Virus – Antivirus Software
Page 2
Many people (including experts in the field) thought that computer viruses were simply a myth invented in a science fiction book, and that the media was trying to fix in people's minds a "reality" that did not correspond to reality at all. Yet viruses have grown from no more than a handful (countable on one's fingers) in the first year to more than 15,000 in the present day.
The Creeper virus was first detected on ARPANET in the early 1970s.
The first PC virus was a boot sector virus called "Brain", created by Basit and Amjad Farooq Alvi in 1986 in Lahore, Pakistan.
This virus copied itself through infected software.
History
Page 3
Computer viruses are small software programs designed to transfer from one computer to another.
"A virus is simply a computer program that is intentionally written to attach itself to other programs and replicate whenever those programs are executed."
Viruses can easily spread through e-mail attachments or instant messages. They can also spread through unnecessary files downloaded from the Internet. Viruses can be disguised as attachments that look like funny images, greeting cards, or audio and video files.
Virus
Page 4
1. Reducing unauthorized copying of programs, as with the Pakistani Brain virus.
2. Scientific research, as with the STONED virus, written by a graduate student in New Zealand and stolen by his brother, who wanted to pass the virus on to his friends.
3. The desire to challenge others and show off intellectual ability, by people who feel that their intelligence and abilities have been mocked, as with the V2P viruses.
4. The desire for revenge by programmers who have been fired.
5. To encourage the purchase of anti-virus programs: some companies are said to have spread newly written viruses and then announced a new product to detect them.
Reasons for writing viruses
Page 5
When we run an infected program, it loads into memory and starts running, and the virus that is attached to it runs as well. From there it has the ability to infect other programs.
When the virus finds programs it has not yet infected, it adds itself to them.
When we pass programs and files to a friend, whether by e-mail, CD or floppy disk, our friend's computer can be infected as well.
How a Virus Works
Page 6
In fact, the virus attaches itself to a file by adding its own code at the beginning or at the end of the infected file, without actually changing the contents of the original file. Consider the following picture, which shows the layout of an uninfected file: when the program is called, it runs normally.
Now imagine that the file becomes infected. As we have said, the virus pastes itself into the program without changing anything in the contents of the file. There are two ways to do this. Either the virus is pasted at the beginning of the program, so that the virus is executed first whenever the program is run; or the virus places itself at the end of the program and puts a marker (a jump) at the beginning, so that when the program is called, control passes to the virus hiding at the end of the file rather than to the program itself.
In both cases, after completing its harmful work the virus may return control to the program, or it may not return at all, and instead cause damage to the device.
How a Virus Works
Page 7
Worm: infects computers connected to a network automatically, without human intervention, which makes worms spread faster and wider than viruses. The difference between them is that worms do not change or delete files, but they destroy system resources and consume memory heavily, which leads to a very noticeable slowdown of the system.
Worms are disseminated through e-mail on a very large scale.
Trojan: a program that tempts the user with an important-sounding name or an attractive appearance, but which in fact, once run, opens a back door, so to speak; through this back door the system can be broken into and the device controlled to a large extent.
Virus: a virus needs intervention by the user in order to spread. That intervention is running a file that was downloaded from e-mail or from the Internet, or received through the exchange of floppy disks.
The difference between…
Page 8
(1) Boot Sector Virus: infects the boot sector of the disk and may prevent the user from accessing the system at all.
(2) File Virus: usually infects programs, and spreads to other files and programs when they are run.
(3) Macro Virus: infects Microsoft Office documents, such as Word and Excel files.
(4) Multipartite Virus: infects both files and the boot sector at the same time, and is devastating in many cases if it is not stopped.
(5) Polymorphic Virus: a rather sophisticated virus that changes its code as it moves from one machine to another.
(6) Stealth Virus: masks itself so that the infected file appears to be a clean file, fooling the anti-virus into treating an infected file as clean. With the development of anti-virus software this type has become easy to detect.
Types
Page 10
Win32/Sality is a polymorphic virus that infects Win32 PE executable files. It also contains trojan components. Win32/Sality has been known to be downloaded by variants of the Win32/Bagle family.
Description
Page 11
When an infected file is executed, the virus decrypts itself and drops a DLL file into the %System% directory. The DLL file is injected into other running processes. The virus then executes the host program code.
Many variants of Sality also attempt to infect the executable files referenced by values in the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Because those programs are launched automatically, this causes the virus to run at each Windows start.
Method of Infection
Page 13
Steals System Information: Some Sality variants collect information about the infected system and e-mail this information to the domain mail.ru.
The information sent includes, but is not limited to, the following: OS version, IP address, computer name, recently visited URLs, passwords, ISP dial-up connection details and password.
Payload
Page 14
Sality searches subdirectories on drives C:\ to Y:\ for files with the following extensions:
.vdb, .avc, .exe
Deletes files
Page 15
Sality searches for and terminates any process whose name matches a list contained in its code; the following is an example of such a list:
When a process is terminated, Sality displays an error message to indicate a fake error condition.
Terminates Processes
Page 16
Some Sality trojan components modify the Windows Firewall settings to add themselves as authorized applications. This effectively allows these components to bypass the firewall.
Changes Firewall Settings
Page 17
Some Sality variants run an HTTP proxy on port 80 of the affected machine. The trojan contacts the domain shared-admin.com, and receives instructions to connect to the domain connect2me.org, which then returns an IP address. All requests sent to the proxy running on the affected machine are forwarded to the previously returned IP address.
HTTP Proxy
Page 18
- A virus protection program must be installed on your computer.
- It must be updated periodically; merely having it installed is not enough.
- Do not open attachments in e-mails from unknown senders.
- Do not open attachments from friends if they end in .exe or .bat, or any extension you do not recognize.
- Update your operating system.
- Enable a firewall.
How to protect your computer
Page 19
Software that attempts to identify and eliminate computer viruses and other malicious software (malware).
Sophisticated - But virus creators are always one step ahead.
Detection - This is the key to antivirus software.
Antivirus-Software
Page 20
Scanning
Integrity Checking
Interception/ Heuristic Detection
Scanning is the most commonly used technique in antivirus software.
Detection Techniques
Page 21
Also known as the Virus Dictionary Approach.
The scanner scans the hard disk, memory and boot sector for code snippets.
If a code snippet in a file matches any virus in the dictionary, the appropriate action is taken.
Scanning
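The dictionary approach, as an added example that is not part of the original slides: a small scanner with a constructed signature dictionary. Each signature is a sequence of bytes in which `??` stands for a wildcard byte (so one entry can cover variants that differ in a few bytes), and every buffer or file is checked against the whole dictionary. The EICAR marker string is the real, harmless test string used to verify scanners; the other two patterns and the sample inputs are made up for this example.

```python
from typing import Dict, List, Optional

Pattern = List[Optional[int]]   # None stands for a "??" wildcard byte


def parse_signature(text: str) -> Pattern:
    """Turn a hex string such as "DE AD ?? ?? BE EF" into a byte pattern."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


# Constructed virus dictionary. "EICAR-Test-File" matches the marker substring of
# the standard EICAR test string; the other two entries are made-up patterns.
SIGNATURES: Dict[str, Pattern] = {
    "EICAR-Test-File": list(b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
    "Demo.Wildcard.A": parse_signature("DE AD ?? ?? BE EF 00 01"),
    "Demo.Macro.B": list(b"AutoOpen"),   # string-style rule for auto-running macros
}


def match_at(data: bytes, pos: int, pat: Pattern) -> bool:
    """True if pat matches data at offset pos, treating None as any byte."""
    if pos + len(pat) > len(data):
        return False
    return all(b is None or data[pos + i] == b for i, b in enumerate(pat))


def scan_bytes(data: bytes) -> List[Dict[str, object]]:
    """Return [{"name", "offset"}] for every dictionary entry found in data."""
    hits: List[Dict[str, object]] = []
    for name, pat in SIGNATURES.items():
        for pos in range(len(data) - len(pat) + 1):
            if match_at(data, pos, pat):
                hits.append({"name": name, "offset": pos})
                break           # one occurrence is enough to flag the file
    return hits


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a file on disk; whole-file read is fine for a demonstration."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def demo() -> Dict[str, List[Dict[str, object]]]:
    """Constructed sample buffers standing in for files on disk."""
    samples = {
        "eicar.com": b"header bytes $EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$ trailer",
        "dropper.bin": b"MZ\x90\x00" + bytes(40) + bytes.fromhex("DEAD1234BEEF0001") + bytes(8),
        "notes.txt": b"just some text, nothing to see here",
    }
    return {name: scan_bytes(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", hits or "clean")
```

The sliding-window match is deliberately simple; production scanners compile thousands of signatures into one automaton so each byte is examined once. The weakness the slides go on to describe is also visible here: a polymorphic virus that re-encodes itself produces no fixed byte sequence, so a dictionary entry like these never fires.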
Page 22
Keeps track of threats by monitoring changes to files.
Maintains information about important files on disk, usually by calculating checksums.
If a file changes due to virus activity, its checksum will change.
E.g. Norman Virus Control.
Integrity Checker
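An integrity checker of the kind just described, as an added example that is not part of the original slides and not the code of any named product: it records a SHA-256 checksum for every file under a directory, then compares the disk against that baseline and reports files that were modified, removed, or newly dropped. The scenario in `demo()` (an executable with code appended to it, a dropped DLL, a deleted file) is constructed in a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def file_sha256(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_sha256(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    """Persist the baseline; keep this copy somewhere the monitored host cannot alter."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the disk against the baseline; every difference is a finding."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then simulate a file infector's changes."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes, mode: str = "wb") -> None:
            with open(os.path.join(root, rel), mode) as f:
                f.write(data)

        write("app.exe", b"MZ original program code")
        write("readme.txt", b"release notes")
        baseline = build_baseline(root)

        # Simulated infection: code appended to the host program (the append
        # technique from the slides), a dropped DLL, and one file deleted.
        write("app.exe", b"<appended virus body>", "ab")
        write("dropped.dll", b"MZ payload")
        os.remove(os.path.join(root, "readme.txt"))
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the design. The baseline only proves anything if it was taken on a known-clean system and is stored where the monitored machine cannot rewrite it (read-only media or a separate host), otherwise a virus that has already run can simply refresh the checksums. And a checker of this type reports that a file changed, not why; a legitimate update and an infection look the same, so findings still need a scanner or a person to interpret them.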
Page 23
A generic mechanism for virus detection.
Rule based.
The rules differentiate a virus from a non-virus.
If a code snippet follows the defined rules, it is marked as a virus.
E.g. F-Secure anti-virus software.
Heuristic Virus Checking
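A rule-based checker in the spirit of this slide, as an added example that is not part of the original slides and not the code of any named product. It serves two passages: the "How a Virus Works" description of a virus that appends itself to a file and redirects the program's start, and the heuristic detection technique here. The rules read the PE section table of a Win32 executable (the file type Sality infects) and flag the traits an appended or polymorphic infection typically leaves: an entry point pointing into the last section, an entry section whose bytes look random (packed or self-encrypting code), and a section that is both writable and executable. `build_pe()` assembles minimal, non-runnable PE images so the checker can be exercised offline; the section names, bodies and both samples are constructed for this example.

```python
import math
import struct
from typing import Dict, List, Tuple

# IMAGE_SCN_* section flags from the PE format (real constants).
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 means random-looking (packed/encrypted)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> Tuple[int, List[Dict[str, object]]]:
    """Return (AddressOfEntryPoint, section table) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    (entry,) = struct.unpack_from("<I", data, e_lfanew + 24 + 16)  # optional header +16
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry, sections


def heuristic_findings(data: bytes) -> List[str]:
    """Apply the rules; each one that fires contributes a readable finding."""
    entry, sections = parse_pe(data)
    findings: List[str] = []
    entry_sec = next((s for s in sections
                      if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    else:
        if len(sections) > 1 and entry_sec is sections[-1]:
            findings.append("entry point in the last section (code appended to the file)")
        body = data[entry_sec["rawptr"]:entry_sec["rawptr"] + entry_sec["rawsize"]]
        if shannon_entropy(body) > 7.0:
            findings.append("entry section is high-entropy (packed or polymorphic code)")
    for s in sections:
        if s["chars"] & SCN_MEM_WRITE and s["chars"] & SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
    return findings


def build_pe(sections: List[Tuple[bytes, int, bytes]], entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image (headers + raw sections) for testing only."""
    opt_size, nsec = 224, len(sections)
    first_raw = (64 + 24 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF   # 512-byte aligned
    image = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64))  # e_lfanew = 64
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    image += opt
    raw_ptr, bodies = first_raw, b""
    for i, (name, chars, body) in enumerate(sections):
        rawsize = (len(body) + 0x1FF) & ~0x1FF
        image += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body),
                             0x1000 * (i + 1), rawsize, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(rawsize, b"\0")
        raw_ptr += rawsize
    return bytes(image) + bytes(first_raw - len(image)) + bodies


def demo() -> Dict[str, List[str]]:
    """Constructed clean image beside one with an appended, random-looking last section."""
    code = SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ
    data = SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE
    stub = b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"\x90" * 500      # tiny prologue plus padding
    clean = build_pe([(b".text", code, stub), (b".data", data, b"hello")], entry_rva=0x1000)
    appended = bytes(range(256)) * 16                         # uniform bytes: entropy 8.0
    infected = build_pe([(b".text", code, stub), (b".data", data, b"hello"),
                         (b".vdata", code | SCN_MEM_WRITE, appended)], entry_rva=0x3000)
    return {"clean": heuristic_findings(clean), "infected": heuristic_findings(infected)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "no findings")
```

Rules like these are what let a heuristic checker catch a virus it has never seen, which a signature dictionary cannot do; the price is false positives, since legitimate packers and some compilers produce the same traits. A real engine therefore weights many such rules rather than treating any single one as a verdict.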