2010/04/29 15:08:22

Computer virus

A computer virus is a type of computer program capable of creating copies of itself (not necessarily identical to the original) and embedding them in files, system areas of a computer or computer networks, as well as performing other destructive actions. The copies retain the ability to spread further. A computer virus is a kind of malware.


Main article: Malware (malware)

Defining a computer virus has historically been a problematic issue: it is difficult to give a clear definition of a virus that singles out the properties inherent only in viruses and not shared by other software systems. Conversely, as soon as a virus is rigidly defined as a program with certain properties, one can almost immediately find an example of a virus that lacks those properties.

Another problem with the definition of a computer virus is that today "virus" most often means not a "traditional" virus but almost any malicious program. This leads to confusion in terminology, made worse by the fact that almost all modern antiviruses are able to detect all of these types of malware, so the association between malware and viruses becomes ever more firmly established.

Classification

Currently there is no single system for classifying and naming viruses; however, various sources offer different classifications. Some of them are given below:

Classification of viruses by method of infection

Resident

Such viruses, having received control, remain in memory in one way or another and search for victims continuously until the environment in which they run terminates. With the transition to Windows, the problem of remaining in memory ceased to be relevant: almost all viruses executed in the Windows environment, as well as in the Microsoft Office application environment, are resident viruses. Accordingly, the resident attribute applies only to DOS file viruses. Non-resident Windows viruses are possible, but in practice they are a rare exception.

Non-resident

Having received control, such a virus performs a one-time search for victims and then transfers control to the object it is attached to (the infected object). Script viruses belong to this type.

Virus Classification by Exposure

Harmless

Viruses that do not affect the operation of the computer in any way (apart from reducing free disk space as a result of their spread);

Not dangerous

Viruses that do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; the actions of such viruses manifest themselves as graphic or sound effects;

Dangerous

Viruses that can lead to various malfunctions in the computer;

Very dangerous

Viruses, the effects of which can lead to the loss of programs, destruction of data, erasure of information in system areas of the disk.

Virus Classification by Masking Method

When creating copies, the following masking technologies can be used:

Encryption: the virus consists of two functional parts, the virus body itself and the encryptor. Each copy of the virus consists of the encryptor, a random key and the virus body encrypted with that key.

Metamorphism: different copies of the virus are created by replacing blocks of commands with equivalent ones, rearranging pieces of code and inserting "garbage" commands that do practically nothing between the meaningful pieces of code.

Encrypted virus

This is a virus that uses simple encryption with a random key and an invariable encryptor. Such viruses are easily detected by the signature of the encryptor.

Ransomware virus (encryptor)

In most cases the ransomware virus arrives by e-mail as an attachment from a sender unknown to the user, possibly claiming to be a well-known bank or a large organization. The letters have subject lines of the form "Reconciliation Act...," "Your debt to the bank...," "Verification of registration data," "Summary," "Blocking of the current account" and so on. The letter contains an attachment with documents allegedly confirming the fact stated in the subject or body of the letter. When this attachment is opened, the ransomware virus is launched immediately and silently encrypts all documents. The user notices the infection when all files that previously had familiar icons are displayed with icons of an unknown type. The criminal then demands money for decryption. But even after paying the attacker, the chances of recovering the data are often negligible.

Attachments of malicious emails are most often archives: .zip, .rar, .7z. If the display of file extensions is disabled in the operating system settings, the user (the recipient of the letter) will see only files of the form "Document.doc," "Act.xls" and the like. In other words, the files will seem completely harmless. But if the display of file extensions is turned on, it immediately becomes clear that these are not documents but executable programs or scripts; the file names take on a different form, for example "Document.doc.exe" or "Act.xls.js." Opening such a file does not open a document but launches the ransomware virus. Here is a short list of the most common "dangerous" file extensions: .exe, .com, .js, .wbs, .hta, .bat, .cmd. Therefore, if the user does not know what was sent in the attachment, or the sender is unfamiliar, the letter most likely contains a ransomware virus.

In practice there have been cases of receiving a regular Word file (with a .doc extension) by e-mail that contains, in addition to text, an image, a hyperlink (to an unknown site on the Internet) or an embedded OLE object. Clicking on such an object causes immediate infection.
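The double-extension and archived-attachment tricks described above can be screened for mechanically. The following is an added example (not code from the original page): a small attachment classifier that flags the listed executable extensions, names like "Document.doc.exe", and executables hidden inside ZIP archives (nested ZIPs included). The extension lists are assumptions, not a complete policy.

```python
import io
import zipfile

# Extensions the article lists as commonly dangerous in mail attachments,
# plus .vbs and .scr (assumption: a starting list, not a complete one).
DANGEROUS_EXTENSIONS = {"exe", "com", "js", "wbs", "vbs", "hta", "bat", "cmd", "scr"}
# Document-looking extensions that a double-extension name tries to imitate.
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "rtf"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}


def classify_name(name):
    """Return (verdict, reason) for one attachment or archive member name."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("suspicious", "no extension")
    ext = parts[-1]
    if ext in DANGEROUS_EXTENSIONS:
        # "Document.doc.exe": looks like a document when extensions are hidden
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            return ("block", f"double extension .{parts[-2]}.{ext}")
        return ("block", f"executable extension .{ext}")
    if ext in ARCHIVE_EXTENSIONS:
        return ("inspect", f"archive .{ext}: inspect members")
    return ("allow", f".{ext}")


def classify_attachment(name, data=None, depth=0):
    """Classify an attachment; for ZIP archives also look at the member names."""
    verdict, reason = classify_name(name)
    if verdict != "inspect" or data is None:
        return (verdict, reason)
    if not name.lower().endswith(".zip"):
        # .rar/.7z need third-party parsers; hand them to a human or a sandbox
        return ("inspect", reason)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("suspicious", "has .zip extension but is not a readable ZIP")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member.endswith("/"):
                continue  # directory entry
            v, r = classify_name(member)
            if v in ("block", "suspicious"):
                return ("block", f"{member}: {r}")
            # Archive inside archive: recurse a few levels, then give up
            if v == "inspect" and member.lower().endswith(".zip") and depth < 3:
                inner = classify_attachment(member, zf.read(member), depth + 1)
                if inner[0] != "allow":
                    return (inner[0], f"{member}: {inner[1]}")
    return ("allow", "zip with no executable members")


def build_sample_zip(members):
    """Constructed sample: build an in-memory ZIP from {name: str or bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for n in ("Reconciliation act.docx", "Document.doc.exe", "Act.xls.js"):
        print(n, classify_name(n))
    print(classify_attachment("Act.zip", build_sample_zip({"Act.xls.js": "x"})))
```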

Ransomware viruses have gained great popularity since 2013. In June 2013 McAfee, a prominent company, released data showing that it had collected 250,000 unique samples of ransomware viruses in the first quarter of 2013, more than double the number detected in the first quarter of 2012.

In 2016 these viruses reached a new level by changing their principle of operation. In April 2016 information appeared about a new type of ransomware virus, Petya, which, instead of encrypting individual files, encrypts the MFT (master file table) of the file system, so that the operating system cannot find files on the disk and the entire disk is effectively encrypted.

Polymorphic virus

A virus that uses a metamorphic encryptor to encrypt the main body of the virus with a random key. Part of the information used to generate new copies of the encryptor may also be encrypted. For example, a virus can implement several encryption algorithms and, when creating a new copy, change not only the encryption commands but also the algorithm itself.

Virus classification by habitat

"Habitat" refers to the system areas of a computer, or the operating systems or applications into whose components (files) the virus code is embedded. By habitat, viruses can be divided into:

  • boot viruses;
  • file viruses;
  • macro viruses;
  • script viruses.

Under DOS, hybrid file-boot viruses were often encountered. After the mass transition to operating systems of the Windows family, both boot viruses themselves and the aforementioned hybrids practically disappeared. It is worth noting separately that viruses designed to work in the environment of a certain OS or application turn out to be inoperable in other operating systems and applications. Therefore the environment in which a virus can execute is distinguished as a separate attribute of the virus. For file viruses these are DOS, Windows, Linux, MacOS, OS/2; for macro viruses, Word, Excel, PowerPoint, Office. Sometimes the virus needs a specific version of the OS or application to work correctly, in which case the attribute is specified more narrowly: Win9x, Excel97.

File viruses

File viruses, when multiplying, use the file system of some (or any) OS in one way or another. They:

  • inject themselves into executable files in various ways (the most common type of virus);
  • create twin files (companion viruses);
  • create their own copies in different directories;
  • use features of the file system's organization (link viruses).

Everything connected to the Internet needs antivirus protection: 82% of detected viruses were "hidden" in PHP, HTML and EXE files.

The number of malware samples is steadily growing and may soon reach epidemic proportions. The spread of viruses in the digital world has no borders, and even with all the means available today it is no longer possible to neutralize the activity of the criminal cyber community. It is becoming ever harder to deal with hackers and virus writers who tirelessly improve their skills. Attackers have learned to hide the digital channels through which threats spread, which greatly complicates tracking and analysing their movement online. Distribution routes are also changing: where cybercriminals once preferred email to spread viruses, today real-time attacks are taking the lead. There is also a growth in malicious web applications, which have proved very convenient for attackers. Today hackers have learned to evade detection by traditional antivirus signatures, which for a number of reasons are doomed to fail when it comes to detecting web threats, said Govind Rammurthy, CEO and Managing Director of eScan MicroWorld. Judging by the samples examined by eScan, web threats prevail among malware: 82% of detected malware consists of PHP, HTML and EXE files, while MP3, CSS and PNG files account for less than 1%.

This clearly suggests that hackers choose the Internet rather than attacks through software vulnerabilities. The threats are polymorphic in nature, meaning malware can be effectively re-encoded remotely, which makes it difficult to detect. Therefore a high probability of infection is associated, among other things, with visiting websites. According to eScan MicroWorld, the number of redirecting links and hidden downloads (drive-by downloads) on hacked resources has increased by more than 20% over the past two months. Social media also seriously expands the possibilities for delivering threats.

Take, for example, a banner circulating on Facebook that invited the user to change the colour of the page to red, blue, yellow, etc. The tempting banner contained a link that directed the user to a fraudulent site. There, confidential information fell into the hands of attackers, who used it or sold it to various Internet organizations for illegal profit. Thus antiviruses based on traditional signatures are ineffective today, since they cannot reliably protect against web threats in real time. An antivirus based on cloud technologies, which receives information about threats from the "cloud," can handle these tasks.

Boot viruses

MosaicRegressor (virus)

Boot viruses write themselves either to the boot sector of the disk, or to the sector containing the Master Boot Record, or they change the pointer to the active boot sector. This type of virus was quite common in the 1990s but almost disappeared with the transition to 32-bit operating systems and the abandonment of floppy disks as the main way of exchanging information. Theoretically, boot viruses that infect CDs and USB flash drives are possible, but at the moment no such viruses have been detected.

Macro viruses

Many spreadsheet and graphics editors, design systems and word processors have their own macro languages to automate the execution of repetitive actions. These macro languages often have a complex structure and an advanced instruction set. Macro viruses are programs in the macro languages built into such data processing systems. To reproduce, viruses of this class use the capabilities of macro languages and with their help transfer themselves from one infected file (document or spreadsheet) to others.

Script viruses

Script viruses, like macro viruses, are a subgroup of file viruses. These viruses are written in various scripting languages (VBS, JS, BAT, PHP, etc.). They either infect other script programs (command and service files of MS Windows or Linux) or are parts of multi-component viruses. These viruses can also infect files of other formats (for example, HTML) if scripts can be executed in them.

Classifying viruses by how files are infected

Rewriting

This method of infection is the simplest: the virus writes its code in place of the code of the infected file, destroying its contents. Naturally, the file stops working and cannot be recovered. Such viruses reveal themselves very quickly, since the operating system and applications stop working soon after.

Parasitic

Parasitic include all file viruses, which, when distributing their copies, necessarily change the contents of the files, leaving the files themselves fully or partially functional. The main types of such viruses are viruses that write to the beginning of files (prepending), to the end of files (appending) and to the middle of files (inserting). In turn, viruses are injected into the middle of files by various methods - by transferring a part of the file to its end or copying its code into deliberately unused file data (cavity viruses).

Virus injection at the beginning of the file

Two methods of introducing a parasitic file virus at the beginning of a file are known. In the first, the virus moves the beginning of the infected file to its end and copies itself into the vacated space. In the second, the virus appends the infected file to its own body.

Thus, when the infected file is run, the virus code gets control first. To keep the program working, such viruses either disinfect the infected file, run it again, wait for it to finish and then write themselves back to its beginning (sometimes a temporary file holding the neutralized file is used for this), or restore the program code in the computer's memory and set up the necessary addresses in its body (i.e. duplicate the work of the OS loader).

Embedding a virus at the end of the file

The most common way to inject a virus into a file is to add the virus to its end. In this case, the virus changes the beginning of the file so that the first executable commands of the program contained in the file are virus commands. In order to get control at the start of the file, the virus corrects the start address of the program (entry point address). To do this, the virus makes the necessary changes to the file header.

Virus injection in the middle of the file

There are several methods to embed a virus in the middle of a file. In the simplest of them, the virus transfers part of the file to its end or "pushes" the file and writes its code to the empty space. This method is very similar to the methods listed above. Some viruses at the same time compress the transferred block of the file so that the length of the file does not change during infection.

The second is the "cavity" method, in which the virus is written to deliberately unused areas of the file. The virus can be copied into unused header areas of an EXE file, into "holes" between sections of EXE files, or into the text message area of popular compilers. There are viruses that infect only those files that contain blocks filled with some constant byte, with the virus writing its code in place of such a block.

In addition, copying a virus to the middle of the file can occur as a result of a virus error, in which case the file can be irreversibly corrupted.

Viruses without an entry point

Separately, a rather small group of viruses that have no "entry point" (EPO viruses, Entry Point Obscuring viruses) should be noted. These are viruses that do not change the entry point address in the EXE file header. Such viruses write a jump to their code somewhere in the middle of the file and receive control not directly when the infected file starts, but when a procedure containing the control transfer to the virus body is called. Moreover, this procedure may be executed extremely rarely (for example, when displaying a message about some specific error). As a result, the virus can "sleep" inside the file for years and break out only under certain limited conditions.

Before writing a jump to its code in the middle of the file, the virus must select the "correct" address in the file; otherwise the infected file may be corrupted. Several methods by which viruses determine such addresses within files are known, such as searching the file for standard procedure prologue code of a programming language (C/Pascal), disassembling the file's code, or replacing the addresses of imported functions.
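The appending infectors described above change the entry point in the PE header, while EPO infectors leave it alone, so a defender's file check has to look at more than the entry point. The following is an added example (not code from the original page): a minimal PE header parser with a few structural heuristics, exercised on a constructed header-only PE32 image; the section names and layout are assumptions for the test.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections); each section is (name, rva, vsize, flags)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i  # section table follows the optional header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva = struct.unpack_from("<II", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, rva, vsize, flags))
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristics for an appending infector; an empty list means nothing odd."""
    entry_rva, sections = parse_pe(data)
    hits = [i for i, (_, rva, vsize, _) in enumerate(sections) if rva <= entry_rva < rva + vsize]
    if not hits:
        return ["entry point lies outside every section"]
    idx = hits[0]
    name, _, _, flags = sections[idx]
    findings = []
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point in last section '{name}' (appending-infector pattern)")
    if not flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{name}' is not marked executable")
    for n, _, _, f in sections:  # independent of where the entry point is
        if f & IMAGE_SCN_MEM_EXECUTE and f & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section '{n}' is both executable and writable")
    return findings


def build_pe(entry_rva, sections):
    """Constructed sample: a header-only PE32 image (no real code) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    opt_size = 96  # PE32 optional header without data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, rva, vsize, 0, 0, 0, 0, 0, flags)
        for name, rva, vsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN = build_pe(0x1010, [(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA)])
# Appending-infector pattern: an extra last section, entry point moved into it
APPENDED = build_pe(0x4020, [(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA),
                             (".last", 0x4000, 0x800, CODE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    print("clean:", entry_point_findings(CLEAN))
    print("appended:", entry_point_findings(APPENDED))
```

To run it on a real file, pass `open(path, "rb").read()` to `entry_point_findings`; packers and some linkers trigger the same findings, so treat them as triage signals rather than verdicts.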

Companion viruses

Companion viruses are viruses that do not modify the infected files. Their algorithm is to create a twin file for the infected file, so that when the infected file is launched it is this twin, that is, the virus, that gets control.

Viruses of this type include those that, when infected, rename the file to some other name, remember it (for the subsequent launch of the host file) and write their code to disk under the name of the infected file. For example, NOTEPAD.EXE is renamed NOTEPAD.EXD, and the virus is written under the name NOTEPAD.EXE. When started, the control gets the virus code, which then runs the original NOTEPAD.

Other types of companion viruses may exist that use other original ideas or features of other operating systems. For example, PATH companions place their copies in the main Windows directory, exploiting the fact that this directory is the first in the PATH list, so files to be run are searched for in it first. Many computer worms and Trojan programs also use this self-starting method.
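Both companion tricks just described leave a trace on disk: a twin file next to the original (NOTEPAD.EXE beside NOTEPAD.EXD) and an executable in an early PATH directory that shadows the same name further down the PATH. The following is an added example (not code from the original page) that audits a PATH for both patterns; the directory listing used in the test is constructed, and `listing_from_disk` reads real directories.

```python
import os

EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd"}


def listing_from_disk(path_dirs):
    """Read real directory contents; unreadable or missing directories count as empty."""
    listing = {}
    for d in path_dirs:
        try:
            listing[d] = set(os.listdir(d))
        except OSError:
            listing[d] = set()
    return listing


def find_path_shadowing(path_dirs, listing):
    """Executables that an earlier PATH directory hides from a later one.

    Returns [(file name, shadowing dir, shadowed dir)] in PATH order.
    """
    first_seen = {}
    findings = []
    for d in path_dirs:
        for name in sorted(listing.get(d, ())):
            key = name.lower()
            if key.rsplit(".", 1)[-1] not in EXECUTABLE_EXTENSIONS:
                continue
            if key in first_seen:
                findings.append((name, first_seen[key], d))
            else:
                first_seen[key] = d
    return findings


def find_twin_files(listing):
    """Same stem in one directory with an executable plus another extension,
    e.g. NOTEPAD.EXE next to NOTEPAD.EXD. Returns [(dir, stem, sorted extensions)]."""
    findings = []
    for d, names in listing.items():
        stems = {}
        for name in names:
            if "." not in name:
                continue
            stem, ext = name.lower().rsplit(".", 1)
            stems.setdefault(stem, set()).add(ext)
        for stem, exts in sorted(stems.items()):
            if len(exts) > 1 and exts & EXECUTABLE_EXTENSIONS:
                findings.append((d, stem, sorted(exts)))
    return findings


# Constructed listing (assumption) that mimics the two patterns described above.
PATH_DIRS = ["C:\\Windows", "C:\\Windows\\System32"]
SAMPLE_LISTING = {
    "C:\\Windows": {"helper.exe", "NOTEPAD.EXE", "NOTEPAD.EXD", "win.ini"},
    "C:\\Windows\\System32": {"helper.exe", "cmd.exe", "kernel32.dll"},
}

if __name__ == "__main__":
    print(find_path_shadowing(PATH_DIRS, SAMPLE_LISTING))
    print(find_twin_files(SAMPLE_LISTING))
    real_dirs = os.environ.get("PATH", "").split(os.pathsep)  # this machine's PATH
    real = listing_from_disk(real_dirs)
    print(find_path_shadowing(real_dirs, real))
```

A `.exe` beside a `.dll` or `.pdb` of the same name is normal, so twin-file hits are review items; the shadowing check is the stronger signal when the earlier copy is newer than the one it hides.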

Link viruses

Link viruses do not change the physical contents of files, but when an infected file is started they "force" the OS to execute their code. They achieve this by modifying the necessary file system fields.

File worms

File worms do not in any way associate their presence with any executable file. When multiplying, they only copy their code to any disk directories in the hope that these new copies will ever be started by the user. Sometimes these viruses give their copies "special" names to push the user to run their copy - for example, INSTALL.EXE or WINSTART.BAT.

Some file worms can write their copies to archives (ARJ, ZIP, RAR). Others write the command to run the infected file into BAT files.

OBJ-, LIB-viruses and viruses in source texts

Viruses that infect compiler libraries, object modules and program sources are quite exotic and practically not common. There are about a dozen of them in total. Viruses that infect OBJ- and LIB-files write their code to them in the format of an object module or library. The infected file is thus not executable and is incapable of further spreading the virus in its current state. The carrier of the "live" virus is the COM or EXE file obtained during the linking of the infected OBJ/LIB file with other object modules and libraries. Thus, the virus spreads in two stages: on the first, OBJ/LIB files are infected, at the second stage (linking) a workable virus is obtained.

Infection of the source code of the programs is a logical continuation of the previous reproduction method. In this case, the virus adds its source code to the source texts (in this case, the virus must contain it in its body) or its hexadecimal dump (which is technically easier). The infected file is capable of further spreading the virus only after compilation and linking.

Bootkit

Main article: Bootkit

Distribution

Unlike worms (network worms), viruses do not use network services to penetrate other computers. A copy of the virus reaches remote computers only if the infected object is activated on another computer for some reason that does not depend on the functionality of the virus, for example:

  • when infecting accessible disks, the virus penetrated files located on a network resource;
  • the virus copied itself to removable media or infected files on it;
  • the user sent an email with an infected attachment.

Interesting facts

Kaspersky Lab specialists prepared in the summer of 2012 a list of the 15 most notable malicious programs that have left their mark on history:

  • 1986 Brain - the first computer virus; it spread by writing its own code to the boot sector of floppy disks.
  • 1988 Morris worm infected about 10% of computers connected to the Internet (i.e. about 600 computers).
  • 1992 Michelangelo - the first virus to attract media attention.
  • 1995 Concept - the first macro virus.
  • 1999 Melissa marked the onset of an era of massive malware mailings leading to global epidemics.
  • On April 26, 1999, the first global computer disaster occurred, caused by the "Chernobyl" virus, also known as CIH. According to various sources, about half a million computers around the world were affected, and never before had the consequences of a virus epidemic been so large or accompanied by such serious losses.
  • 2003 Slammer is a fileless worm that has caused a large-scale epidemic around the world.
  • 2004 Cabir - the first experimental virus for Symbian; distributed via Bluetooth.
  • 2006 Leap is the first virus for the Mac OS X platform.
  • 2007 Storm Worm [Zhelatin] - for the first time used distributed command servers to manage infected computers.
  • 2008 Koobface is the first virus to purposefully attack users of the social network Facebook.
  • 2008 Conficker - a computer worm that caused one of the largest epidemics in history, as a result of which computers of companies, home users and government organizations in more than 200 countries were infected.
  • 2010 FakePlayer is an SMS Trojan for Android smartphones.
  • 2010 Stuxnet - a worm with which a targeted attack on SCADA (Supervisory Control And Data Acquisition) systems was carried out, marking the beginning of the era of cyber warfare.
  • 2011 Duqu is a complex Trojan program that collects information from industrial facilities.
  • 2012 Flame is a complex malware that is actively used in several countries as a cyber weapon. In terms of complexity and functionality, the malware surpasses all previously known types of threats.

Panda Security: 2010 Virus Ranking

  • Evil Mac lover: This name was given to a remote access program with the frightening name RebelAda (HellRaiser.A). It only affects Mac systems and requires user permission to install on a computer. If the victim installs it, the program will receive full remote access to the computer and will be able to perform a number of functions... up to opening the drive!
  • Good Samaritan: Surely some have already guessed what this is about... This is a Bredolab.Y file. It is disguised as a Microsoft support message that alerts you to urgently install a new security patch for Outlook... But be careful! If you download the proposed file, a fake Security Tool will automatically be installed on your computer, which will warn you about a system infection and the need to buy a security solution to combat the virus. If you pay for the proposed program, then, of course, you will never receive it, it will not solve your problem, and you will not return the money.
  • Linguist of the Year: Without a doubt, times are difficult... And hackers are increasingly forced to adapt to new trends and do everything possible to catch the next victim. The tricks they are ready to use to deceive users know no boundaries! They are even ready to learn foreign languages. So we decided to give the Linguist of the Year award to a virus called MSNWorm.IE. This virus, which in itself is nothing special, spreads through messaging programs, inviting users to look at a photo... in 18 languages! Although the emoticon at the end remains universal: ":D..."

So, if you want to find out how to say "Watch a photo" in another language, this list will save you time:

Spanish: mira esta fotografia :D
English: seen this?? :D
look at this picture :D
Portuguese: olhar para esta foto :D
French: regardez cette photo :D
German: schau mal das foto an :D
Italian: guardare quest'immagine :D
Dutch: bekijk deze foto :D
Swedish: titta på min bild :D
Danish: ser på dette billede :D
Norwegian: se på dette bildet :D
Finnish: katso tätä kuvaa :D
Slovenian: poglej to fotografijo :D
Slovak: pozrite sa na túto fotografiu :D
Czech: podívejte se na mou fotku :D
Polish: spojrzec na to zdjecie :D
Romanian: uita-te la aceasta fotografie :D
Hungarian: nézd meg a képet :D
Turkish: bu resmi bakmak :D
  • Most daring: In 2010 Stuxnet.A receives this award. If a soundtrack had to be chosen for this threat, it would be something like "Mission Impossible" or "The Saint." This malicious code was designed to attack supervisory control and data acquisition systems, i.e. critical infrastructure. The worm exploits a Microsoft USB security flaw to gain access to the very core of a nuclear power plant... Sounds like the plot of a Hollywood movie!
  • Most annoying: Remember what viruses used to be? Having infected your computer once, they constantly asked: "Are you sure you want to finish working with the program? - Yes - No?" Regardless of your answer, the same question has appeared over and over again: "Are you sure you want to finish working with the program?," Capable of upsetting even a saint... This is how the most annoying worm of 2010 - Oscarbot.YQ. Once installed, you can start praying, meditating, or sitting in a yoga position because it will drive you crazy. Every time you try to close the program, you will see a window with a different question, and more, and more... Most annoying of all, it's inevitable.
  • Safest worm: Clippo.A. This name may remind some users of the name Clippy (Clip) - the nickname of the assistant in Microsoft Office in the form of a paper clip. It is the safest worm in existence. After installation on the computer, it protects all documents with a password. Thus, when the user tries to reopen the document, he will not be able to do so without a password. Why does the virus do this? The most interesting thing is just like that! No one offers to buy a password or purchase an antivirus. It's done simply to annoy you. However, those users who have been infected are not funny at all, since there are no visible symptoms of infection.
  • Victim of the crisis: Ramsom.AB. The economic crisis has affected many people around the world, including cyber criminals. A few years ago the so-called "ransomware" (viruses that block a computer and ask for a ransom) demanded more than $300 for unlocking. Now, because of the crisis, the recession and competition among cyber scammers, victims are invited to buy their computer back for just $12. Difficult times have come... one almost feels sorry for the hackers.
  • The most economical: in 2010 SecurityEssentials2010 became the winner in this category (a fake, of course, not the official MS antivirus). This malicious code acts like any other fake antivirus: it informs the user that the computer has been attacked by viruses and can be saved only by buying this antivirus. The design of the fake antivirus is very convincing; the messages and windows look very believable. So be careful, and don't take it at its word.

Concluding the "Virus Rating 2010," we would like to emphasize the "Insect of the Year": the Mariposa botnet, which appeared in March 2010. Recall that Mariposa infected about 13 million computers around the world. However, thanks to the cooperation of Panda Security, the Spanish Civil Guard, the FBI and military intelligence, the creators of this botnet were arrested.
