Monday, August 13, 2007
Viruses with images: a long tradition of malicious symbiosis
One of the most common ruses used by the writers of computer viruses to spread their creations to as many computers as possible is the use of images. They are sometimes used to grab users' attention and get them to open the infected files. On other occasions, it is quite the opposite: they serve to distract users while the virus is carrying out other actions, such as sending out messages en masse or deleting files from the system. Sometimes images are used simply as a kind of signature, so that victims can see that the computer has been attacked by a specific malicious code.
There are actually relatively few viruses that use images, given the fact that the size of such files can prevent the malicious code from spreading easily. This at least is good news, because these types of threats are often highly effective at infecting computers.
A wide variety of images have been used by virus creators, although the tendency to use sexually explicit pictures is well established. Recent examples of malicious code that exploits images include Tasin.C, which downloads and runs an erotic image of a well-known Spanish celebrity, or Mugly.A, a worm that displays a grotesque face on screen.
Throughout the history of computer viruses there have been many others that use this ploy. Monopoly displayed a picture of the board of this famous game, but with a photograph of Bill Gates in the logo. The Fly produced a picture of a set of teeth with a squashed fly embedded in them. Other classic examples include Cookie, which interrupts users' work by showing a famous child asking for a cookie, and Ambulance.760.A, a virus that caused a picture of an ambulance to go back and forward across the screen.
As mentioned before, images have sometimes been used for ends other than ensuring that the malicious code spreads across the Internet and can be designed to hide the real payload of the virus. For this reason many of them are simply imitation system error messages or dialog boxes. Along these lines, there have even been viruses using imitation corporate web pages such as Gimared.A, or Gibe.C, which displayed an image of the Microsoft website.
Similarly, virus authors have often resorted to startling images, possibly in an attempt to get people to pass them on to others. One example is GhostGirl, which, as the name suggests, displays a ghostly image of a young girl.
In any event, all users should ensure they have a good antivirus installed and updated, in order to deal with any such malicious images before it is too late.
Computer virus
As with all code, viruses use the host's resources: memory and hard disk space, amongst others, and are sometimes deliberately destructive (erasing files / formatting hard disks) or allow others to access the machine without authorization across a network.
The term is often used in common parlance to describe all kinds of malware (malicious software), including those that are more properly classified as worms or trojans. Most popular anti-viral software packages defend against all of these types of attack.
There are a few relatively "harmless" viruses that have been written to perform a simple task (such as flashing a single message onto the user's computer screen). A small percentage of viruses are the result of computer code that operates in an unexpected manner, but the majority of viruses are programs deliberately written to interfere with, or damage, other programs or computer systems.
The term "virus" was first used in this sense in print by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it. However, a mid-1970s science fiction novel by David Gerrold, When H.A.R.L.I.E. was One, includes a description of a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "ANTIBODY"); and John Brunner's 1975 novel The Shockwave Rider describes programs known as "tapeworms" which spread through a network for the purpose of deleting data. The term "computer virus" with current usage also appears in the comic book "Uncanny X-Men" No. 158, published in 1982. Therefore, we may conclude that although Cohen's use of "virus" may, perhaps, have been the first "academic" use, it had been in the common parlance long before that.
A program called "Elk Cloner" is credited with being the first computer virus to appear "in the wild" -- that is, outside the single computer or lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk.
Since the mid-1990s, viruses which infect operating systems or applications directly have been eclipsed by macro viruses. Written in the scripting languages for Microsoft programs such as Word and Outlook, these viruses spread in the Windows monoculture by infecting documents and sending infected e-mail. Although Windows is the most popular operating system for virus writers, viruses numbering in the single digits have been seen on Mac OS X. Some viruses also exist on other Unix based OSes. It is important to note that any operating system that allows third-party programs to run can theoretically run viruses. However, some operating systems are less secure than others. Unix-based OSes (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their protected space in their own directories.
Nature of viruses
While viruses can be (and often are) malicious, destroying data, many are fairly benign or merely annoying (for example, displaying a message to the user). Many such viruses have a delayed payload, playing a message on a specific holiday, day of the month, or time of day; or waiting for a certain number of infections or reboots, or randomly occurring with a small chance. The predominant destructive effect of viruses is their uncontrolled self-reproduction, which wastes or overwhelms computer resources. "Good" viruses have also appeared that spread improvements to the programs they infected, or delete other viruses. These are, however, quite rare, still consume system resources, and may accidentally damage systems they
Anatomy of viruses
Most viruses just consist of a finder and a replicator. The finder is responsible for finding new and yet uninfected files. For each new executable file the finder finds, it calls for the replicator to infect that file. The replicator's task is to 1) open the new file, 2) append the virus code to the executable file, 3) save the executable's starting point, 4) change the executable's starting point so that it points to the location where the newly copied virus code starts, 5) save the old start-of-execution point to the virus in such a way that the virus branches to that location right after its execution, 6) save the changes to the executable file, and 7) return to the finder so that it can find new files for the replicator to infect.
However, this only applies to quite simple viruses. Most viruses also contain some sort of bomb that goes off when a certain condition is met. A bomb is mostly located at the beginning of the virus, and it might for example try to erase all files on the computer at a certain date, such as any Friday that falls on the 13th day of a month. In addition, some viruses also encrypt their code before injecting it into new executables to avoid detection by antivirus software. Such viruses must, obviously, decrypt their code before running it. In order to do that, such viruses have a decryption engine at the very beginning of their body and an already encrypted encryption engine somewhere in their replicator.
Mostly, the decryption for viruses is fairly simple and done by XORing each byte with a randomized key that was saved by the parent virus. Most often, the encryption and decryption engines are the same, but used with different keys for the XORing. See XOR for more information about that.
However, while not being able to detect the actual virus code (because it is encrypted), antivirus software can still detect the decryption engine located at the front of the body of such viruses by comparing the byte pattern of the decryption engine. To avoid such detection, some state-of-the-art viruses mutate their decryption engines for each new copy of themselves. Such viruses are said to be polymorphic, and are much harder to detect. To enable polymorphic code, the virus has to have a mutating engine somewhere in its encrypted body.
Replication Strategies
A virus requires several features from its host software to successfully duplicate itself. It must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to useful programs, in the hope that users will run those programs (and therefore the virus). Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of personal computers, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk.
As bulletin board systems and online software exchange became popular in the late 1980s and early 1990s, more viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBSes. Within the "pirate scene" of hobbyists trading illicit copies of commercial software, traders in a hurry to obtain the latest applications and games were easy targets for viruses. Many personal computers are now connected to the Internet and to local-area networks. Today's viruses take advantage of standard network protocols such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms.
Hiding Strategies
In order to stay alive, some well-written viruses employ different kinds of obfuscation. Some old viruses (especially in MS-DOS) alter the information attached to the files they infect, such as the "last modified" date and the recorded file size. Antivirus software that just searches for recently edited files or files that have changed in size will not notice the virus's presence in this case. Note that changing the information stored about the size of the file is not the same thing as actually changing the size of the file under MS-DOS. This approach does not fool modern antivirus software.
Another hiding technique, a method DOS-era viruses commonly used to spread, is to infect the hard disk drive instead of the files saved on it. At bootstrap the computer runs the code located in the boot sector, which has been replaced by virus code. The virus loads itself from the hard disk into memory and makes itself memory resident, then loads the original boot sector into memory and transfers control to the code in it. This way, not even the operating system notices the presence of the virus.
As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. The stealth methods of modern viruses often try to exploit the failings of modern antivirus software in trying to detect viral presence. Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them. If they find a byte pattern that corresponds to any specific virus pattern, the antivirus software tries to remove, contain, or delete the virus/file.
The CIH virus, or Chernobyl Virus, infected Portable Executable files. Because those files had many empty gaps, the virus, which was 1 kilobyte in length, did not add to the size of the file.
Modern state-of-the-art viruses try to encrypt themselves in order to avoid being detected by an antivirus search. This is often done with a combination of encryption and self-modifying code. A virus that uses this technique is said to be polymorphic.
There are usually two different parts of the virus when we speak of polymorphic viruses: the encryption/decryption engine and the infector. The crypto engine encrypts/decrypts the infector. Each time the virus runs it uses a different crypto key. The crypto engine cannot encrypt itself, because if it did, there would be no code to decrypt the engine next time the virus ran. Therefore, the crypto engine has to use a form of self-modifying code to modify itself differently each time it runs, without any part of the original algorithm getting lost. This is possible to do with a good knowledge of assembly language and the use of polymorphic code.
Viruses and popular software
Another analogy to biological viruses is worth noting: just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses.
This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office software. Users of Microsoft software (especially networking software such as Microsoft Outlook and Microsoft Internet Explorer) are particularly vulnerable to the spread of viruses.
Integrated applications, applications with scripting languages with access to the file system (e.g. Visual Basic Script, or VBS), and applications with networking features are also particularly vulnerable.
Viruses and software development
Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit software bugs in a system or application to spread. Software development strategies which produce large numbers of bugs will generally also produce potential exploits.
Closed-source software development as practiced by Microsoft and other commercial software companies is also seen by some as a security weakness. Open source software such as Linux, for example, allows all users to find and fix security problems without relying on a single vendor. Some advocate that commercial software makers practice vulnerability disclosure to ameliorate this weakness.
Countermeasures
Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or mounts the executable. Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type; some antivirus vendors also claim the effective use of other types of heuristic analysis. Some industry groups do not like this practice because it often increases the number of false positives the anti-virus software detects. Virus scanners work by examining the contents of the computer's memory (its RAM, and boot sector) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus signatures. Some anti-virus programs are able to scan opened files in addition to sent and received emails 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must therefore update their software regularly to patch security holes. Anti-virus software also needs to be updated in order to gain knowledge about the latest threats and hoaxes.
A well-patched and well-maintained Unix system is very well-secured against viruses. Windows has the same type of scripting ability as Unix-based systems, but doesn't natively block normal users from executing such scripts written by a third party as Unix does for users who are not running as root. More recently, Microsoft's Outlook (but not Outlook Express) e-mail client has developed similar features when dealing with executable file types that Outlook may download as attachments. Ordinary users would do well to patch their operating systems and e-mail clients to prevent viruses and worms from reproducing through security "holes" which prudence (and most virus scanners) are unable to prevent.
Computer worm
The name 'worm' was taken from The Shockwave Rider, a 1970s science fiction novel by John Brunner. Researchers writing an early paper on experiments in distributed computing noted the similarities between their software and the program described by Brunner and adopted the name.
The first worm to attract wide attention, the Morris worm, was written by Robert Tappan Morris, Jr. at the MIT Artificial Intelligence Laboratory. It was released on November 2, 1988, and quickly infected a great many computers on the Internet at the time. It propagated through a number of bugs in BSD Unix and its derivatives. Morris himself was convicted under the US Computer Crime and Abuse Act and received 3 years' probation, community service and a fine in excess of $10,000.
In addition to replication, a worm may be designed to do any number of things, such as delete files on a host system or send documents via email. More recent worms may be multi-headed and carry other executables as a payload. However, even in the absence of such a payload, a worm can wreak havoc just with the network traffic generated by its reproduction. Mydoom, for example, caused a noticeable worldwide Internet slowdown at the peak of its spread.
A common payload is for a worm to install a backdoor in the infected computer, as was done by Sobig and Mydoom. These zombie computers are used by spam senders for sending junk email or to cloak their website's address.[1] Spammers are thought to pay for the creation of such worms [2] [3], and worm writers have been caught selling lists of IP addresses of infected machines.[4] Others try to blackmail companies with threatened DDOS attacks.[5] The backdoors can also be exploited by other worms, such as Doomjuice, which spreads using the backdoor opened by Mydoom.
Whether worms can be useful is a common theoretical question in computer science and artificial intelligence. The Nachi family of worms, for example, tried to download then install patches from Microsoft's website to fix various vulnerabilities in the host system (the same vulnerabilities that they exploited). This eventually made the systems affected more secure, but generated considerable network traffic, rebooted the machine in the course of patching it, and, maybe most importantly, did its work without the explicit consent of the computer's owner or user. As such, most security experts deprecate worms, whatever their payload.
Trojan horse
A simple example of a Trojan horse is a program named "SEXY.EXE" that is posted with a promise of "hot pix"; but, when run, it erases all the files it can find and displays the message "arf, arf, I got you!".
On the Microsoft Windows platform, an attacker might attach a Trojan with an innocent-looking filename to an email message which entices the recipient into opening the file. The Trojan itself is typically a Windows executable program file, usually with a filename extension such as .exe, .scr, .bat, or .pif to let Windows know that it can be executed. Since Windows is configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe' so that the user only sees 'Readme.txt' and thinks it is a harmless text file. When the recipient double-clicks on the attachment, the Trojan might really do what the user expects it to do (like, opening a text file), so as to keep him unaware of its true intentions; meanwhile, however, it secretly modifies or deletes files, changes the configuration of his computer, or even uses his computer as a base from which to attack his or other networks. For example, trojans are often used to set up networks of zombie computers from which DDoS attacks can be launched, or which can be used to send spam.
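The masked-extension trick described above can be checked for on the receiving side. The following is an added example, not part of the original post: a Python filter that flags attachment names whose real (last) extension is executable. The executable extensions are the ones listed in the text; the decoy list and all function names are assumptions made for this illustration.

```python
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

# Extensions the text lists as directly executable on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".pif"}
# Assumption: document/media extensions a user would read as harmless.
DECOY_EXTS = {".txt", ".doc", ".rtf", ".pdf", ".jpg", ".gif", ".htm", ".zip"}


class Finding(NamedTuple):
    verdict: str             # "allow", "executable" or "masked-executable"
    real_extension: str      # the extension Windows acts on (lower-cased)
    shown_as: Optional[str]  # name displayed when known extensions are hidden


def split_extension(filename: str):
    """Return (stem, extension) the way Windows resolves the name."""
    # Keep only the final path component, whatever separators the sender used.
    name = PureWindowsPath(filename).name
    # Win32 drops trailing dots and spaces, so "a.exe. " is still "a.exe".
    name = name.rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    # Extension matching on Windows is case-insensitive.
    return stem, "." + ext.lower()


def classify_attachment(filename: str) -> Finding:
    """Flag executables, and separately those hiding behind a decoy extension."""
    stem, real_ext = split_extension(filename)
    if real_ext not in EXECUTABLE_EXTS:
        return Finding("allow", real_ext, None)
    # With extensions hidden the user sees only the stem; check what it ends in.
    _, inner_ext = split_extension(stem)
    if inner_ext in DECOY_EXTS:
        return Finding("masked-executable", real_ext, stem)
    return Finding("executable", real_ext, stem)


if __name__ == "__main__":
    # Constructed sample names.
    samples = ["Readme.txt.exe", "setup.EXE", "notes.txt",
               "C:\\mail\\Invoice.PDF.scr. ", "README"]
    for sample in samples:
        print(f"{sample!r:32} -> {classify_attachment(sample)}")
```

A mail gateway would normally reject both flagged verdicts; the separate "masked-executable" verdict is useful for reporting, since it marks names built to mislead the recipient.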
Some Trojans do not infect other programs and are usually easily deleted, but others are much more dangerous. The MyDoom epidemic in early 2004 was spread by using Trojan-horse attachments in email with a terse message saying that the attachment could not be delivered, making users curious to open it and see what it was. (MyDoom is technically a worm, since it spreads itself to other computers by sending infected email attachments, but it depends on users double-clicking on the attachments to actually infect their computers.)
An early Trojan horse was the 1975 ANIMAL program, a game to identify an animal but which also spread itself to other users on UNIVAC Exec 8 computers.
How does anti-virus software work?
Anti-virus software typically uses two different techniques to accomplish this:
1) Examining files to look for known viruses by means of a virus dictionary
2) Identifying suspicious behavior from any computer program which might indicate infection
Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.
Virus dictionary approach
In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can then either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file.
To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.
Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, and closes them; and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can also typically be scheduled to examine all files on the user's hard disk on a regular basis.
Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary.
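An added example (not part of the original post) covering both the dictionary approach here and the single-key XOR encryption described under "Anatomy of viruses": a plain signature scan misses a body XORed with a one-byte key, while an "X-ray" scan that compares the XOR of adjacent bytes finds it under any key. The signature name, the marker string and the sample buffers are constructed and harmless.

```python
# Constructed signature dictionary: detection name -> byte pattern.
# The marker is a harmless ASCII string, not code from any real malware.
SIGNATURES = {
    "Demo.Marker.A": b"HARMLESS-DEMO-SIGNATURE-0001",
}


def scan_plain(data: bytes, signatures=SIGNATURES):
    """Classic dictionary scan: (name, offset) for every literal match."""
    hits = []
    for name, pattern in signatures.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return sorted(hits, key=lambda hit: hit[1])


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key."""
    return bytes(b ^ key for b in data)


def xor_delta(data: bytes) -> bytes:
    """XOR of each byte with its successor.

    (a ^ k) ^ (b ^ k) == a ^ b, so this sequence is identical for a buffer
    and for the same buffer XORed with any single-byte key k.
    """
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def scan_xray(data: bytes, signatures=SIGNATURES):
    """(name, offset, key) for patterns present under any one-byte XOR key.

    One pass per signature instead of 256 trial decodings. Key 0 means the
    pattern is present in the clear. Patterns must be at least 2 bytes long.
    """
    hits = []
    data_delta = xor_delta(data)
    for name, pattern in signatures.items():
        pattern_delta = xor_delta(pattern)
        offset = data_delta.find(pattern_delta)
        while offset != -1:
            # Equal deltas mean data[offset + i] ^ pattern[i] is constant.
            key = data[offset] ^ pattern[0]
            hits.append((name, offset, key))
            offset = data_delta.find(pattern_delta, offset + 1)
    return sorted(hits, key=lambda hit: hit[1])


def build_samples():
    """Two constructed buffers: marker in the clear, marker XORed with 0x5A."""
    filler = bytes(range(32, 64))
    marker = SIGNATURES["Demo.Marker.A"]
    plain = filler + marker + filler
    encoded = filler + xor_bytes(marker, 0x5A) + filler
    return plain, encoded


if __name__ == "__main__":
    plain, encoded = build_samples()
    print("plain scan, clear buffer  :", scan_plain(plain))
    print("plain scan, XORed buffer  :", scan_plain(encoded))
    print("x-ray scan, XORed buffer  :", scan_xray(encoded))
```

This only covers a fixed one-byte key. A body whose key changes along its length is not found this way, which is why scanners fall back on matching the decryption engine, and why polymorphic engines that mutate it are harder to detect.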
Suspicious behavior approach
The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do.
Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has become especially worse over the past 7 years, since many more non-malicious program designs chose to modify other .exe files without regard to this false-positive issue. Thus, most modern anti-virus software uses this technique less and less.
Other ways to detect viruses
Some antivirus software will try to emulate the beginning of the code of each new executable that is being executed before transferring control to the executable. If the program seems to be using self-modifying code or otherwise appears to be a virus (it immediately tries to find other executables), one could assume that the executable has been infected with a virus. However, this method results in a lot of false positives.
Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.
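An added example, not part of the original post, of the change analysis a sandbox performs after a run. It also shows why the size and date checks described under "Hiding Strategies" are not enough: the snapshot records SHA-256 hashes, so a same-size modification whose original timestamp has been put back is still reported. File names and function names are constructed for this illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root to (size, mtime_ns, sha256 of its content)."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            info = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            key = path.relative_to(root).as_posix()
            state[key] = (info.st_size, info.st_mtime_ns, digest)
    return state


def diff_metadata(before, after):
    """Files whose recorded size or modification time changed (the weak check)."""
    common = before.keys() & after.keys()
    return sorted(n for n in common if before[n][:2] != after[n][:2])


def diff_content(before, after):
    """Added, removed and content-modified files, judged by hash."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(n for n in common if before[n][2] != after[n][2]),
    }


def demo():
    """Constructed run: one file changed in place, one new file dropped."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "tool.bin"
        target.write_bytes(b"A" * 64)
        (Path(root) / "notes.txt").write_text("unchanged")
        before = snapshot(root)

        # Constructed change standing in for the monitored program's effects:
        # same length, original timestamps put back, as the text describes.
        original = target.stat()
        target.write_bytes(b"A" * 32 + b"B" * 32)
        os.utime(target, ns=(original.st_atime_ns, original.st_mtime_ns))
        (Path(root) / "dropped.bin").write_bytes(b"new file")

        after = snapshot(root)
        return diff_metadata(before, after), diff_content(before, after)


if __name__ == "__main__":
    by_metadata, by_content = demo()
    print("size/date check reports:", by_metadata)
    print("hash check reports     :", by_content)
```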
Issues of concern
Macro viruses, arguably the most destructive and widespread computer viruses, could be prevented far more inexpensively and effectively, and without the need of all users to buy anti-virus software, if Microsoft would fix security flaws in Microsoft Outlook and Microsoft Office related to the execution of downloaded code and to the ability of document macros to spread and wreak havoc.
User education is as important as anti-virus software; simply training users in safe computing practices, such as not downloading and executing unknown programs from the Internet, would slow the spread of viruses, without the need of anti-virus software. Computer users should not always run with administrator access to their own machine. If they would simply run in user mode then some types of viruses would not be able to spread.
The dictionary approach to detecting viruses is often insufficient due to the continual creation of new viruses, yet the suspicious behavior approach is ineffective due to the false positive problem; hence, the current understanding of anti-virus software will never conquer computer viruses.
How to safely download files from the Internet
The biggest risk when carrying out a download from the Internet is that the file in question can contain a computer virus. This becomes even more serious in the case of downloads from P2P (Peer-to-Peer) applications, given that there are a large number of viruses disguised under attractive names for the users. In this way, if they are downloaded and executed the system will become infected. In any case, it does not matter in which way the file is downloaded. Even if the download is an HTTP download, or through the P2P networks or from an FTP server, the risk of downloading infected files is very high.
As such, even if the download of a file went smoothly and the user used their new program without any problem, the equipment can have been infected with some kind of malicious code. This could be anything from Trojans designed to steal data or create backdoors in the computers, to spyware
It should be taken into account that the inclusion in a file of a Trojan that creates a backdoor in the equipment is very advantageous for the hacker in question, who can even know from which IP the download has been made in order to connect directly to it.
How to download files from the Internet safely
The first basic rule for downloading files safely from the Internet is to be cautious. An enormous variety of 'underground' pages exist that offer browsers the possibility of downloading interesting applications. However, this is at best a dubious source and many of these downloads could be infected by a virus. The best idea is therefore to avoid any kind of download from these kinds of pages.
Likewise, you should pay attention to the size of the downloaded files, above all from P2P networks. Very often, files that are actually camouflaged viruses are very small, and therefore do not correspond in any way with the file that has apparently been downloaded.
In any case, the safest choice is to rely on well-known, quality antivirus software updated at least once a day. Only in this way can you be sure that downloads from the Internet do not represent a threat to your computer.
Virus Tips
Acquire and use a reliable antivirus program. Select an antivirus that has a consistent track record. Checkmark, AV-Test.org and TuV are among the most respected independent testers of antivirus software.
Acquire and use a reliable firewall solution. Again, independent reviewers are your best bet for reasonable choices. Some operating systems come with a firewall which only filters incoming traffic. Use a firewall that can control both incoming and outgoing Internet traffic.
Do not open e-mails coming from unknown or distrusted sources. Many viruses spread via e-mail messages so please ask for a confirmation from the sender if you are in any doubt.
Do not open the attachments of messages with a suspicious or unexpected subject. If you want to open them, first save them to your hard disk and scan them with an updated antivirus program.
Delete any chain e-mails or unwanted messages. Do not forward them or reply to their senders. This kind of message is considered spam, because it is undesired and unsolicited and it overloads Internet traffic.
Avoid installing services and applications which are not needed in day-by-day operations in a desktop role, such as file transfer and file sharing servers, remote desktop servers and the like. Such programs are potential hazards, and should not be installed if not absolutely necessary.
Update your system and applications as often as possible. Some operating systems and applications can be set to update automatically. Make full use of this facility. Failure to patch your system often enough may leave it vulnerable to threats for which fixes already exist.
Do not copy any file if you don't know or don't trust its source. Check the source (provenance) of files you download and make sure that an antivirus program has already verified the files at their source.
Make backups of important personal files (correspondence, documents, pictures and such) on a regular basis. Store these copies on removable media such as CD or DVD. Keep your archive in a different location than the one your computer is in.
What's Spam
One of the biggest dangers on the Internet today is spam or unsolicited commercial mail, as it can cause damage at many different levels.
The term 'spam' is said to have originated from a Monty Python sketch. The sketch takes place in a restaurant where all the dishes on the menu include the canned luncheon meat SPAM. When the waitress reads out the menu a group of Vikings sing a chorus of "spam, spam, spam..." louder and louder, drowning out other conversation. The term probably started to be used to describe unsolicited commercial mail because it drowns out legitimate mail.
The financial damage caused by this type of malware can be calculated in terms of the number of working hours lost around the world every day by users having to delete these messages, without even reading them. Take a network with five hundred workstations as an example: if each workstation receives ten spam messages every day and ten minutes is spent deleting these messages, it is easy to calculate how many working hours are lost a year dealing with spam. What's more, if the subject is attractive enough to entice the user into reading it or connecting to an Internet address specified in the text, the number of working hours lost significantly increases.
However, spam also entails other dangers. For example, although it is not very common, it could carry viruses or other malicious code, or contain links to web pages that are designed to download software to the computer without the user realizing. This is probably the method that Sobig.F used to become 'the fastest-spreading virus in computer history'.
Avoid Email Harvesters
Here is a nice JavaScript you can use to hide your email addresses listed on your web pages.
The script in action: name@yahoo.com
To use: change the information that we have italicized, underlined & is in bold print
NEVER use your "real" email address when posting to newsgroups, classified sites, FFA etc. That is where spammers get your email address. Use "throw away" email accounts. Such as:
Hotmail, Yahoo, Bigfoot, Angelfire