Monday, August 15, 2011
BEST ANTIVIRUS IN INDIA: Safe Internet browsing
Sunday, August 14, 2011
What is a rootkit?
Rootkits are a malware inventor's dream: they are created to allow worms, bots, and other malevolent software to hide in plain sight. Rootkits are designed to hide themselves from detection by users and security programs, so they don't show up in Windows Explorer, the running processes don't display in the Task Manager, and many antivirus programs can't find rootkit-hidden malware.
A rootkit is a special program that buries itself deep into an operating system (like Microsoft Windows) for malicious activity and is extremely difficult to detect. The malicious software operates in a stealth fashion by hiding its files, processes and registry keys and it can be used to create a hidden directory or folder designed to keep it out of view from a user's operating system and security software.
Attackers can then use the rootkit to hide their malicious software, which can range from spyware to keylogger software that can steal sensitive information from users' computers. Rootkits can allow criminals to remotely monitor, record, modify, steal and transfer any information entered or stored on a user’s computer, disabling some PC firewalls and evading some traditional security products at will.
Rootkits often bury themselves via other computer infections and then modify the operating system of the infected PC. They are often almost undetectable and extremely difficult to remove. Detecting a rootkit on a Windows PC is not unlike shining a flashlight at objects in a darkened room, and then trying to identify each object by the shadow it casts on the wall.
Rootkits are rapidly becoming more prevalent, more virulent and more sophisticated, security experts warn. The complexity in rootkits is growing at a phenomenal rate, allowing malicious software to bury deep and potentially go undetected inside Microsoft's Windows platform. Rootkits have grown over the past five years from 27 components to 2,400, according to a report from April 2007.
This means that there are more ways attackers can use these components to hide their malware, and it means that the use of rootkits is increasing. One security company recorded a 62 percent annual increase in rootkit activity in 2006 and predicted an increase of around 40 percent in 2007. Another security company that surveyed 291,000 users in October 2007 warned that increasing numbers of PC users are falling victim to rootkit infections.
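The "flashlight and shadow" detection described above is usually called cross-view detection: take the same inventory two different ways and treat anything that appears in only one view as a possible hidden object. The following is an added example, not code from the original page or from any product it mentions. It assumes a Linux host with /proc (the page discusses Windows, where the same comparison is made between the Task Manager view and a lower-level enumeration) and compares the /proc directory listing against a kill(pid, 0) probe of every candidate PID.

```python
import os


def processes_from_listing():
    """View 1: the PIDs that appear when /proc is listed. A rootkit that
    filters directory listings (the equivalent of hiding from Task Manager
    or Windows Explorer) removes its own entries from this view."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def processes_by_probing(max_pid=65536):
    """View 2: every PID the kernel confirms as alive when sent signal 0.
    No directory is read, so a listing filter does not affect this view.
    max_pid is capped for speed; read /proc/sys/kernel/pid_max for a full sweep."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            pass                      # no such process
        except PermissionError:
            alive.add(pid)            # exists, but belongs to another user
    return alive


def thread_ids(pids):
    """Edge case: kill(tid, 0) also succeeds for thread ids, which never appear
    in the /proc listing. Opening /proc/<id>/status directly (readdir filters
    usually leave open() alone) and comparing Tgid tells threads from processes."""
    tids = set()
    for pid in pids:
        try:
            with open(f"/proc/{pid}/status") as status:
                for line in status:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) != pid:
                            tids.add(pid)
                        break
        except OSError:
            pass                      # unreadable: leave it in the suspect set
    return tids


def hidden_processes(listed, probed, threads=frozenset()):
    """Cross-view diff: alive by probing, absent from the listing, not a thread."""
    return sorted((set(probed) - set(listed)) - set(threads))


if __name__ == "__main__":
    listed = processes_from_listing()
    probed = processes_by_probing()
    suspects = hidden_processes(listed, probed, thread_ids(probed - listed))
    print("PIDs alive but missing from the /proc listing:", suspects or "none")
```

Run it as root for a complete sweep. A process that starts or exits between the two sweeps shows up once as a false positive, so repeat the comparison and keep only the PIDs reported every time. A hit means one enumeration path disagrees with another, which is the symptom the paragraph describes, not proof of a rootkit by itself.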
What is a firewall?
A firewall is a hardware or software device configured to permit or deny data through a computer network in order to protect the resources of a private network from users from other networks. For example, an enterprise with an intranet that allows its workers access to the wider Internet would install a firewall to prevent outsiders from accessing its own private data resources and for controlling what outside resources its own users have access to.
In the same way, computer users install personal firewalls (usually software) to protect their computers from the threats of the Internet. The program simply sits between your computer and the Internet, and its job is to filter incoming and outbound traffic. That way it can deny intruders or malware access to your computer, and it can also detect unwanted outbound traffic, for instance from spyware that is sending your surfing habits to a Web site.
Basically, a firewall examines all data trying to pass through it to determine whether to forward it to its destination. This is done according to a set of rules set by the user, establishing which sorts of traffic are allowed and which are not. The term "firewall" of course originated from firefighting, where firewalls are barriers built to prevent the spread of fire.
An up-to-date firewall is really one of the most basic must-have elements of computer protection, and that became clear when the Love Bug, MyDoom, Slammer, and Sasser worms swept across the globe in the first years of this millennium, causing millions of dollars of damage. In response, ordinary computer users started installing firewalls and anti-virus products galore, and the next generations of worms have pretty much been stopped dead in their tracks before they could spread to a serious degree.
Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.
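To make the rule-based filtering concrete, here is an added example of a tiny first-match packet filter in Python; it is not code from the original page or from any firewall product. The Packet and Rule types, the policy and the sample traffic are all constructed for the illustration (addresses come from the documentation ranges), and the filter matches on the attributes the paragraph lists: direction, protocol, originator netblock, destination service and TTL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving this PC)
    proto: str       # "tcp", "udp" or "icmp"
    src: str         # source IP address
    sport: int       # source port
    dst: str         # destination IP address
    dport: int       # destination port, i.e. the service (80 = WWW, 21 = FTP, ...)
    ttl: int = 64    # time-to-live of the packet


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src_net: str = "0.0.0.0/0"     # netblock of the originator
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None = any destination service
    max_ttl: Optional[int] = None  # match only packets whose TTL is at most this value
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport)
                and (self.max_ttl is None or p.ttl <= self.max_ttl))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule decides; a packet that no rule allows is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default deny"


# Constructed policy for a PC at 192.0.2.10 on the 192.0.2.0/24 home network.
POLICY = [
    Rule("deny",  src_net="198.51.100.0/24", comment="blocked netblock"),
    Rule("deny",  max_ttl=4, comment="TTL too low, likely crafted"),
    Rule("allow", direction="in", proto="tcp", src_net="192.0.2.0/24", dport=22,
         comment="SSH from the LAN only"),
    Rule("allow", direction="out", proto="tcp", dport=443, comment="HTTPS browsing"),
    Rule("allow", direction="out", proto="tcp", dport=80, comment="WWW browsing"),
    Rule("allow", direction="out", proto="udp", dport=53, comment="DNS lookups"),
    Rule("deny",  direction="out",
         comment="unexpected outbound traffic: log it, could be spyware phoning home"),
]

# Constructed sample traffic, one packet per interesting case.
SAMPLE = [
    Packet("out", "tcp", "192.0.2.10",   51000, "203.0.113.5",  443),
    Packet("in",  "tcp", "192.0.2.20",   40000, "192.0.2.10",   22),
    Packet("in",  "tcp", "203.0.113.9",  40000, "192.0.2.10",   22),
    Packet("in",  "tcp", "198.51.100.7", 40000, "192.0.2.10",   443),
    Packet("out", "tcp", "192.0.2.10",   51001, "203.0.113.77", 6667),
    Packet("in",  "tcp", "203.0.113.9",  40000, "192.0.2.10",   443, ttl=2),
]


def filter_all(rules, packets):
    """Apply the policy to every packet and return (verdict, reason) pairs."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for p, (verdict, why) in zip(SAMPLE, filter_all(POLICY, SAMPLE)):
        print(f"{verdict:5} {p.direction:3} {p.proto} {p.src}:{p.sport} -> "
              f"{p.dst}:{p.dport} ttl={p.ttl}  ({why})")
```

Two design points worth copying from real firewalls: the default is deny, so anything the user has not explicitly allowed is dropped, and the final outbound rule exists mainly for its comment, because a denied connection initiated by the PC itself is exactly the "unwanted outbound traffic" the text says a personal firewall should detect.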
What is a keylogger?
According to experts, keystroke loggers pose more risk to PC users than any other tool used for committing cybercrime. Also known as keyloggers, they are small programs or hardware devices that monitor each keystroke you type on a specific computer's keyboard, including typos, backspacing and retyping.
Recording your every move on the Web
Although keyloggers are promoted for benign purposes like allowing parents to monitor their children's whereabouts on the Internet, they can be used to spy on anyone. They are used by cybercriminals to covertly watch and record everything you type on your PC in order to harvest your log-in names, passwords, and other sensitive information, and send it on to the hackers. This may include any passwords you have asked your computer to remember for you to speed up logging in, as these are held as cookies on your machine.
Unfortunately for consumers, keyloggers are becoming very sophisticated. Once on a PC, they can track websites visited by the user and only log the keystrokes entered on the websites that are of particular interest to the cybercriminal; for example online banking websites.
Therefore, keyloggers are an increasingly popular tool among identity thieves and most financial cybercrime is committed using them, as these programs are the most comprehensive and reliable tool for tracking electronic information. One security company detected just 275 keyloggers in 2001, while the number had reached 6,200 in 2005. Another security company recorded more than a 500 percent increase between January 2003 and July 2006.
Identity theft in all its various guises is one of the fastest growing crimes, with keylogging Trojan software often forming the weapon of choice for would-be fraudsters. According to figures from American consumer watchdog the Federal Trade Commission, almost ten million Americans discovered they were the victims of identity theft during 2003, with total losses approaching $50 billion. The research shows that the number of victims has risen by 50 percent since 2003 and the financial loss per consumer has more than doubled from $1,408 in 2005 to $3,257 in 2006.
In 2007, keylogging software found its way onto hundreds of PCs belonging to account holders at the large Swedish bank Nordea. In the biggest heist of customer accounts on record more than $1 million was stolen. Also in 2007, the users of an American retirement savings and investment plan for federal employees were targeted by keyloggers, with cybercriminals taking off with about $35,000 from two dozen user accounts.
In 2005, a businessman from Florida filed a lawsuit against the Bank of America after unknown hackers stole $90,000 from his account and transferred the money to Latvia. An investigation showed that his computer was infected with a malicious program that recorded every keystroke and this was how the hackers got hold of his user name and password. The court did not rule in favor of the plaintiff, saying that he had neglected to take basic precautions when managing his bank account on the Internet: a signature for the malicious code that was found on his system had been added to nearly all antivirus product databases back in 2003.
Your PC can become infected with keyloggers in various ways. They can be inadvertently downloaded from an infected Web site or email attachment, or by clicking on links. Often cyberthieves use Trojan-horse software to load keylogging software onto unsuspecting victims' computers.
Recommended methods to protect against keyloggers include keeping all your programs up-to-date – antivirus and firewall software as well as Windows, Office and other applications – recognising phishing emails, and avoiding the temptation of clicking links in email that point to potentially dodgy sites hosting malware.
Safe Internet browsing
Users in all corners of the globe browse the Internet every day. However, in spite of appearances, it is not free from dangerous threats. Bear in mind that visiting a web page is not a passive activity: both the computer establishing the connection and the web server that hosts the data to be consulted need to communicate, and to do this they must transfer data. This data transfer is not direct and must pass through several computers, meaning that the information can be intercepted by any of them. Even though secure servers, which encrypt the data to be transferred, are available, the majority of web pages do not implement this security measure.
One of the dangers faced by users when they browse the Internet is a hacker accessing their cookies, small text files saved on users' computers by the server of the page the user is visiting. The information cookies contain is usually related to the page being visited, which can include user names and passwords, browsing preferences, etc.
Java Applets and JavaScripts can also put users at risk. Although the majority of these programs that are run on the user's computer at the request of the server are harmless, they can be designed to steal system information and send it to a malicious user.
Another threat that is becoming one of the most dangerous on the Internet is phishing. This technique involves tricking users into thinking that they are visiting a legitimate web page, when they are actually visiting a malicious page. It is particularly dangerous when the malicious page simulates an online banking page. Web pages that perfectly imitate the appearance and functions of well-known banking entities are becoming increasingly commonplace on the Internet, and they entice users into entering personal data that will fall directly into the hands of unscrupulous cyber criminals.
But that's not all: there are also viruses that are capable of getting into computers when users browse the Internet. To do this, they usually exploit vulnerabilities that allow them to install themselves on computers without the user realizing. The malicious code that has the capacity to do this includes many Trojans designed to steal confidential information from affected computers.
Tips for safe browsing
- When making transactions on the Internet, check that the process is carried out through a secure server. Several characteristics identify these types of servers. One of these is the address that appears in the address bar in the browser, which starts with https://. What's more, a padlock or key icon will appear in the browser window. If the padlock is closed or the key is complete (not broken), the server is secure.
- Another recommendable measure is to disable the cookies from the toolbar in the browser you are using. Although they must be enabled in order to access some web pages, they can be enabled temporarily. Even though it may be tiresome enabling and disabling the cookies, it can prevent a lot of serious problems.
- To avoid falling victim to phishing scams, make sure that the page you are visiting is legitimate. To do this, copy the URL of the web site you want to visit and paste it in the address bar of the browser.
- It is also advisable to identify and monitor the Java Applets and JavaScripts on the system to avoid any nasty surprises.
- Raise the security zone in the browser to 'medium' or 'high'. This can be done from the toolbar in the browser you are using.
- Finally, make sure that you have a reliable antivirus installed, which is updated at least once a day. This will prevent malicious code from slipping into your computer while you are browsing the Internet.
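The first and third tips (https:// in the address bar, and making sure the address really is the bank's) can be turned into a mechanical check on a pasted URL. The following is an added example, not from the original page or from any browser or antivirus vendor. TRUSTED_HOSTS is a constructed placeholder for the hostnames you know belong to your bank, and the function reports every reason a URL should not be trusted, including the look-alike tricks the phishing paragraph warns about: the bank's name buried inside someone else's domain, a "username" before @ that looks like a hostname, a bare IP address, or a punycode label.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder: the hostnames you know belong to your bank.
TRUSTED_HOSTS = {"bank.example"}


def check_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Return the reasons a URL should not be trusted; an empty list means it passed."""
    findings = []
    parts = urlsplit(url.strip())

    # Tip 1: a transaction must run over https, otherwise the data travels in the clear.
    if parts.scheme.lower() != "https":
        findings.append("not https: the connection is not encrypted")

    host = parts.hostname            # lower-cased, without the port or the user@ part
    if not host:
        findings.append("no hostname in URL")
        return findings

    # "https://bank.example@evil.test/" is a URL for evil.test with a username of bank.example.
    if parts.username is not None:
        findings.append(f"text before '@' is a username, the real host is '{host}'")

    # A bank's site is reached by name, not by a raw address.
    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address instead of the bank's domain name")
    except ValueError:
        pass

    # Internationalised labels can contain characters that look like Latin letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) label: possible look-alike characters")

    # Tip 3: the host must be the trusted name itself or a subdomain of it.
    if host in trusted_hosts or any(host.endswith("." + t) for t in trusted_hosts):
        return findings
    if any(t in host for t in trusted_hosts):
        findings.append(f"'{host}' contains the trusted name but is not under it")
    else:
        findings.append(f"'{host}' is not the expected site")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, the rest modelled on common phishing tricks.
    for sample in ["https://login.bank.example/",
                   "http://bank.example/",
                   "https://bank.example.evil.test/",
                   "https://bank.example@evil.test/login",
                   "https://192.0.2.10/login"]:
        print(sample, "->", check_url(sample) or "ok")
```

An empty list means the URL passed these checks. The padlock, that is, a valid certificate for that exact hostname, is still the browser's job and is not something the URL string alone can prove.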
How a virus works
The word virus is often being used as a common term for all malicious programs, but technically a virus is a program or code that attaches itself to a legitimate, executable piece of software, and then reproduces itself when that program is run. Viruses spread by reproducing and inserting themselves into programs, documents, or email attachments. They can be transmitted through emails or downloaded files and they can be present on CDs, DVDs, USB-drives and any other sort of digital media.
A virus normally requires action to successfully infect a victim. For instance - the malicious programs inside email attachments usually only strike if the recipient opens them. The effect of a virus can be anything from a simple prank that pops up messages to the complete destruction of programs and data.
In recent years viruses have been on the decrease. In January 2007, one in 119.9 e-mails, or 0.83 percent, were infected with viruses, while five years earlier more than 20 percent of emails at times contained viruses. The difference is partly due to virus attacks becoming more targeted and no longer occurring as one large outbreak. Also, there has been a big increase in spam emails that contain links to download viruses.
The computer virus turned 25 in 2007. Long-suffering computer users would be forgiven for thinking that the first computer virus appeared in the mid-1980s, but the first virus actually predates the first IBM-compatible PC. Elk Cloner, which spread between Apple II computers via infected floppy disks, was released July 1982 and it was the first computer virus to spread in the wild.
Viruses had their heyday around the year 2000, with the Y2K scare. In 1999, the Melissa virus caught antivirus companies flat-footed and propagated rapidly. It was the first real outbreak of many of its kind that spread using Microsoft's Word and Outlook. A year later, the 'I Love You' virus caught the world by surprise. Lloyds of London estimated that the virus cost the global economy $10bn, making it the most expensive piece of malicious software to be unleashed to date. It was also the first time a computer virus became the day's top story for newspapers and television stations, marking a shift to mainstream awareness of computer viruses.
Nowadays mobile operators are also starting to feel the pinch from viruses, resulting from the increasing use of email and Internet browsing on cellphones. Attacks on cellphones rose five times in 2006, with clients of 83 percent of mobile operators around the world having been hit, an industry study showed.
But mobile viruses are around 20 years behind those plaguing PCs, which translates into more than 300 virus variants targeting mobiles and smartphones, but around 400,000 such threats targeting PCs. In June 2004, a security company released details of a piece of mobile-phone malware that used Bluetooth to try to spread to other Symbian Series 60-based mobiles. That is believed to be the first case of a self-replicating mobile-phone virus and since then there has been a consistent increase in mobile viruses.
Source: http://www.bullguard.com
History of computer viruses
Like any other field in computer science, viruses have evolved, a great deal indeed, over the years. In the series of press releases which start today, we will look at the origins and evolution of malicious code since it first appeared up to the present.
Going back to the origin of viruses, it was in 1949 that Mathematician John Von Neumann described self-replicating programs which could resemble computer viruses as they are known today. However, it was not until the 60s that we find the predecessor of current viruses. In that decade, a group of programmers developed a game called Core Wars, which could reproduce every time it was run, and even saturate the memory of other players' computers. The creators of this peculiar game also created the first antivirus, an application named Reeper, which could destroy copies created by Core Wars.
However, it was only in 1983 that one of these programmers announced the existence of Core Wars, which was described the following year in a prestigious scientific magazine: this was actually the starting point of what we call computer viruses today.
At that time, a still young MS-DOS was starting to become the preeminent operating system worldwide. This was a system with great prospects, but still many deficiencies as well, which arose from software developments and the lack of many hardware elements known today. Even so, this new operating system became the target of a virus in 1966: Brain, a malicious code created in Pakistan which infected boot sectors of disks so that their contents could not be accessed. That year also saw the birth of the first Trojan: an application called PC-Write.
Shortly after, virus writers realized that infecting files could be even more harmful to systems. In 1987, a virus called Suriv-02 appeared, which infected COM files and opened the door to the infamous viruses Jerusalem or Viernes 13. However, the worst was still to come: 1988 set the date when the "Morris worm" appeared, infecting 6,000 computers.
From that date up to 1995 the types of malicious codes that are known today started being developed: the first macro viruses appeared, polymorphic viruses... Some of these even triggered epidemics, such as MichaelAngelo. However, there was an event that changed the virus scenario worldwide: the massive use of the Internet and e-mail. Little by little, viruses started adapting to this new situation until the appearance, in 1999, of Melissa, the first malicious code to cause a worldwide epidemic, opening a new era for computer viruses.
Source: http://www.pandasoftware.com
Definition of malware
Malware (a contraction of "malicious software") refers to software developed for the purpose of doing harm.
Malware can be classified based on how it gets executed, how it spreads, and/or what it does. The classification is not perfect, however, in the sense that the groups often overlap and the difference is often not obvious, giving rise to frequent flame wars.
The first form of malware to evolve was the computer virus. Viruses work and spread (within the infected system) by attaching themselves to other pieces of software (or in the case of macro viruses, documents), such that during the execution of the program the viral code is executed. Viruses spread across computers when the software or document they attached themselves to is transferred from one computer to the other.
Computer worms are similar to viruses but are stand-alone software and thus do not require other pieces of software to attach themselves to. They do modify their host operating system, however, at least to the extent that they are started as part of the boot process. To spread, worms either exploit some vulnerability of the target system or use some kind of social engineering to trick users into executing them.
Trojan horses are similar to viruses in that they get executed by being part of an otherwise useful piece of software. However, Trojan horses are attached to the host software manually, they can not infect other pieces of software the way viruses can. To spread, Trojan horses rely on the useful features of the host software, which trick users to install them.
A backdoor is a piece of software that allows access to the computer system bypassing the normal authentication procedures. Based on how they work and spread there are two groups of backdoors. The first group works much like a Trojan, i.e., they are manually inserted into another piece of software, executed via their host software and spread by their host software being installed. The second group works more like a worm in that they get executed as part of the boot process and are usually spread by worms carrying them as their payload.
Spyware is a piece of software that collects and sends information (such as browsing patterns in the more benign case or credit card numbers in more serious ones) on users. They usually work and spread like Trojan horses.
Because viruses were historically the first to appear, the term "virus" is often applied, especially in the popular media, to all sorts of malware. Modern anti-viral software strengthens this broader sense of the term, as its operation is never limited to viruses.
Malware should not be confused with defective software, that is, software which is intended for a legitimate purpose but has errors or bugs.
How does anti-virus software work?
An anti-virus software program is a computer program that can be used to scan files to identify and eliminate computer viruses and other malicious software (malware).
Anti-virus software typically uses two different techniques to accomplish this:
- Examining files to look for known viruses by means of a virus dictionary
- Identifying suspicious behavior from any computer program which might indicate infection
Virus dictionary approach
In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, the anti-virus software can either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file.
To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.
Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, and closes them; and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can also typically be scheduled to examine all files on the user's hard disk on a regular basis.
Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary.
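The dictionary approach described above, as an added example (not code from the original page or from any anti-virus vendor). It keeps a tiny constructed dictionary with two kinds of entry, a whole-file hash and a byte pattern, and applies the three responses the text lists: quarantine when nothing worth saving remains, repair when a known appended body can be cut off a host file, and no action when nothing matches. The signature names, the `DEMO_BODY` bytes and the sample files are all invented for this example. The last case in the usage shows the weakness the paragraph above describes: a variant that changes a single byte no longer matches either entry.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str              # "sha256": whole-file hash; "pattern": byte sequence
    value: bytes           # hex digest (as bytes) or the raw byte pattern
    appender: bool = False  # pattern is a full body appended to a host file


# Constructed stand-in for a virus body: harmless bytes, not real code.
DEMO_BODY = b"\xeb\x0fVIRUS-DEMO\x90\x90\xc3"

# Constructed dictionary; names and contents are invented for this example.
SIGNATURES = [
    Signature("Demo.Dropper", "sha256",
              hashlib.sha256(DEMO_BODY).hexdigest().encode()),
    Signature("Demo.Appender", "pattern", DEMO_BODY, appender=True),
]


def scan_bytes(data: bytes, signatures=SIGNATURES) -> Optional[Signature]:
    """Return the first dictionary entry that matches `data`, or None."""
    digest = hashlib.sha256(data).hexdigest().encode()
    for sig in signatures:
        if sig.kind == "sha256" and sig.value == digest:
            return sig
        if sig.kind == "pattern" and sig.value in data:
            return sig
    return None


def handle(data: bytes, signatures=SIGNATURES):
    """Decide what to do with a file: returns (action, resulting bytes).

    action is "clean" (no match), "repair" (appended body removed, host kept)
    or "quarantine" (match, but no clean host to keep).
    """
    sig = scan_bytes(data, signatures)
    if sig is None:
        return "clean", data
    if sig.appender:
        idx = data.find(sig.value)
        host = data[:idx]
        if host:                      # something worth saving remains
            return "repair", host
    return "quarantine", b""


if __name__ == "__main__":
    host = b"MZ clean program"        # constructed host file
    print(handle(DEMO_BODY)[0])                    # quarantine
    print(handle(host + DEMO_BODY))                # ('repair', b'MZ clean program')
    variant = DEMO_BODY.replace(b"\x90\x90", b"\x90\x41")
    print(handle(variant)[0])                      # clean (a one-byte change evades both entries)
```

The "clean" verdict on the variant is the dictionary approach's blind spot: every new variant needs a new entry, which is why the text insists on regular dictionary updates.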
Suspicious behavior approach
The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do.
Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary. However, it also produces a large number of false positives, and users tend to become desensitized to the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has been made especially worse over the past 7 years, since many more non-malicious programs have chosen to modify other .exe files without regard to this false positive issue. Thus, most modern anti-virus software uses this technique less and less.
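The behavior rule from the paragraph above ("a program writes to an executable"), as an added example that is not from the original page. It runs the rule over a constructed event log of the kind a file-system filter driver would report, first with no exceptions and then with a list of trusted writers (installers and updaters), which is the only lever a behavior monitor has against the false-positive problem the text describes. The process names, paths and the `TRUSTED_WRITERS` list are all invented for this example.

```python
from collections import namedtuple

# One file-system event as a monitor would see it: who did what to which path.
Event = namedtuple("Event", "process op target")

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".sys")

# Constructed event log standing in for real filter-driver output.
EVENTS = [
    Event("word.exe",    "write", r"C:\Users\a\report.docx"),              # data file: fine
    Event("game.exe",    "write", r"C:\Windows\System32\kernel32.dll"),    # a game patching a system DLL
    Event("setup.exe",   "write", r"C:\Program Files\App\app.exe"),        # installer: legitimate
    Event("updater.exe", "write", r"C:\Program Files\App\app.exe"),        # updater: legitimate
    Event("notepad.exe", "read",  r"C:\Windows\notepad.exe"),              # reading is not writing
]

# Constructed exception list: processes allowed to modify executables.
TRUSTED_WRITERS = frozenset({"setup.exe", "updater.exe"})


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


def find_suspicious(events, trusted_writers=frozenset()):
    """Return the events that trip the 'write to an executable' rule."""
    return [
        ev for ev in events
        if ev.op == "write"
        and is_executable(ev.target)
        and ev.process.lower() not in trusted_writers
    ]


def alert_summary(events, trusted_writers=frozenset()):
    """Count alerts so the false-positive burden of a rule set can be compared."""
    alerts = find_suspicious(events, trusted_writers)
    return {"alerts": len(alerts), "processes": [ev.process for ev in alerts]}


if __name__ == "__main__":
    print(alert_summary(EVENTS))                    # 3 alerts, two of them benign
    print(alert_summary(EVENTS, TRUSTED_WRITERS))   # 1 alert: game.exe writing kernel32.dll
```

Without the trusted-writer list two of the three alerts are benign, which is exactly the ratio that trains users to click "Accept" on everything; with it, the one remaining alert is the one worth a human's attention.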
Other ways to detect viruses
Some anti-virus software will try to emulate the beginning of the code of each new executable before transferring control to it. If the program seems to be using self-modifying code or otherwise behaves like a virus (for example, it immediately tries to find other executables), one could assume that the executable has been infected with a virus. However, this method results in a lot of false positives.
Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.
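The sandbox method from the paragraph above, as an added example that is not from the original page: snapshot a file tree, run the program against a throwaway copy of it, snapshot again and look at what changed. Here the "program" is a Python function acting on a temporary directory rather than a real executable in an emulated OS, and the seed files, the two sample programs and the indicator rules (a modified executable, or a new file in a startup folder) are all constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff(before: dict, after: dict) -> dict:
    """Classify the changes between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def indicators(changes: dict) -> list:
    """Changes that a post-run analysis would flag: executables rewritten or startup entries added."""
    hits = []
    for rel in changes["added"] + changes["modified"]:
        if rel.lower().endswith((".exe", ".dll")) or rel.split("/")[0] == "startup":
            hits.append(rel)
    return sorted(hits)


def run_in_sandbox(program, seed_files: dict) -> dict:
    """Copy seed files into a throwaway directory, run program(root), report the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in seed_files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        before = snapshot(root)
        program(root)
        after = snapshot(root)
    return diff(before, after)


# Constructed seed file system: one executable, one document, an empty startup folder.
SEED = {"bin/app.exe": b"MZ app", "docs/notes.txt": b"hello", "startup/.keep": b""}


def benign_program(root: Path):
    """Constructed well-behaved program: only edits its own data file."""
    (root / "docs" / "notes.txt").write_bytes(b"hello world")


def infector_program(root: Path):
    """Constructed stand-in for an infector: appends a marker to another executable
    and drops a new file in the startup folder. Plain text, not real code."""
    exe = root / "bin" / "app.exe"
    exe.write_bytes(exe.read_bytes() + b"DEMO-MARKER")
    (root / "startup" / "run.exe").write_bytes(b"DEMO-MARKER")


if __name__ == "__main__":
    print(indicators(run_in_sandbox(benign_program, SEED)))    # []
    print(indicators(run_in_sandbox(infector_program, SEED)))  # ['bin/app.exe', 'startup/run.exe']
```

The cost the text mentions is visible in the structure: every scan needs a fresh copy, a full run of the program and two hash passes over the tree, which is why this is reserved for on-demand scans rather than on-access checks.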
Issues of concern
Macro viruses, arguably the most destructive and widespread computer viruses, could be prevented far more inexpensively and effectively, and without the need of all users to buy anti-virus software, if Microsoft would fix security flaws in Microsoft Outlook and Microsoft Office related to the execution of downloaded code and to the ability of document macros to spread and wreak havoc.
User education is as important as anti-virus software; simply training users in safe computing practices, such as not downloading and executing unknown programs from the Internet, would slow the spread of viruses, without the need of anti-virus software.
Computer users should not always run with administrator access to their own machine. If they simply ran as a standard user, some types of viruses would not be able to spread.
The dictionary approach to detecting viruses is often insufficient due to the continual creation of new viruses, yet the suspicious behavior approach is ineffective due to the false positive problem; hence, anti-virus software as currently understood will never fully defeat computer viruses.
There are various methods of encrypting and packing malicious software which will make even well-known viruses undetectable to anti-virus software. Detecting these "camouflaged" viruses requires a powerful unpacking engine, which can decrypt the files before examining them. Unfortunately, many popular anti-virus programs do not have this and thus are often unable to detect encrypted viruses.
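The unpacking engine the paragraph above calls for, as an added example that is not from the original page. It uses zlib compression as a stand-in for a packer (real packers use their own stubs and formats, so this is a constructed simplification), and contrasts a plain pattern scan, which sees only the compressed bytes, with a scan that locates embedded zlib streams, decompresses them, and scans the result recursively up to a depth limit. The `SIGNATURE` and `PAYLOAD` bytes and the `STUB` prefix are invented for this example.

```python
import zlib

# Constructed pattern and body standing in for a real signature and virus code.
SIGNATURE = b"VIRUS-DEMO\x90\x90"
PAYLOAD = b"\xeb\x0fVIRUS-DEMO\x90\x90\xc3"

# Constructed loader stub; a packed file is the stub followed by a compressed body.
STUB = b"MZ-demo-stub:"
ZLIB_HEADER = b"\x78\x9c"   # zlib header at the default compression level


def plain_scan(data: bytes) -> bool:
    """Dictionary scan with no unpacking: looks at the bytes as stored on disk."""
    return SIGNATURE in data


def candidate_streams(data: bytes):
    """Yield the decompressed form of every complete zlib stream found in data."""
    start = 0
    while True:
        i = data.find(ZLIB_HEADER, start)
        if i < 0:
            return
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[i:])
            if d.eof:             # a whole stream ended here, trailing bytes are ignored
                yield out
        except zlib.error:
            pass                  # header bytes that were not really a stream
        start = i + 1


def scan_with_unpacking(data: bytes, max_depth: int = 3) -> bool:
    """Scan the data, then each packed layer inside it, down to max_depth layers."""
    if SIGNATURE in data:
        return True
    if max_depth == 0:
        return False
    return any(scan_with_unpacking(inner, max_depth - 1)
               for inner in candidate_streams(data))


def pack(body: bytes, layers: int = 1) -> bytes:
    """Constructed packer: wrap body in `layers` stub-plus-zlib layers (test input only)."""
    for _ in range(layers):
        body = STUB + zlib.compress(body)
    return body


if __name__ == "__main__":
    packed = pack(PAYLOAD)
    print(plain_scan(PAYLOAD), plain_scan(packed))          # True False
    print(scan_with_unpacking(packed))                      # True
    print(scan_with_unpacking(pack(PAYLOAD, 2), max_depth=1))  # False: one layer too few
```

The depth limit matters in practice: an engine without one can be made to spend unbounded time on nested layers, so a scanner has to trade detection depth against scan time.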
Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.
This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Anti-virus software".
Monday, August 8, 2011