Transcript Chapter 1

Chapter 1
Viruses: Attack of the Malicious Programs
What is a virus?
A computer virus is a malicious computer program that, when executed by an unsuspecting human, performs tasks that primarily include replicating itself and deploying a payload.
What is a virus?
A computer virus is a malicious program...
– Written by somebody who is up to no good.
...that, when executed by an unsuspecting human...
– Viruses need human help; usually the human is tricked into starting the virus.
...performs tasks that include replicating itself and deploying a payload.
– (next slide)
Some possible virus payloads
• Jokes/vandalism
• Data destruction/corruption
• Spam distribution
• Data/information theft
• Hijacking
• Ransomware
• Virus and spyware distribution
Kinds of malware
• Viruses
• Macro viruses
• Memory-resident viruses
• File infector viruses
• Boot viruses
• Trojan horses
• Hoaxes
• Worms
Macro viruses
• Macros are command sequences available in many systems; Word is one, Excel is another.
• A macro can deploy a virus, just like any other executable.
• They often come with email attachments.
• They can open/close/write/destroy files.
• If they destroy your registry, your computer will not boot!
• Best: turn off the capability to run macros by default.
Turning off macros
• Office 2003:
– Tools → Options → Security tab. In macro security, click the Macro Security button, click the Security Level tab, and choose a level. The book recommends the Medium setting.
• Office 2007:
– Office button → <product> Options → Trust Center, click the Trust Center Settings button. Choose the macro setting you want; recommended: Disable all macros with notification.
Memory Resident Viruses
• Memory-resident viruses load into RAM when activated and stay there; though they disappear when the machine is turned off, they often set up a mechanism so they reappear when the machine is rebooted.
• They slow down the computer, can damage data and system files, and may stop the computer from running correctly.
File infector viruses
• These are viruses that attach themselves to program files (files called *.EXE or *.COM).
• They have access to anything the original program has and can damage any of it; ergo, the whole computer (software).
Boot Viruses
• These are viruses which “hide” in the boot area of a disk/floppy. They may render the disk useless as a bootable disk.
Trojan Horses
• Trojan horses are viruses that are inside other (interesting) programs; you run the program and launch the virus at the same time.
Multi-Partite Viruses
• They just combine all of the above.
Hoaxes
• Letters that warn you about viruses that aren't.
• Threaten catastrophe.
• Reference a technology authority like IBM, Microsoft or the FBI.
• Ask that it be resent, probably several times.
• Usually a Google search will reveal the hoax.
• Other sites to check: www.f-secure.com/virusinfo/hoax and www.snopes.com
Worms
• This is malware that goes from computer to computer without human intervention.
• Besides other ill effects, they often clog networks looking for computers to infect.
Some avoidance tips
• Install an anti-virus program and keep it up to date
• McAfee or AVG from http://free.grisoft.com/
• Be wary of unexpected links and attachments
• Don't use P2P/BitTorrent
• Never turn off your anti-virus or your firewall.
• Check thumb drives, floppies, burned CDs and DVDs
• Don't accept files from unknown people when using Internet chat programs such as MSN Messenger, IM, Yahoo Messenger, IRC.
Symptoms of a sick System
• Frequent crashes and system restarts
• Slow/erratic performance
• Broken/erratic internet connection
• An active internet connection on an otherwise idle computer
• Stuff in your sent folder you didn't send.
• Missing or corrupt data/files.
What to do?
• Update your antivirus software.
• Disconnect from the internet: turn off your modem/router and wireless. (Quarantine every computer.)
• If your antivirus found the virus and cleaned it, you are fine; otherwise:
– Boot into safe mode.
– Do a system virus scan. Repeat until clean.
If you cannot get on the Internet...
• Your virus may have fiddled with a file called HOSTS.
• Its full name is C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS on most systems (XP and Vista, probably Windows 7 also).
• Its contents should only be:
127.0.0.1 localhost
and (in Vista, Windows 7):
::1 localhost
There may be some lines with ipv6xx names on them; they are OK.
• Edit the file with Notepad.
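An added check for this HOSTS rule (example code written for this page, not from the lecture): it parses a hosts file and flags every entry other than localhost on a loopback address, so a vendor site pinned to 127.0.0.1 or a real site pointed elsewhere stands out. Names beginning with ip6- are treated as the "ipv6xx" lines the slide says are OK; that prefix, the function names and the sample file are assumptions.

```python
import ipaddress

# Path the lecture gives for the Windows HOSTS file.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"

def parse_hosts(text):
    """Return (line_no, address, [names]) for every non-blank, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            fields = line.split()
            entries.append((line_no, fields[0], fields[1:]))
    return entries

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; a malformed address counts as not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def find_unexpected(text):
    """Flag every name that is not localhost-on-loopback or an ip6-* bookkeeping name.
    Flagged lines are what the slide warns about: a vendor/update site pinned to
    127.0.0.1 (blocks updates) or a real site pointed at a foreign address."""
    flagged = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname.startswith("ip6-"):  # assumed harmless "ipv6xx" names, as the slide says
                continue
            if lname == "localhost" and is_loopback(addr):
                continue
            flagged.append((line_no, addr, name))
    return flagged

def check_hosts_file(path=WINDOWS_HOSTS_PATH):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_unexpected(fh.read())

# Constructed sample for the offline demo, not a real infected file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
ff02::1         ip6-allnodes
127.0.0.1       update.av-vendor.example    # would block antivirus updates
203.0.113.9     www.bank.example            # would silently redirect a site
"""
```

Running `find_unexpected(SAMPLE_HOSTS)` reports only the last two lines; `check_hosts_file()` does the same against the live file so you know what to delete in Notepad.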
Operating System Security Features
• KEEP YOUR OS UP TO DATE; set it to check for updates periodically (at least once a week).
• Install and run antivirus software; keep it up to date (it should update automatically).
• Keep your firewall operational.
• In Vista and Windows 7 (and on the Mac), every time some program tries to change the system in some significant fashion, a window prompt appears. Called UAC in Windows, it can be turned off. DON'T.
More System Security Features
• Be sure to set up all accounts as STANDARD accounts; have a special Administrator account (hopefully called something else) for admin tasks.
• Windows has something called Data Execution Prevention (DEP). To set:
– In XP: use sysdm.cpl, Advanced, Performance, click on Settings and choose the level.
– In Vista/Windows 7: System, Advanced System Settings, Advanced tab, Settings, DEP settings.
Viruses on Other devices
• On the Mac: before OS X there were about 60-80 viruses; only a handful for OS X. So, not a real problem; however:
– PC viruses can happily live (dormant) in Mac files.
– Newer Macs can run Windows, and there, all bets are off.
• Unix/Linux have seen a handful of viruses, none for monetary gain. It is possible, now, to run Windows in Linux, so, again, the caveat above applies. Also, PC viruses can exist in any file.
Viruses in Phones/PDAs
• Attacks against cell phones through SMS messages: the possibility existed. Otherwise, five kinds of devices:
– Symbian: Handful, spread through Bluetooth.
– RIM (Blackberrys): None known.
– Windows Mobile phones: None known.
– iPhones, etc.: None known, unless the phone is “jailbroken”.
– Android: Too new. Some apps have been malicious, but have not been able to spread.
If your antivirus cannot remove the virus, try:
• http://www.sarc.com/avcenter/tools.list.html
• http://us.mcafee.com/virusinfo/default.asp?id=vrt
• http://www.kaspersky.com/removaltools
• http://www.bitdefender.com/site/Download/browseFreeRemovalTool/
• http://www.f-secure.com/downloadpurchase/tools.shtml
• http://www.microsoft.com/security/malwareremove/