CPIC 1
CLASSES OF MALICIOUS SOFTWARE
Two of the most common types of malware are viruses and worms. These types of programs are able to self-replicate and can spread copies of themselves, which might even be modified copies. To be classified as a virus or worm, malware must have the ability to propagate. The difference is that a worm operates more or less independently of other files, whereas a virus depends on a host program to spread itself. These and other classes of malicious software are described below.

Viruses
A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels.
Worms
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage.
In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them.
Trojans
A Trojan is another type of malware, named after the wooden horse the Greeks used to infiltrate Troy.
It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.
Bots
"Bot" is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites. Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet."
Best Practices for Combating Viruses, Worms, Trojans, and Bots
The first step to protecting your computer is to ensure that your OS is up to date. This means regularly applying the most recent patches and fixes recommended by the OS vendor.
Secondly, you should have antivirus software installed on your system and download updates frequently to ensure that your software has the latest fixes for new viruses, worms, Trojans, and bots. Additionally, you want to make sure that your antivirus program can scan e-mail and files as they are downloaded from the Internet. This will help prevent malicious programs from reaching your computer. You may also want to consider installing a firewall.
SPYWARE
Spyware is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge. [1]
"Spyware" is mostly classified into four types: system monitors, trojans, adware, and tracking cookies. [2] Spyware is mostly used for the purposes of tracking and storing Internet users' movements on the Web and serving up pop-up ads to Internet users.

Additional Definitions and References
Exploit
An exploit is a piece of software, a command, or a methodology that attacks a particular security vulnerability. Exploits are not always malicious in intent; they are sometimes used only as a way of demonstrating that a vulnerability exists. However, they are a common component of malware.

Back Door
A back door is an undocumented way of accessing a system, bypassing the normal authentication mechanisms. Some back doors are placed in the software by the original programmer and others are placed on systems through a system compromise, such as a virus or worm. Usually, attackers use back doors for easier and continued access to a system after it has been compromised.

COMPUTER VIRUS is a program which is designed to damage or sabotage the computer as well as the computer files. It is also designed to attach itself to other programs and replicate by itself.

THE DIFFERENT CLASSIFICATION OF VIRUS PROGRAM
1. Boot sector Virus: a computer virus which has the ability to damage the master boot record of the hard disk.
2. Macro Virus: a virus type that can infect documents which are created in Microsoft Office professional programs.
4. Logical virus: a virus that has the ability to delete the host file and create new infected files.
5. Trojan virus: a virus type that has the ability to reformat your HDD and reprogram your computer BIOS.
6. Sleeping virus (live and
11. Stealth virus (buffered virus): a virus type that has the ability to intercept the interrupt table of the computer, which is located at the beginning of the computer memory. Stealth viruses also have the ability to control the system by redirecting the interrupt calls and can hide to escape detection.

HOW DOES A VIRUS INFECT A PROGRAM?
Two Phases of infection:
Action: the virus program must be executed by the user or execute by itself, and attach its structure to the computer's memory for further infections.
Replicate: the virus program produces an infected program or file.

Marker bytes: the information located at the beginning of a file, from which the virus program can determine whether that file can be infected or not.
Virus signature: a byte added by the virus which indicates that the file is an infected file.

CHARACTERISTICS OF VIRUS
1. A virus program can modify other programs by binding its structures into those programs.
2. A virus program can execute the modification on a number of programs.
3. A virus program can recognize the modification done by other viruses.
4. A virus program can prevent further modification upon recognition.
5. A virus program can damage computer peripherals and files.

PROTECTION STRATEGIES
1. Always back up your files
2. Purchase and use virus detection software
3. Be careful of downloaded files from the internet
4. Be careful of shareware software
5. Purchase your software only from dependable developers
1. Email attachment
2. Internet
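The marker bytes and virus signature described under HOW DOES A VIRUS INFECT A PROGRAM above can be turned around for defence: a scanner reads the same marker bytes to learn what kind of file it has and searches for the signature an infection leaves behind. The following Python is an added example, not part of the handout; the signature patterns, the marker table and the sample files are all constructed for illustration.

```python
# Constructed signature database (name -> byte pattern): made-up patterns for
# the example, not real malware signatures.
SIGNATURES: dict[str, bytes] = {
    "Example.Appender.A": b"\xde\xad\xbe\xef\x00A",
    "Example.Prepender.B": b"INFECTED-BY-B",
}

# Leading marker bytes identify the file format; the handout notes that a
# virus reads them to decide whether a file can be infected at all.
EXECUTABLE_MARKERS: dict[bytes, str] = {
    b"MZ": "DOS/Windows executable",
    b"\x7fELF": "ELF executable",
}

def file_kind(data: bytes) -> str:
    """Classify a file by its marker bytes."""
    for marker, kind in EXECUTABLE_MARKERS.items():
        if data.startswith(marker):
            return kind
    return "non-executable"

def find_signatures(data: bytes) -> list[str]:
    """Names of all signature patterns found anywhere in the file."""
    return sorted(n for n, p in SIGNATURES.items() if p in data)

def verdict(data: bytes) -> dict[str, object]:
    """A signature in a file the virus can host means infection; the same bytes
    in a file it cannot host are only suspicious (a bare pattern match would
    wrongly call that file infected)."""
    kind, hits = file_kind(data), find_signatures(data)
    if hits and kind != "non-executable":
        status = "infected"
    elif hits:
        status = "suspicious"
    else:
        status = "clean"
    return {"kind": kind, "signatures": hits, "status": status}

def scan(files: dict[str, bytes]) -> dict[str, dict[str, object]]:
    """Scan a mapping of file name -> content and return a verdict per file."""
    return {name: verdict(data) for name, data in files.items()}

# Constructed sample files: a clean executable, one with the signature
# appended, and a text file that merely happens to contain the same bytes.
SAMPLE_FILES: dict[str, bytes] = {
    "clean.exe": b"MZ" + b"\x00" * 62 + b"program body",
    "infected.exe": b"MZ" + b"\x00" * 62 + b"program body\xde\xad\xbe\xef\x00A",
    "notes.txt": b"notes containing \xde\xad\xbe\xef\x00A by accident",
}
```

Running scan(SAMPLE_FILES) reports clean.exe as clean, infected.exe as infected, and notes.txt as suspicious rather than infected, because its marker bytes show it is not a file this kind of virus can host.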
TOP TEN MOST DESTRUCTIVE COMPUTER VIRUS
1. ILOVEYOU (2000)
Estimated Damage: 10 to 15 billion dollars
Also "nown as oveletter and The ove *ug, this was a ;isual *asic script with an ingenious and irresistible hoo"5 the promise of love. n +ay >, 6GGG, the I;80% worm was rst detected in :ong Kong. The bug was transmitted via e-mail with the sub#ect line )I;80%) and an attachment, ove-etter-Mor-0ou.TJT.vbs. /imilar to +elissa, the virus mailed itself to all +icrosoft utloo" contacts.
The virus also too" the liberty of overwriting music les, image les, and others with a copy of itself. +ore disturbingly, it searched out user I
2. Sobig.F (2003)
The Sobig worm hit right on the heels of Blaster, making August 2003 a miserable month for corporate and home PC users. The most destructive variant was Sobig.F, which spread so rapidly on August 19 that it set a record (which would later be broken by My

On September 10, 2003, the virus deactivated itself and is no longer a threat. Microsoft (NS

3. Blaster (2003)
Estimated Damage: 2 to 10 billion dollars, hundreds of thousands of infected PCs
The summer of 2003 was a rough time for businesses running PCs. In rapid succession, IT professionals witnessed the unleashing of both the Blaster and Sobig worms. Blaster, also known as Lovsan or MSBlast, was the first to hit. The virus was detected on August 11 and spread rapidly, peaking in just two days. Transmitted via network and Internet traffic, this worm exploited a vulnerability in Windows 2000 and Windows XP, and when activated, presented the PC user with a menacing dialog box indicating that a system shutdown was imminent. Hidden in the code of MSBLAST.EXE -- the virus' executable -- were these messages: "I just want to say LOVE YOU SAN!!" and "billy gates why do you make this possible? Stop making money and fix your software!!"
The virus also contained code that would trigger a distributed denial of service attack on windowsupdate.com on April 15, but Blaster had already peaked and was mostly contained by then.
4. Code Red
Estimated Damage: 2.6 billion dollars
Code Red was a computer worm that was unleashed on network servers on July 13, 2001. It was a particularly virulent bug because of its target: computers running Microsoft (NS
5. CIH (1998)
Estimated Damage: 20 to 80 million dollars worldwide, countless amounts of PC data destroyed
Unleashed from Taiwan in June of 1998, CIH is recognized as one of the most dangerous and destructive viruses ever. The virus infected Windows 95, 98, and ME executable files and was able to remain resident in a PC's memory, where it continued to infect other executables. What made CIH so dangerous is that, shortly after being activated, it would overwrite data on the host PC's hard drive, rendering it inoperable. It was also capable of overwriting the BIOS of the host, preventing boot-up. Because it infected executable files, CIH wound up being distributed by numerous software distributors, including a demo version of an Activision game named Sin. CIH is also known as the Chernobyl virus because the trigger date of certain strains of the virus coincides with the date of the Chernobyl nuclear reactor accident. The virus is not a serious threat today, thanks to increased awareness and the widespread migration to Windows 2000, XP, and NT, none of which are vulnerable to CIH.
6. Melissa (1999)
Estimated Damage: 300 to 600 million dollars
On Friday, March 26, 1999, W97M/Melissa became front-page news across the globe. Estimates have indicated that this Word macro script infected 15 to 20 percent of all business PCs. The virus spread so rapidly that Intel (NS
7. SQL Slammer (2003)
Estimated Damage: Because SQL Slammer erupted on a Saturday, the damage was low in dollars and cents. However, it hit 500,000 servers worldwide, and actually shut down South Korea's online capacity for 12 hours
SQL Slammer, also known as Sapphire, was launched on January 25, 2003. It was a doozy of a worm that had a noticeable negative impact upon global Internet traffic. Interestingly enough, it didn't seek out end users' PCs. Instead, the target was servers. The virus was a single-packet, 376-byte worm that generated random IP addresses and sent itself to those IP addresses. If the IP address was a computer running an unpatched copy of Microsoft's SQL Server
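The behaviour described above, one datagram of a fixed size sent to many random IP addresses, is a pattern a defender can look for in flow logs: a source with an unusually high fan-out of distinct destinations, all receiving identically sized UDP packets. The following Python is an added example, not part of the handout; the flow records, the window length and the threshold are constructed assumptions, and the 376-byte size comes from the text.

```python
from collections import defaultdict

# Constructed flow records (not captured traffic): seconds, source IP,
# destination IP, protocol, payload bytes.  10.0.0.5 behaves like the
# single-packet worm in the text (one 376-byte UDP datagram to each of many
# random addresses); 10.0.0.9 is an ordinary client talking to one server.
FLOW_LOG = """\
0 10.0.0.5 198.51.100.7 UDP 376
0 10.0.0.5 203.0.113.41 UDP 376
1 10.0.0.5 192.0.2.200 UDP 376
1 10.0.0.5 198.51.100.99 UDP 376
2 10.0.0.5 203.0.113.3 UDP 376
2 10.0.0.5 192.0.2.77 UDP 376
0 10.0.0.9 192.0.2.10 TCP 1460
1 10.0.0.9 192.0.2.10 TCP 512
2 10.0.0.9 192.0.2.10 TCP 1460
"""

def parse_flows(text: str) -> list[dict]:
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        t, src, dst, proto, size = line.split()
        flows.append({"t": int(t), "src": src, "dst": dst,
                      "proto": proto, "size": int(size)})
    return flows

def find_scanners(flows: list[dict], window: int = 5,
                  min_targets: int = 5) -> dict[str, dict]:
    """Flag sources that send a UDP datagram of one fixed size to at least
    `min_targets` distinct destinations within `window` seconds: the fan-out
    of a single-packet worm.  Returns source IP -> evidence."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for f in flows:
        if f["proto"] == "UDP":
            by_src[f["src"]].append(f)
    alerts = {}
    for src, sent in by_src.items():
        sent.sort(key=lambda f: f["t"])
        for i, first in enumerate(sent):
            # Sliding window starting at each datagram the source sent.
            burst = [f for f in sent[i:] if f["t"] - first["t"] <= window]
            targets = {f["dst"] for f in burst}
            sizes = {f["size"] for f in burst}
            if len(targets) >= min_targets and len(sizes) == 1:
                alerts[src] = {"targets": len(targets), "size": sizes.pop(),
                               "start": first["t"]}
                break
    return alerts
```

find_scanners(parse_flows(FLOW_LOG)) flags only 10.0.0.5, with six targets and a 376-byte datagram; the threshold and window would be tuned to the normal UDP fan-out of the network being monitored.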
8. BAGLE (2004)
Estimated Damage: Tens of millions of dollars...and counting
Bagle, a classic but sophisticated worm, made its debut on January 18, 2004. The malicious code infected users' systems via the traditional mechanism -- an e-mail attachment -- and then scoured Windows files for e-mail addresses it could use to replicate itself. The real danger of Bagle (a.k.a. Beagle) and its 60 to 100 variants is that, when the worm infects a PC, it opens a back door to a TCP port that can be used by remote users and applications to access data -- financial, personal, anything -- on the infected system. According to an April 2005 TechWeb story, the worm is "usually credited with starting the malware-for-profit movement among hackers, who prior to the ground-breaking worm, typically were motivated by notoriety." The Bagle.B variant was designed to stop spreading after January 28, 2004, but numerous other variants of the virus continue to plague users to this day.

9. MYDOOM (2004)
Estimated Damage: At its peak, slowed global Internet performance by 10 percent and Web load times by up to 50 percent
For a period of a few hours on January 26, 2004, the My
10. Sasser (2004)
Estimated Damage: Tens of millions of dollars
Sasser began spreading on April 30, 2004, and was destructive enough to shut down the satellite communications for some French news agencies. It also resulted in the cancellation of several
Sasser was written by a 17-year-old German high school student, who released the virus on his 18th birthday. Because he wrote the code when he was a minor, a German court found him guilty of computer sabotage but gave him a suspended sentence.