do practically nothing.

    The combination of these two technologies gives the following types of viruses.

    - encrypted virus – a virus that uses simple encryption with a random key and an immutable encryptor. Such viruses are easily detected by a signature on the encryptor;

    - metamorphic virus – a virus that applies metamorphism to its entire body in order to create new copies;

    - polymorphic virus – a virus that uses a metamorphic encryptor to encrypt the main body of the virus with a random key. Part of the information used to generate new copies of the encryptor may itself be encrypted. For example, a virus may implement several encryption algorithms and, when creating a new copy, change not only the encryptor's commands but also the algorithm itself.

    Polymorphic viruses can be divided into classes according to their level of polymorphism.

    The popularity of polymorphic viruses peaked in the DOS era. However, polymorphism was later used in many viruses and continues to be used today.

    Examples. The Email-Worm.Win32.Bagle.p mentioned above is a polymorphic virus.

    One of the most complex and relatively late polymorphic viruses is Virus.Win32.Etap. When a file is infected, the virus rebuilds and encrypts its own code, writes it into one of the sections of the infected file, and then looks in the file's code for a call to the ExitProcess function and replaces it with a call to the virus code. Thus the virus gains control not before the original code of the infected file executes, but after it.
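    As an added illustration of the signature definition above and of why an encrypted virus with an immutable encryptor is still caught by a signature on the encryptor (example code written for this page, not the textbook's or any antivirus vendor's), the scanner below supports both signature kinds the text names, a raw byte sequence and a checksum of such a sequence, and runs them over constructed, harmless stand-ins: a fake host file and three "copies" built from an unchanging stub, a one-byte key and a XOR-encrypted body. The stub, body and XOR scheme are constructed assumptions.

```python
"""Added example (not the textbook's or any antivirus vendor's code): a tiny
signature scanner illustrating the two signature kinds defined in the text and
the detectability of an encrypted virus through its immutable encryptor.
The "virus" here is a constructed, harmless byte string: STUB stands for the
unchanging encryptor, BODY for the part that gets encrypted."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str        # "bytes": raw sequence; "checksum": SHA-256 of the sequence
    pattern: bytes   # the sequence itself, or its digest for kind="checksum"
    length: int      # window length (needed for checksum matching)


def bytes_signature(name: str, seq: bytes) -> Signature:
    return Signature(name, "bytes", seq, len(seq))


def checksum_signature(name: str, seq: bytes) -> Signature:
    # Only the checksum is stored: the database never carries the raw sequence.
    return Signature(name, "checksum", hashlib.sha256(seq).digest(), len(seq))


def scan(data: bytes, signatures) -> list:
    """Return the names of all signatures that match `data`."""
    hits = []
    for sig in signatures:
        if sig.kind == "bytes":
            if sig.pattern in data:
                hits.append(sig.name)
        else:
            # Hash every window of the signature's length; O(n * window) is
            # fine for an illustration, a real scanner would use rolling hashes.
            for i in range(len(data) - sig.length + 1):
                if hashlib.sha256(data[i:i + sig.length]).digest() == sig.pattern:
                    hits.append(sig.name)
                    break
    return hits


# Constructed stand-in for an encrypted virus: an immutable encryptor STUB,
# followed by a one-byte random key and BODY XOR-ed with that key.
STUB = b"\x90\x90DECRYPT-LOOP\x90\x90"   # identical in every copy
BODY = b"virus-body:infect-routine"      # looks different in every copy once encrypted


def encrypted_copy(key: int) -> bytes:
    return STUB + bytes([key]) + bytes(b ^ key for b in BODY)


def host_file(appended: bytes) -> bytes:
    """A constructed 'infected' host: a fake header, some code, then the copy."""
    return b"MZ" + b"\x00" * 30 + b"host program code" + appended


SIGNATURES = [
    bytes_signature("encryptor-bytes", STUB),     # signature on the encryptor
    checksum_signature("encryptor-sum", STUB),    # same, stored as a checksum
    bytes_signature("body-bytes", BODY),          # signature on the plain body
]


def detection_matrix() -> dict:
    """Scan three copies made with different keys.
    Both encryptor signatures fire on every copy; the body signature fires
    only when the key is 0x00, i.e. when 'encryption' left the body unchanged."""
    return {key: scan(host_file(encrypted_copy(key)), SIGNATURES)
            for key in (0x00, 0x5A, 0xFF)}


if __name__ == "__main__":
    for key, hits in detection_matrix().items():
        print(f"key=0x{key:02X}: {hits}")
    print("clean host:", scan(host_file(b""), SIGNATURES))
```

    A polymorphic virus, by contrast, rewrites the stub itself in every copy, which is exactly what removes the stable sequence this scanner relies on.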

    The introduction of viral copies can be carried out by two fundamentally different methods:

    Injection of virus code directly into the infected object;

    Replacing an object with a viral copy. The object being replaced is usually renamed.

    For viruses, the first method is predominantly characteristic. The second method is much more often used by worms and Trojans, or more precisely by Trojan components of worms, since Trojans themselves do not spread.

    Example. One of the few mail worms that spread through the address book of The Bat!, Email-Worm.Win32.Stator.a, among other things infects some Windows files on the principle of a companion virus. In particular, the infected files include mplayer.exe, winhlp32.exe, notepad.exe, control.exe and scanregw.exe. On infection the files are renamed with the extension .VXD, and the virus creates copies of itself under the original names of the infected files. After gaining control, the virus launches the corresponding renamed original file.

    As a variant of the second method, the following technique was used in the DOS era. When the name of an executable file is typed without an extension, DOS searches in order first for a BAT file, then a COM file, and finally an EXE file. Accordingly, the virus copy was created in the same directory as the EXE file, duplicating its name and taking the COM extension. Thus, when an attempt was made to run this EXE file without explicitly specifying the extension, the virus was launched first.

    A similar technique can be used on Windows systems, but since most Windows users rarely run files from the command line, the effectiveness of this method is low.
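    Added example (not from the textbook): a defender's audit for the companion technique described above, run over a constructed directory listing. It applies the DOS search order (BAT, then COM, then EXE) to find EXE files that a same-named BAT or COM would shadow, and also flags the renamed-original pattern of Stator (an EXE beside a .VXD of the same stem). The listing and the choice to treat every such pair as worth a look are assumptions; legitimate same-stem pairs exist, so findings are leads for review rather than verdicts.

```python
"""Added example (not the textbook's code): audit a directory listing for
companion-style infection.  Findings are leads for review, not verdicts,
because legitimate same-stem pairs (e.g. a BAT wrapper beside its EXE) exist."""
import os
from pathlib import PurePath

# Order in which the DOS shell resolves a name typed without an extension.
DOS_SEARCH_ORDER = (".BAT", ".COM", ".EXE")


def audit_companions(filenames):
    """Return a sorted list of (stem, resolved_ext, note) for suspicious stems.

    - resolved_ext is the extension DOS would run for `stem` typed bare; if it
      is not .EXE while an EXE of that stem exists, a companion sits in front.
    - an EXE beside a .VXD of the same stem matches the renamed-original
      pattern described for Email-Worm.Win32.Stator.a."""
    by_stem = {}
    for name in filenames:
        p = PurePath(name)
        by_stem.setdefault(p.stem.upper(), set()).add(p.suffix.upper())

    findings = []
    for stem, exts in sorted(by_stem.items()):
        if ".EXE" not in exts:
            continue                       # nothing to shadow
        resolved = next(e for e in DOS_SEARCH_ORDER if e in exts)
        if resolved != ".EXE":
            findings.append((stem, resolved,
                             f"{stem}{resolved} runs before {stem}.EXE (companion)"))
        if ".VXD" in exts:
            findings.append((stem, ".EXE",
                             f"{stem}.EXE beside {stem}.VXD (renamed-original pattern)"))
    return findings


def audit_directory(path):
    """Audit a real directory (non-recursive)."""
    return audit_companions(os.listdir(path))


# Constructed listing: EDIT and GAME are shadowed, NOTEPAD shows the Stator
# pattern, FORMAT.COM has no EXE to shadow and README.TXT is irrelevant.
SAMPLE_LISTING = ["EDIT.EXE", "EDIT.COM", "FORMAT.COM", "GAME.EXE", "GAME.BAT",
                  "NOTEPAD.EXE", "NOTEPAD.VXD", "README.TXT"]

if __name__ == "__main__":
    for stem, ext, note in audit_companions(SAMPLE_LISTING):
        print(f"{stem:10s} resolves to {ext}: {note}")
```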

    5.1.2. Worms

    Unfortunately, there is no definition of a worm in state standards and regulatory documents, so here we give only an intuitive definition that conveys the operating principles and functions of this type of malware.

    Worm (network worm) – a type of malicious program that spreads through network channels, capable of autonomously overcoming the protection systems of automated and computer networks, as well as creating and further distributing copies of itself, which do not always coincide with the original, and carrying out other harmful effects.

    Just as for viruses, the life cycle of worms can be divided into stages:

    1) penetration into the system;

    2) activation;

    3) search for “victims”;

    4) preparation of copies;

    5) distribution of copies.

    Stages 1 and 5 are generally symmetrical and are characterized primarily by the protocols and applications used.

    Stage 4, preparation of copies, is practically no different from the corresponding stage of virus reproduction. What was said about preparing copies of viruses applies without change to worms.

    At the stage of penetrating a system, worms are divided mainly according to the types of protocols used:

    - network worms – worms that use Internet and local network protocols to spread. Typically this type of worm spreads by exploiting incorrect handling of basic packets of the TCP/IP protocol stack by certain applications;

    - mail worms – worms that spread in the form of email messages;

    - IRC worms – worms that spread through IRC (Internet Relay Chat) channels;

    - P2P worms – worms that spread using peer-to-peer file sharing networks;

    - IM worms – worms that use instant messaging systems (IM, Instant Messenger: ICQ, MSN Messenger, AIM, etc.) to spread.

    Examples. Classic network worms are members of the Net-Worm.Win32.Sasser family. These worms exploit a vulnerability in the LSASS service of Microsoft Windows. When reproducing, the worm launches an FTP service on TCP port 5554, then selects an IP address to attack and sends a request to port 445 at this address, checking whether the LSASS service is running. If the attacked computer responds to the request, the worm sends an exploit for the LSASS vulnerability to the same port; as a result of its successful execution, a command shell is launched on the remote computer on TCP port 9996. Through this shell the worm remotely downloads a copy of itself via FTP from the previously launched server and launches it remotely, completing the penetration and activation process.

    As an example of a mail worm, consider Email-Worm.Win32.Zafi.d. The infected message has a subject and text selected from a list, the content of which is a holiday greeting (mostly Merry Christmas) and an invitation to view the greeting card in the attachment. The greeting can be in different languages. The name of the worm file contained in the attachment consists of the word “postcard” in the language corresponding to the greeting and an arbitrary set of characters. The worm file's extension is selected at random from the list .BAT, .COM, .EXE, .PIF, .ZIP. To send messages, the worm uses email addresses found on the infected computer. To gain control, the worm must be launched by the user.

    IRC-Worm.Win32.Golember.a is, as the name suggests, an IRC worm. When run, it saves itself in the Windows directory under the name trlmsn.exe and adds to the autorun section of the Windows registry a parameter with the command line that launches this file. In addition, the worm saves a copy of itself to disk as the archive Janey2002.zip and the image file Janey.jpg. The worm then connects to random IRC channels under different names and starts sending certain text strings, simulating the activity of a regular user. At the same time, an archived copy of the worm is sent to all users of these channels.

    Many network and email worms have distribution functionality via P2P channels. For example, Email-Worm.Win32.Netsky.q, in order to reproduce through file-sharing networks, searches the local disk for directories whose names contain the names of the most popular networks or the word “shared”, after which it places copies of itself under various names in these directories.

    IM worms rarely transfer infected files directly between clients. Instead, they send links to infected web pages. Thus, the worm IM-Worm.Win32.Kelvir.k sends via MSN Messenger messages containing the text “its you” and the link “http://www. malignancy.us//pictures.php?email=”, at the address specified in which the worm file is located.

    Today the most numerous group is email worms. Network worms are also a noticeable phenomenon, not so much in quantity as in quality: epidemics caused by network worms are often characterized by a high speed of spread and a large scale. IRC, P2P and IM worms are quite rare; more often IRC, P2P and IM serve as alternative distribution channels for email and network worms.
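    Added example (not from the textbook or from any product): detection logic, run over constructed connection records, for the Sasser propagation sequence described above (FTP service on TCP port 5554, probes of port 445 across many addresses, shell on TCP port 9996). The record format, addresses, time window and threshold are assumptions.

```python
"""Added example (not the textbook's code): flag hosts whose connection
pattern matches the Sasser-style sequence described in the text.
Input is a constructed list of "<seconds> <src_ip> <dst_ip> <dst_port>"
records; the window and threshold values are assumptions."""
from collections import defaultdict

LSASS_PROBE_PORT = 445     # the worm checks whether LSASS answers here
REMOTE_SHELL_PORT = 9996   # shell the exploit opens on the victim
FTP_DROPPER_PORT = 5554    # FTP service the worm starts on the attacking host

# Constructed records: 10.0.0.5 sweeps five hosts on 445, opens a shell on
# 10.0.0.11, which then fetches from 10.0.0.5's port 5554.  10.0.0.20 only
# touches two hosts on 445 and stays below the threshold.
SAMPLE_FLOWS = """\
100 10.0.0.5 10.0.0.7 445
101 10.0.0.5 10.0.0.8 445
102 10.0.0.5 10.0.0.9 445
103 10.0.0.5 10.0.0.10 445
104 10.0.0.5 10.0.0.11 445
105 10.0.0.5 10.0.0.11 9996
106 10.0.0.11 10.0.0.5 5554
200 10.0.0.20 10.0.0.21 445
201 10.0.0.20 10.0.0.22 445
""".splitlines()


def parse_flow(line):
    t, src, dst, dport = line.split()
    return int(t), src, dst, int(dport)


def detect_sasser_like(lines, window=60, min_targets=5):
    """Return {src_ip: [indicator strings]} for every source that probed at
    least `min_targets` distinct hosts on 445 within `window` seconds; shell
    and FTP-fetch activity tied to that source is listed as corroboration."""
    probes = defaultdict(list)    # src -> [(t, dst)] for port 445
    shells = defaultdict(set)     # src -> victims it reached on 9996
    fetches = defaultdict(set)    # listener -> hosts that pulled from its 5554
    for line in lines:
        t, src, dst, dport = parse_flow(line)
        if dport == LSASS_PROBE_PORT:
            probes[src].append((t, dst))
        elif dport == REMOTE_SHELL_PORT:
            shells[src].add(dst)
        elif dport == FTP_DROPPER_PORT:
            fetches[dst].add(src)

    findings = {}
    for src, events in probes.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding time window
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= min_targets:
                indicators = [f"{len(targets)} hosts probed on 445 within {window}s"]
                if shells.get(src):
                    indicators.append(f"shell on 9996 at {sorted(shells[src])}")
                if fetches.get(src):
                    indicators.append(f"fetched via 5554 by {sorted(fetches[src])}")
                findings[src] = indicators
                break
    return findings


if __name__ == "__main__":
    for host, why in detect_sasser_like(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(why))
```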

    At the activation stage, worms are divided into two large groups, differing both in technology and in lifespan:

    1. Active user participation is required for activation.

    2. To activate, user participation is not required at all, or passive participation is sufficient.

    Passive user participation in the second group means, for example, viewing messages in an email client, where the user does not open attached files but his computer nevertheless becomes infected.

    The difference between these approaches is deeper than it might seem at first glance. Activation of a network worm without user participation always means that the worm exploits security holes in the computer's software. This leads to very rapid spread of the worm inside a corporate network with a large number of workstations, significantly increases the load on communication channels and can completely paralyze the network. This activation method was used by the worms Lovesan and Sasser. As a result of an epidemic caused by such a network worm, the exploited hole is closed by administrators or users, and as the number of computers with the open hole decreases, the epidemic ends. To repeat the epidemic, virus developers have to exploit another hole. As a result, epidemics caused by active worms have a more significant impact on the operation of the network as a whole, but they occur much less frequently than epidemics of passive network worms. A mandatory protective measure against such epidemics is the timely installation of security patches. We also note that operating systems with built-in capabilities for remote control or remote launching of programs are especially vulnerable to this type of worm: this is the Microsoft Windows NT/2000/XP/2003 family.

    Example. The LSASS service vulnerability, first used in the MyDoom worm at the beginning of 2004, continued to be successfully used a year and a half later. Thus, Net-Worm.Win32.Mytob.be, discovered in June 2005, still used this vulnerability as a distribution method in addition to distribution via email.

    On the other hand, active participation of the user in activating the worm means that the user was misled by social engineering methods. In most cases the main factor is the form in which the infected message is presented: it can imitate a letter from a friend (including the sender address, if the friend is already infected), a service message from the mail system, or something similar that is equally common in the flow of regular correspondence. The user, in the rush, simply does not distinguish a regular message from an infected one and launches it automatically.

    It is impossible to protect against this type of worm with patches. Even adding the network worm's signature to the virus database does not completely solve the problem. Virus developers need only change the executable file so that the antivirus does not detect it, and slightly change the text of the message, including by using the spam technologies used to bypass filters.

    As a result, epidemics caused by passive network worms can last much longer and give rise to entire families of network worms of the same type.

    Recently there has been a tendency to combine both propagation methods in worms. Many members of the Mytob family have distribution functions both via email and through the vulnerability in the LSASS service.

    The method of searching for a victim computer is entirely determined by the protocols and applications used. In particular, in the case of an email worm, the files on the computer are scanned for email addresses, to which copies of the worm are then sent.

    In the same way, Internet worms scan ranges of IP addresses in search of vulnerable computers, and P2P worms place copies of themselves in the public directories of peer-to-peer network clients. Some worms are capable of exploiting the contact lists of Internet messengers such as ICQ, AIM, MSN Messenger, Yahoo! Messenger, etc.

    What was said earlier about preparing copies for spreading viruses also applies to worms.

    The most common among worms are simplified implementations of metamorphism. Some worms are capable of sending copies of themselves in messages both with the injection of a script that leads to automatic activation of the worm, and without it. This behaviour is due to two factors: an automatic activation script increases the likelihood of the worm running on the user's computer, but at the same time reduces the likelihood of slipping past the anti-virus filters on mail servers.

    Likewise, worms can change the subject and text of the infected message, and the name, extension and even the format of the attached file: the executable module can be attached as is or in zipped form. None of this can be considered meta- or polymorphism, but worms certainly possess a certain degree of variability.

    5.1.3. Trojans

    Let us give an intuitive definition of a Trojan program, or Trojan.

    Trojan (Trojan horse) – a type of malware whose main purpose is to cause harmful effects on a computer system. Trojans are distinguished by the absence of a mechanism for creating their own copies. Some Trojans are capable of autonomously overcoming computer protection systems in order to penetrate and infect the system. In general, a Trojan enters a system along with a virus or worm, as a result of careless user actions, or through active actions of an attacker.

    Because Trojans lack reproduction and distribution functions, their life cycle is extremely short, only three stages:

    Computer penetration;

    Activation;

    Execution of assigned functions.

    This, of course, does not mean that Trojans have a short lifespan. On the contrary, a Trojan can remain unnoticed in the computer's memory for a long time, without betraying its presence in any way, until it is detected by anti-virus tools.

    Trojans usually solve the problem of penetrating a user's computer using one of the following two methods.

    1. Disguise – the Trojan pretends to be a useful application, which the user downloads from the Internet and launches on his own. Sometimes the user is excluded from this process by placing on a web page a special script that, using holes in the browser, automatically initiates the download and launch of the Trojan.

    Example. Trojan.SymbOS.Hobble.a is an archive for the Symbian operating system (a SIS archive). It disguises itself as a Symantec antivirus and has the name symantec.sis. After launching on a smartphone, the Trojan replaces the original shell file FExplorer.app with a damaged one. As a result, the next time the operating system boots, most of the smartphone's functions are no longer available.

    One of the disguise options may also be for an attacker to insert Trojan code into the code of another application. In this case it is even more difficult to recognize the Trojan, since the infected application can openly perform some useful actions while at the same time secretly causing damage through the Trojan functions.

    The method of introducing Trojans onto users' computers through websites is also common. In this case, either a malicious script is used that downloads and runs a Trojan program on the user's computer using a vulnerability in the web browser, or social engineering methods: the content and design of the website provoke the user to download the Trojan himself. With this method of introduction, not a single copy of the Trojan but a polymorphic generator that creates a new copy on every download may be used. The polymorphism technologies used in such generators usually do not differ from viral polymorphic technologies.

    2. Cooperation with viruses and worms – a Trojan travels along with worms or, less commonly, viruses. In principle, such “worm-Trojan” pairs could be considered as a single composite worm, but in established practice it is customary to regard the Trojan component of a worm, if it is implemented as a separate file, as an independent Trojan with its own name. In addition, the Trojan component may reach the computer later than the worm file.

    Example. Using the backdoor functionality of the Bagle worm family, the author of the worm carried out a hidden installation of the Trojan SpamTool.Win32.Small.b, which collected the email addresses found in files on the infected computer and sent them to a specific address.

    Cooperation between worms and viruses is also often observed: the worm transports the virus between computers, and the virus spreads within the computer, infecting files.

    Example. The once-famous worm Email-Worm.Win32.Klez.h, when infecting a computer, also launched the virus Virus.Win32.Elkern.c on it. It is hard to say why this was done, since the virus itself, apart from infection and the malicious manifestations caused by errors in its code (it contains no obvious malicious procedures), performs no actions, i.e. it is not a “strengthening” of the worm in any sense.

    At the activation stage, the techniques are the same as those used by worms: waiting for the user to launch a file, or using vulnerabilities to launch it automatically.

    Unlike viruses and worms, which are divided into types according to their methods of reproduction/distribution, Trojans are divided into types according to the nature of the malicious actions they perform. The most common types of Trojans are:

    - Keyloggers– Trojans that reside permanently in memory and store all data coming from the keyboard for the purpose of subsequently transmitting this data to an attacker. Typically, this is how an attacker tries to find out passwords or other confidential information.

    Example. In the past, just a couple of years ago we met keyloggers, which recorded all keystrokes and wrote them to a separate file. Trojan-Spy.Win32.Small.b, for example, in an endless loop, read the codes of the keys pressed and saved them in a file C:\SYS.

    Modern spyware is optimized to collect information transmitted by the user on the Internet, since this data may include logins and passwords for bank accounts, PIN-credit card codes and other confidential information related to the user’s financial activities. Trojan-Spy.Win32.Agent.fa tracks open windows Internet Explorer and saves information from sites visited by the user, keyboard input into a specially created file servms.dll in the system directory Windows.

    - Password thieves– Trojans, also designed to obtain passwords, but do not use keyboard tracking. Such Trojans implement methods for extracting passwords from files in which these passwords are stored by various applications.

    Example. Trojan-PSW.Win32.LdPinch.kw collects information about the system, as well as logins and passwords for various services and application programs - instant messengers, email clients, dialers. Often this data is poorly protected, which allows the Trojan to obtain it and send it to the attacker by email.

    - Remote management utilities– Trojans that provide complete remote control over the user’s computer. There are legal utilities with the same properties, but they differ in that they indicate their purpose during installation or are provided with documentation that describes their functions. Trojan remote control utilities, on the contrary, do not reveal their real purpose in any way, so the user does not even suspect that his computer is under the control of an attacker. The most popular remote control utility is Back Orifice.

    Example. Backdoor.Win32.Netbus.170 provides full control over the user's computer, including performing any file operations, downloading and launching other programs, taking screenshots, etc.

    - Hatches (backdoor)– Trojans that provide the attacker with limited control over the user’s computer. They differ from remote control utilities in their simpler design and, as a result, in a small number of available actions. However, one of the usual actions is the ability to download and run any files at the attacker's command, which allows you to turn limited control into full control if necessary.

    Example. Last time backdoor-functionality has become characteristic feature worms For example, Email-Worm.Win32.Bagle.at uses port 81 to receive remote commands or download Trojans that extend the functionality of the worm.

    There are also separate Trojans like backdoor. Trojan Backdoor.win32. Wootbot.gen uses IRC-channel for receiving commands from the “master”. Upon command, a Trojan can download and launch other programs, scan other computers for vulnerabilities, and install itself on computers through detected vulnerabilities.

    - Anonymous smtp servers and proxies– Trojans that perform functions mail servers or proxies and are used in the first case for spam mailings, and in the second - to cover their tracks by hackers.

    Example. Trojans from the family Trojan-Proxy.Win32.Mitglieder spread with different versions of worms Bagle. The Trojan is launched by a worm, opens a port on the computer and sends information about IP-address of the infected computer. After this, the computer can be used to send spam.

    - Dialers – a relatively new type of Trojan: utilities that dial up to the Internet through expensive paid services. Such Trojans register themselves in the system as the default dialer and run up huge bills for Internet use.

    Example. Trojan.Win32.Dialer.a, when launched, dials up to the Internet through paid services. It performs no other actions, not even creating registry keys, i.e. it does not register itself as the default dialer or set up autostart.

    - Browser settings modifiers – Trojans that change the browser’s start page, search page or other settings, open additional browser windows, simulate clicks on banners, etc.

    Example. Trojan-Clicker.JS.Pretty is usually found in HTML pages. It opens additional windows with specific web pages and refreshes them at a set interval.

    - Logic bombs – often not Trojans as such but Trojan components of worms and viruses, whose essence is to perform a certain action (for example, destroying data) when certain conditions are met (date, time of day, user actions, an external command).

    Example. Virus.Win9x.CIH, Macro.Word97.Thus.

    Worms and viruses can perform all the same actions as Trojans (see the previous section). At the implementation level, these may be either separate Trojan components or built-in functions. In addition, because of how widely they spread, viruses and worms are also characterized by other forms of malicious action:

    - Overloading communication channels – a type of damage characteristic of worms: during large-scale epidemics, huge numbers of requests, infected e-mails or direct copies of the worm are transmitted over Internet links. In some cases, using Internet services during an epidemic becomes difficult. Example: Net-Worm.Win32.Slammer.

    - DDoS attacks – because of how widely they spread, worms can be used effectively to carry out distributed denial-of-service (DDoS) attacks. At the height of an epidemic, when millions or even tens of millions of computers are infected, all the infected systems accessing a specific Internet resource at once completely blocks that resource. Thus, during the MyDoom worm attack, the website of the SCO company was unavailable for a month. Examples: Net-Worm.Win32.CodeRed.a – a not very successful attack on www.whitehouse.gov; Email-Worm.Win32.Mydoom.a – a successful attack on www.sco.com.

    - Data loss – behaviour more typical of viruses than of Trojans and worms, consisting in the intentional destruction of certain data on the user’s computer. Examples: Virus.Win9x.CIH – erasing the boot sectors of disks and the contents of the Flash BIOS; Macro.Word97.Thus – deleting all files on drive C:; Email-Worm.Win32.Mydoom.e – deleting files with certain extensions depending on a random number.

    - Software malfunction – also a trait more characteristic of viruses. Because of errors in the virus code, infected applications may work incorrectly or not work at all. Example: Net-Worm.Win32.Sasser.a – reboots the infected computer.

    - Performance degradation – intensive use of computer resources by malware reduces the performance of both the system as a whole and individual applications. Example: to varying degrees, any malicious program.

    The presence of destructive actions is by no means a mandatory criterion for classifying program code as a virus. It should also be noted that a virus can cause colossal damage by the process of self-replication alone. The most striking example is Net-Worm.Win32.Slammer.

    5.1.4. Information security threats

    Let us consider threats to information security from the viewpoint of viruses. Given that the total number of viruses today exceeds 100,000, analysing the threats posed by each of them is too time-consuming and pointless a task, since the number of viruses grows daily, meaning that the resulting list would have to be revised daily. In this work we will assume that a virus is capable of implementing any of the threats to information security.

    There are many ways to classify security threats to information processed in an automated system. The most commonly used classification is based on the threat’s impact on information, namely violation of confidentiality, integrity and availability.

    For each threat, viruses have several ways of implementing it.

    Confidentiality threat:

    Theft of information and its dissemination via standard communication channels or covert transmission channels: Email-Worm.Win32.Sircam – sent out arbitrary documents found on the infected computer together with copies of the virus;

    Theft of access passwords, encryption keys, etc.: any password-stealing Trojan, e.g. Trojan-PSW.Win32.LdPinch.gen;

    Remote control: Backdoor.Win32.NetBus, Email-Worm.Win32.Bagle (backdoor functionality).

    Integrity threat:

    Modification by destruction or encryption (deletion of certain types of documents): Virus.DOS.OneHalf – encrypts the contents of the disk; Virus.Win32.Gpcode.f – encrypts files with certain extensions and then self-destructs, leaving next to the encrypted files contact details for negotiating their decryption;

    Modification by low-level destruction of the medium (formatting the medium, destroying file allocation tables): Virus.MSWord.Melissa.w – formats drive C: on December 25.

    Availability threat:

    Any activity that results in information becoming inaccessible; various sound and visual effects: Email-Worm.Win32.Bagle.p – blocks access to the websites of antivirus companies;

    Disabling the computer by destroying or damaging critical components (destroying the Flash BIOS): Virus.Win9x.CIH – damages the Flash BIOS.

    As is easy to see, for each of the above methods of implementing a threat, one can give a specific example of a virus that implements one or several methods at once.

    Malicious programs differ in the conditions under which they exist, the technologies used at the various stages of their life cycle, and their actual harmful effects; all of these factors serve as the basis for classification. Based on the main (historically speaking) characteristic, reproduction, malware is divided into three types: viruses, worms and Trojans.

    Regardless of type, malware can cause significant damage by implementing any of the threats to information: violations of integrity, confidentiality and availability. Therefore, when designing comprehensive anti-virus protection systems and, more generally, comprehensive information protection systems, network nodes must be ranked and classified according to the importance of the information processed on them and the likelihood of their infection by viruses.
