What types of malware are there?

Bots

Short for "robot". Bots are programs designed to automate tasks.

Botnets

A botnet is a group of computers infected with bot programs and controlled from a single command center.

Hoaxes

A hoax is deliberate misinformation sent by email and passed on by an unsuspecting recipient or an uninformed public. Hoaxes usually aim to provoke users into doing things that are actually unwise. A malicious hoax can, for example, provoke a user into deleting important operating system files by declaring those files to be dangerous viruses.


In many cases, hoaxes cite credible institutions and companies to attract the reader's attention, using phrases like "Microsoft warns that..." or "CNN reports...". These messages often warn of harmful or even catastrophic consequences. Such warnings share a common feature: they encourage users to forward the message to everyone they know, which extends the life cycle of the hoax. 99.9% of messages of this kind are false.
Hoaxes cannot spread on their own; the only way to avoid falling for them is to check the accuracy of the information received before taking any action it calls for.

Fraud

In a broad sense, fraud is the deception of computer users for the purpose of financial gain or outright theft. One of the most common types of scam is unsolicited faxes or emails from Nigeria or other West African countries. They look like reasonable business proposals but require an upfront payment from the recipient. These offers are fraudulent, and any payment made by a victim is simply stolen. Other common forms of fraud include phishing attacks by email and through websites. Their goal is to gain access to sensitive data such as bank account numbers, PIN codes, etc. To achieve this, an email is sent to the user from someone posing as a trusted party or business partner (a financial institution, an insurance company).

The email appears genuine and contains graphics and wording that could plausibly have come from the source the sender claims to be. The user is asked to enter personal information such as bank account numbers or usernames and passwords. Such data, if provided, may be intercepted and misused.
It should be noted that banks, insurance companies and other legitimate companies never ask for usernames and passwords in unsolicited email messages.

Potentially dangerous applications

Dangerous applications

Dangerous applications are legitimate programs which, although installed by the user personally, may compromise the security of the computer. Examples are commercial keystroke or screen-capture loggers, remote access tools, password cracking tools and security testing programs.

Malware

The term malware is a contraction of MALicious SoftWARE. Viruses, Trojan horses, worms and bots are all categories of malware.

Additional functions such as data capture, file deletion, disk overwriting or BIOS overwriting may be built into viruses, worms or Trojan horses.

Phishing

The term derives from the word "fishing". Phishing attacks send fabricated emails under the guise of various social and public organisations in order to fraudulently obtain confidential personal information, such as credit card details or passwords.

Rootkits

A rootkit is a set of tools designed for covert control of a computer.

Spyware

Spyware uses the Internet to collect confidential information about the user without their knowledge. Some spyware collects information about the applications installed on the computer and the websites visited. Other programs of this kind are created with far more dangerous intentions: they collect users' financial or personal data for selfish and fraudulent purposes.

Trojans

Trojan horses are malicious programs that, unlike viruses and worms, cannot replicate themselves or infect files. They are usually found as executable files (.EXE, .COM) containing nothing but the Trojan code itself, so the only way to deal with them is to remove them. Trojans have a variety of functions, from intercepting keyboard input (logging and transmitting each keystroke) to deleting files (or formatting a disk). Some of them (backdoor programs) serve a special purpose: they install a so-called "back door" (backdoor).

Viruses

A virus is a program that activates by copying itself into executable objects. Viruses can enter your computer from other infected computers, through storage media (floppy disks, CDs, etc.) or through a network (local or Internet). The different types of viruses and their descriptions are listed below.

  1. File viruses. Viruses that infect files attack executable programs, in particular all files with the EXE and COM extensions.
  2. Script viruses. Script viruses are a type of file virus. They are written in various scripting languages (VBS, JavaScript, BAT, PHP etc.). These viruses either infect other scripts (for example, Windows or Linux command and service files) or are part of multicomponent viruses. Script viruses can infect files of other formats that allow scripts to be executed, for example HTML.
  3. Boot viruses. They attack boot sectors (of a floppy or hard disk) and install their own routines, which are loaded when the computer starts.
  4. Macro viruses. Macro viruses attack documents into which macro commands (macros) can be inserted. These viruses are often embedded in word processing or spreadsheet documents because macros are easily inserted into these types of files.

Viruses can also be classified by their mode of action. Direct-action viruses perform their function immediately after the infected object is activated, whereas resident viruses remain in the computer's memory and act from there.

Worms

Worms are independent programs that "reproduce" by sending copies of themselves across the network. Unlike viruses (which need an infected file to spread, into which they copy themselves), worms spread actively by sending copies of themselves over the local network and the Internet, by email, or through operating system vulnerabilities.
They may also carry an additional payload of malicious programs (for example, they can install backdoor programs, discussed below), although worms are not the only malware with this feature. Worms can cause great harm; they often clog communication channels through DoS (Denial of Service) attacks. Over the Internet, worms can spread throughout the world in a matter of minutes.

Backdoor programs

Backdoor programs (backdoors) are client-server applications that give their developers remote access to your computer. Unlike regular (legitimate) programs with similar functions, backdoor programs establish access without the consent of the owner of the client computer.


Known viruses and their classification

Malware is intrusive or dangerous software designed to gain covert access to a device without the owner's knowledge. There are several types of malware: spyware, adware, phishing, Trojans, ransomware, viruses, worms, rootkits and browser hijackers.

Sources of malware

Malware most often reaches a device via the Internet or email. However, its source can also be hacked sites, demo versions of games, music files, toolbars, miscellaneous software, free subscriptions, and anything else downloaded from the Internet onto a device that lacks anti-malware protection.

How to recognize malware

Slow performance, pop-up messages, spam or malfunctions often indicate that the device is infected with malware. To check if this is the case, you can use a malware scanner (it is part of all malware removal tools).

How to remove malware

The best way to get rid of the problem is to use a reliable malware removal tool, which can be found in any quality antivirus product. Avast Free Antivirus and its anti-malware component can protect you from malware by quickly and easily removing it from your devices. It is not just a tool for removing dangerous programs; it also provides constant, real-time protection against malicious attacks.

How to protect yourself from malware
  • Use powerful antivirus products that can also protect against malware.
  • Do not download files attached to email messages from senders unknown to you.

Anti-malware programs

Using a modern antivirus solution is the most effective way to prevent, detect and remove malware from your computer. The most effective antivirus solution is Avast.

Introduction

A malicious program is a computer program or mobile code designed to threaten the information stored in a computer system, to covertly misuse system resources, or otherwise to interfere with the normal functioning of the computer system.

Malicious software includes network worms, classic file viruses, Trojan horses, hacking tools and other programs that knowingly cause harm to the computer on which they are executed, or to other computers on the network.

Regardless of its type, malware can cause significant damage by realising any of the threats to information: violation of integrity, confidentiality or availability.

The place where malware spreads globally is, of course, the Internet.

The Internet is without doubt a necessity in our time, and for some people it is simply indispensable. In a short time you can find the information you need, catch up on the latest news and communicate with many people, all without leaving your home or office. But do not forget that through this "thick pipe" hackers can easily break into your computer and gain access to your personal information.

Although hardware and software vendors, as well as government officials, adopt the posture of protectors of personal information into which outside intrusion is unacceptable, there are serious reasons to fear that our travels on the Internet will not go unnoticed by someone's "attentive" eyes; anonymity and security are not guaranteed. Hackers can easily read email messages, and Web servers log everything, even the list of Web pages viewed.

1. Evolution of virus systems

The first virus programs

1949. John von Neumann, an American scientist of Hungarian origin, developed a mathematical theory of self-replicating programs. This was the first theory of the creation of computer viruses, and it aroused very limited interest in the scientific community.

In the early 1960s, engineers from the American company Bell Telephone Laboratories, Victor Vyssotsky, Douglas McIlroy and Robert Morris, created the game Darwin. The game assumed the presence in the computer's memory of a so-called supervisor, which determined the rules and order of battle between rival programs written by the players. The programs could explore memory, reproduce and destroy. The point of the game was to delete all copies of the opponent's program and capture the battlefield.

Late 1960s to early 1970s. The first viruses appeared. In a number of cases these were bugs that caused programs to copy themselves, clogging the computers' hard disks and reducing their productivity, but it is believed that in most cases viruses were deliberately created to destroy. Probably the first victim of a real virus, written by a programmer for entertainment, was the Univac 1108 computer. The virus was called Pervading Animal and infected only one computer, the one on which it was created.

Malware today

The problem of malware, adware and spyware, deserves increased attention as one of the most serious troubles modern computer users face every day. Their harmful effect is that they undermine the reliability of the computer, violate privacy and confidentiality, and break the relationships between the computer's protective mechanisms through some combination of spying actions. Such programs often appear without the recipient's knowledge, and even when detected they are difficult to get rid of. A noticeable drop in performance, erratic changes to user settings and the appearance of new dubious toolbars or add-ons are just a few of the unpleasant consequences of a spyware or adware infection. Spyware and other malicious programs can also adapt to subtler modes of computer operation and penetrate deep into the complex mechanisms of the operating system so as to greatly complicate their detection and removal.

Reduced performance is probably the most noticeable effect of malware, since it directly affects the speed of the computer to such an extent that even a layman can notice it. Users may not be very wary when advertising windows keep popping up, even with the computer disconnected from the Internet, but a drop in the responsiveness of the operating system, as threads of malicious code compete with the system and useful programs, clearly indicates that problems have appeared. Program settings change, new features are mysteriously added, unusual processes appear in the task manager (sometimes a dozen of them), or programs behave as if someone else is using them and you have lost control. The side effects of malware (adware or spyware) lead to serious consequences, and yet many users continue to behave carelessly, leaving the door to their computer wide open.

On the modern Internet, on average every thirtieth message is infected with a mail worm, and about 70% of all correspondence is unwanted. As the Internet grows, the number of potential victims of virus writers increases; the release of new operating systems expands the range of possible ways into a system and the variety of possible malicious payloads for viruses. A modern computer user cannot feel safe from the threat of becoming the object of someone's cruel joke: for example, the destruction of the information on the hard drive (the results of long and painstaking work) or the theft of a mail system password. It is just as unpleasant to find oneself the victim of a mass mailing of confidential files or of links to a porn site. In addition to the already common theft of credit card numbers, thefts of the personal data of players of various online games (Ultima Online, Legend of Mir, Lineage, Gamania) have become more frequent. In Russia there have also been cases involving the game "Fight Club", where the real price of some items at auction reaches thousands of US dollars. Virus technologies for mobile devices have developed as well: not only Bluetooth but also ordinary MMS messages (the ComWar worm) are used as a route of penetration.

2. Types of malware

2.1 Computer virus

A computer virus is a type of computer program whose distinctive feature is the ability to reproduce (self-replicate). In addition, viruses can damage or completely destroy all files and data accessible to the user on whose behalf the infected program was launched, and can damage or even destroy the operating system with all its files.

Non-specialists sometimes classify other kinds of malicious programs, such as Trojans and spyware, and even spam, as computer viruses. (Spam is the sending of commercial, political or other advertising, or other kinds of messages, to people who have not expressed a wish to receive them. The legality of mass mailing certain kinds of messages without the recipients' consent may be enshrined in a country's legislation; for example, this may concern warnings of impending natural disasters, mass mobilisation of citizens, etc. In its generally accepted meaning, the term "spam" was first used in Russian in relation to email.) Tens of thousands of computer viruses are known that spread via the Internet throughout the world, causing viral epidemics.

Viruses spread by inserting themselves into the executable code of other programs or by replacing other programs. For some time it was even believed that, being a program, a virus could only infect a program - any change not to a program is not an infection, but simply data corruption. It was understood that such copies of the virus would not gain control, being information not used by the processor as instructions. So, for example, unformatted text could not be a carrier of a virus.

Later, however, attackers realised that not only executable code containing processor machine code can exhibit viral behaviour. Viruses were written in the batch-file language. Then macro viruses appeared, injecting themselves via macros into documents of programs such as Microsoft Word and Excel.

Some time later, hackers created viruses that exploit vulnerabilities in popular software (for example, Adobe Photoshop, Internet Explorer, Outlook) which in the general case processes ordinary data. Viruses began to spread by inserting into data sequences (pictures, texts, etc.) special code that exploits software vulnerabilities.

2.2 Trojan

Malicious effects

A Trojan (also Trojan horse, troy) is a malicious program that penetrates a computer under the guise of a harmless one: a codec, a screensaver, hacker software, etc.

Trojan horses do not have their own propagation mechanism, and this differs from viruses, which spread by attaching themselves to harmless software or documents, and worms, which replicate themselves across the network. However, a Trojan program can carry a viral body - then the person who launched the Trojan turns into a source of “infection”.

Trojan programs are extremely easy to write: the simplest of them consist of several dozen lines of code in Visual Basic or C++.

The name “Trojan program” comes from the name “Trojan horse” - a wooden horse, according to legend, given by the ancient Greeks to the inhabitants of Troy, inside which hid warriors who later opened the gates of the city to the conquerors. This name, first of all, reflects the secrecy and potential deceit of the true intentions of the program developer.

A Trojan program, when launched on a computer, can:

· interfere with the user's work (as a joke, by mistake or to achieve any other purpose);

· spy on the user;

· use computer resources for any illegal (and sometimes causing direct damage) activities, etc.

Trojan disguise

To provoke the user into launching a Trojan, the program file (its name and icon) is given a service-like name, is disguised as another program (for example, the installer of another program) or as a file of a different type, or is simply given an attractive name or icon. An attacker can also recompile an existing program after adding malicious code to its source, and then pass it off as the original or replace the original with it.

To successfully perform these functions, the Trojan can, to one degree or another, imitate (or even completely replace) the task or data file it is masquerading as (installation program, application program, game, application document, picture). Similar malicious and camouflage functions are also used by computer viruses, but unlike them, Trojan programs cannot spread on their own.
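The two disguises described above, a decoy double extension and an executable named as if it were a document or picture, can both be checked mechanically. The script below is an added example and not code from the original article: it compares each file's claimed extension against its leading bytes (the DOS "MZ" stub and "PE\0\0" signature of a Windows executable, or the magic number of a known data format). All sample files, including the minimal PE header, are constructed in memory for the demonstration; the file names are hypothetical.

```python
"""Flag files whose name suggests inert data but whose contents are executable."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

# Extensions Windows will execute on double-click.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "msi", "dll"}
# Extensions a user expects to be harmless data.
DATA_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt", "mp3"}
# Leading bytes (magic numbers) of common data formats.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "mp3": b"ID3",
}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


@dataclass
class Verdict:
    name: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect(name: str, data: bytes) -> Verdict:
    """Compare what the file name claims with what the first bytes say."""
    v = Verdict(name)
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # 1. Decoy double extension: "holiday.jpg.exe" shows as "holiday.jpg" when extensions are hidden.
    if ext in EXECUTABLE_EXTS and any(p in DATA_EXTS for p in parts[1:-1]):
        v.reasons.append(f"decoy double extension .{parts[-2]}.{ext}")
    # 2. The bytes are a PE executable but the name claims a data file.
    if is_pe_image(data) and ext not in EXECUTABLE_EXTS:
        v.reasons.append(f"PE executable disguised as .{ext}")
    # 3. The bytes do not match the format the extension announces.
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected) and not is_pe_image(data):
        v.reasons.append(f"header does not match .{ext} format")
    return v


def _fake_pe() -> bytes:
    """Constructed stand-in: a valid MZ stub plus PE signature, not a real program."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample set (hypothetical names and contents).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # genuine JPEG header
    "holiday.jpg.exe": _fake_pe(),                       # decoy double extension
    "invoice.pdf": _fake_pe(),                           # executable named as a PDF
    "photo.png": b"GIF89a" + b"\x00" * 32,               # wrong format for the extension
    "setup.exe": _fake_pe(),                             # ordinary executable, nothing to flag
}


def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Return the list of reasons each sample was flagged (empty list = looks consistent)."""
    return {n: inspect(n, d).reasons for n, d in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name:18s} {'SUSPICIOUS: ' + '; '.join(reasons) if reasons else 'ok'}")
```

A real deployment would read the first few hundred bytes of each incoming file and apply the same three checks; a file that fails any of them is not proof of a Trojan, but it is exactly the mismatch between appearance and content that the disguise relies on.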

Spreading

Trojan programs are placed by the attacker on open resources (file servers, writable drives of the computer itself) or storage media, or are sent via messaging services (for example, email) in the expectation that they will be launched on a specific target computer, on one belonging to a certain circle, or on an arbitrary one.

Sometimes the use of Trojans is only part of a planned multi-stage attack on certain computers, networks or resources (including third parties).

Removal methods

Trojans come in many types and forms, so there is absolutely no reliable protection from them.

To detect and remove Trojans, you must use antivirus programs. If the antivirus detects a Trojan but reports that it cannot remove it, you can try booting the OS from an alternative medium and repeating the scan. A detected Trojan can also be removed manually (safe mode is recommended).

It is extremely important to regularly update the signature database of the antivirus installed on your computer so that it can detect Trojans and other malware, since many new malicious programs appear every day.

2.3 Spyware

Definition

Spyware (spyware) is a program that is secretly installed on a computer in order to fully or partially control the operation of the computer and the user without the latter’s consent.

Currently there are many definitions and interpretations of the term spyware. The Anti-Spyware Coalition, which includes many major manufacturers of anti-spyware and antivirus software, defines it as monitoring software installed and used without proper notification of the user, without the user's consent and outside the user's control, that is, installed without authorisation.

Features of operation

Spyware can perform a wide range of tasks, for example:

· collect information about Internet usage habits and the most frequently visited sites (tracking program);

· record keystrokes (keyloggers) and capture screenshots (screen scrapers), and subsequently send the information to the creator of the spyware;

· unauthorized and remote control of a computer (remote control software) – backdoors, botnets, droneware;

· install additional programs on the user's computer;

· used for unauthorized analysis of the state of security systems (security analysis software) - port and vulnerability scanners and password crackers;

· change operating system parameters (system modifying software) - rootkits, control interceptors (hijackers), etc. - resulting in a decrease in the speed of the Internet connection or loss of the connection as such, opening other home pages or deleting certain programs;

· redirect browser activity, which entails visiting websites blindly with the risk of virus infection.

Legal uses of "potentially unwanted technologies"

· Tracking Software (tracking programs) are widely and completely legally used for monitoring personal computers.

· Adware may be openly included in free and shareware software, the user agreeing to view advertising in exchange for some benefit (for example, being able to use the program free of charge). In that case the presence of the advertising component must be stated explicitly in the end-user licence agreement (EULA).

· Remote control and administration programs can be used for remote technical support or for access to one's own resources on a remote computer.

· Dialers can provide access to resources the user needs (for example, dialling an Internet provider to connect to the Internet).

· Programs for system modification can also be used for personalization desired by the user.

· Automatic download programs can be used to automatically download application updates and OS updates.

· Programs for analysing the state of the security system are used to study the security of computer systems and for other completely legal purposes.

· Passive tracking technologies can be useful in personalizing the web pages a user visits.

History and development

According to 2005 data from AOL and the National Cyber-Security Alliance, 61% of surveyed computers contained some form of spyware; 92% of those users were unaware of its presence, and 91% said they had not authorised its installation.

By 2006, spyware had become one of the prevailing security threats to computer systems running Windows. Computers that use Internet Explorer as their primary browser are particularly vulnerable, not because Internet Explorer is the most widely used browser, but because its tight integration with Windows allows spyware to reach key parts of the OS.

Before the release of Internet Explorer 7, the browser automatically presented an installation prompt for any ActiveX component a website wanted to install. The combination of users' naive ignorance about spyware and Internet Explorer's assumption that all ActiveX components are harmless contributed to the mass distribution of spyware. Many spyware components also exploit flaws in JavaScript, Internet Explorer and Windows to install themselves without the user's knowledge or permission.

The Windows registry contains many keys whose values, once modified, cause a program to run automatically when the OS boots. Spyware can use this mechanism to survive uninstallation and removal attempts.

Spyware usually hooks itself into every location in the registry that allows execution. Once running, it periodically checks whether any of these entries has been deleted and, if so, restores it automatically. This ensures that the spyware runs at every OS boot even if some (or most) of its startup entries are removed.
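The defender's counterpart to the persistence trick just described is to keep a baseline of the autorun keys and re-check it: an entry that reappears after removal, that changes its command line, or that points into a user-writable directory is what to look for. The script below is an added example, not code from the original article. It parses the text produced by `reg export` for the Run and RunOnce keys (the key paths are real; the entries, user name and program paths in the two snapshots are constructed for the demonstration) and reports the differences.

```python
"""Audit Windows autorun entries from .reg export text against a stored baseline."""
import re
from typing import Dict, List, Tuple

# Real registry locations that start programs at logon (there are others,
# such as Winlogon and Services, which a full audit would add).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Directories an unprivileged process can write to; startup items living
# here deserve a closer look than those under Program Files or Windows.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed baseline snapshot from a clean machine (sample data, hypothetical products).
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AudioTray"="C:\\Program Files\\ExampleAudio\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CloudSync"="C:\\Program Files\\ExampleCloud\\sync.exe /background"
'''

# Constructed later snapshot: one legitimate entry now points somewhere else,
# a new entry sits in Temp, and an unrelated key is present as noise.
CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AudioTray"="C:\\Program Files\\ExampleAudio\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CloudSync"="C:\\Users\\alice\\AppData\\Roaming\\svc\\sync.exe /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"

[HKEY_CURRENT_USER\Software\Example\Settings]
"Theme"="dark"
'''

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Turn [key] / "name"="value" lines into {key: {name: value}}; other value types are ignored."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                # .reg files escape backslashes and quotes inside string values.
                value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                result[current][m.group(1)] = value
    return result


def autorun_entries(parsed: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """Keep only values under the known autorun keys, keyed by (key, value name)."""
    return {(k, n): v for k, d in parsed.items() if k in AUTORUN_KEYS for n, v in d.items()}


def audit(baseline_text: str, current_text: str) -> List[Tuple[str, str, str]]:
    """Return (finding, value name, command) tuples describing how current differs from baseline."""
    base = autorun_entries(parse_reg_export(baseline_text))
    now = autorun_entries(parse_reg_export(current_text))
    findings = []
    for (key, name), value in sorted(now.items()):
        if (key, name) not in base:
            findings.append(("new", name, value))
        elif base[(key, name)] != value:
            findings.append(("changed", name, value))
        if any(d in value.lower() for d in USER_WRITABLE):
            findings.append(("user-writable path", name, value))
    for (key, name), value in sorted(base.items()):
        if (key, name) not in now:
            findings.append(("removed", name, value))
    return findings


if __name__ == "__main__":
    for kind, name, cmd in audit(BASELINE_REG, CURRENT_REG):
        print(f"[{kind}] {name}: {cmd}")
```

Run on a live machine the baseline should be captured right after a clean install and stored where the spyware cannot edit it; repeating the audit on a schedule turns the "restore my entry" behaviour into a recurring "new" finding that gives the infection away.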

Spyware, viruses and network worms

Unlike viruses and network worms, spyware usually does not reproduce itself. Like many modern viruses, spyware is introduced into a computer primarily for commercial purposes. Typical manifestations include displaying pop-up advertisements, stealing personal information (including financial information such as credit card numbers), tracking website browsing habits, or redirecting browser requests to advertising or pornography sites.

Telephone scam

Spyware creators can also commit fraud over telephone lines using dialer programs. A dialer reconfigures the modem to call premium-rate numbers instead of the regular ISP. Connections to these numbers are billed at international or intercontinental rates, resulting in exorbitant phone bills. Dialers have no effect on computers without a modem or not connected to a telephone line.

Treatment and prevention methods

When spyware becomes more than a nuisance, there are a number of ways to combat it. These include programs designed to remove spyware or block its installation, as well as practical advice to users aimed at reducing the likelihood of spyware entering the system.

Spyware nevertheless remains a costly problem. When a significant number of spyware components have infected the OS, the only remedy is to back up the user's data files and completely reinstall the OS.

Antispyware programs

Programs such as Ad-Aware from Lavasoft (free for non-commercial use, additional services paid) and Spyware Doctor from PC Tools (free scan, paid removal) quickly gained popularity as effective removal tools and, in some cases, as barriers against spyware. In 2004 Microsoft acquired GIANT AntiSpyware, renamed it Windows AntiSpyware beta and released it as a free download for registered users of Windows XP and Windows Server 2003. In 2006 Microsoft renamed the beta Windows Defender, which has been available as a free download (for registered users) since October 2006 and is included as a standard tool in Windows Vista.

2.4 Network worms

A network worm is a type of self-reproducing computer program that spreads through local and global computer networks. A worm is an independent program.

Some of the first experiments in using computer worms for distributed computing were conducted at the Xerox Palo Alto Research Center by John Shoch and Jon Hupp in 1978. The term was influenced by the science fiction novels "When HARLIE Was One" by David Gerrold and "The Shockwave Rider" by John Brunner.

One of the most famous computer worms is the Morris Worm, written by Robert Morris Jr., who was a student at Cornell University at the time. The spread of the worm began on November 2, 1988, after which the worm quickly infected a large number of computers connected to the Internet.

Distribution Mechanisms

Worms can use various mechanisms (“vectors”) for propagation. Some worms require a specific user action to spread (for example, opening an infected message in an email client). Other worms can spread autonomously, selecting and attacking computers in a fully automatic manner. Sometimes there are worms with a whole range of different propagation vectors, victim selection strategies, and even exploits for different operating systems.

Structure

So-called RAM-resident worms are often distinguished as a separate class: they infect a running program and reside in RAM without touching the hard disks. Such worms can be removed by restarting the computer (which clears RAM). They consist mainly of an "infectious" part, an exploit (shellcode), and a small payload (the worm body itself), which lives entirely in RAM. Their peculiarity is that they are not loaded through the loader like ordinary executable files, so they can rely only on dynamic libraries already loaded into memory by other programs.

There are also worms that, after successfully infecting memory, save code to the hard drive and arrange for it to run later (for example, by writing the corresponding keys in the Windows registry). Such worms can be removed only with an antivirus or similar tools. Often the infectious part of such a worm (exploit, shellcode) contains a small payload that is loaded into RAM and can then "pull" the worm itself over the network as a separate file; for this purpose some worms carry a simple TFTP client in the infectious part. The worm body loaded in this way (usually a separate executable file) is then responsible for further scanning and spreading from the infected system, and may also carry a more serious, fully fledged payload whose purpose might be, for example, to cause harm (DoS attacks).

Most email worms are distributed as a single file. They do not need a separate “infection” part, since usually the victim user, using an email client, voluntarily downloads and launches the entire worm.

2.5 Rootkits

A rootkit is a program or set of programs that hides system objects (files, processes, drivers, services, registry keys, open ports, connections, etc.) by bypassing the system's own mechanisms.

The term rootkit historically comes from the world of Unix, where the term refers to a set of utilities that a hacker installs on a hacked computer after gaining initial access. These are, as a rule, hacker tools (sniffers, scanners) and Trojan programs that replace the main Unix utilities. A rootkit allows a hacker to gain a foothold in a compromised system and hide traces of his activities.

On Windows, the term rootkit usually refers to a program that injects itself into the system and intercepts system functions or replaces system libraries. Intercepting and modifying low-level API functions lets such a program mask its presence in the system well enough to escape detection by the user and by antivirus software. In addition, many rootkits can hide any processes, folders, files on disk or registry keys named in their configuration. Many rootkits also install their own drivers and services (which are, naturally, "invisible" as well).

Recently the rootkit threat has become increasingly relevant, as authors of viruses, Trojans and spyware have begun to embed rootkit technology in their malware. One classic example is the Trojan-Spy.Win32.Qukart program, which masks its presence in the system using rootkit technology. Its rootkit mechanism works on Windows 95, 98, ME, 2000 and XP.

Classification of rootkits

Conventionally, all rootkit technologies can be divided into two categories:

· Rootkits operating in user mode (user-mode)

· Rootkits running in kernel mode (kernel-mode)

Also, rootkits can be classified according to their operating principle and persistence. Based on the operating principle:

· Changing algorithms for performing system functions.

· Changing system data structures.

3. Signs that your computer is infected with a virus. Actions to take if an infection is detected

The presence of viruses on a computer is difficult to detect because they hide among ordinary files. This article describes in more detail the signs that a computer is infected, methods for recovering data after a virus attack, and measures to prevent data from being damaged by malware.

Signs of infection:

· unexpected messages or images appearing on the screen;

· unexpected sound signals;

· the CD-ROM drive tray opening and closing unexpectedly;

· programs launching on your computer by themselves, without your involvement;

· if a firewall is installed on your computer, warnings that one of your programs is attempting to access the Internet even though you did not initiate this in any way.

If you notice something like this happening to your computer, it is highly likely that your computer is infected with a virus.

In addition, there are some characteristic signs of being infected by a virus via email:

· friends or acquaintances tell you about messages from you that you did not send;

· in your mailbox there are a large number of messages without a return address and header.

It should be noted that such symptoms are not always caused by the presence of viruses. Sometimes they can be a consequence of other reasons. For example, in the case of mail, infected messages may be sent with your return address, but not from your computer.

There are also indirect signs that your computer is infected:

· frequent freezes and computer malfunctions;

· slow operation of the computer when launching programs;

· inability to load the operating system;

· disappearance of files and directories or distortion of their contents;

· frequent access to the hard drive (the light on the system unit blinks frequently);

· the Internet browser freezes or behaves unexpectedly (for example, the program window cannot be closed).

In 90% of cases, the presence of indirect symptoms is caused by a hardware or software failure. Although such symptoms are unlikely to indicate an infection, if they appear it is recommended to run a full scan of the computer with the antivirus program installed on it.

Actions to take if an infection is detected:

1. Disconnect your computer from the Internet (from the local network).

2. If the symptom of infection is that you cannot boot from the computer's hard drive (the computer gives an error when you turn it on), try booting in Safe Mode or from the Windows emergency boot disk that you created when installing the operating system on the computer.

3. Before taking any action, save the results of your work to external media (floppy disk, CD, flash drive, etc.).

4. Install an antivirus if you do not have any antivirus programs installed on your computer.

5. Get the latest updates for your anti-virus databases. If possible, obtain them not from your own computer but from an uninfected one: a friend's computer, an Internet cafe, or your workplace. Using another computer is better because, while an infected computer is connected to the Internet, the virus may send important information to attackers or spread itself to the addresses in your address book. That is also why, if you suspect an infection, you should disconnect from the Internet immediately.

6. Run a full scan of your computer.

4. Anti-malware methods


There is no 100% protection against all malware: no one is immune to outbreaks like Sasser or Conficker. To reduce the risk of losses from malware, we recommend:

· use modern operating systems with a high level of built-in protection against malware;

· install patches in a timely manner; if there is an automatic update mode, enable it;

· always work on a personal computer under a standard user account rather than as an administrator; this prevents most malicious programs from installing themselves on the computer;

· use specialized software products that counter malware with so-called heuristic (behavioral) analyzers, that is, ones that do not require a signature database;

· use anti-virus products from well-known vendors, with automatic updating of signature databases;

· use a personal firewall that controls access to the Internet from the personal computer based on policies set by the user;

· restrict physical access to the computer by unauthorized persons;

· use external media only from trusted sources;

· do not open files received from unreliable sources;

· disable autorun from removable media, so that code on such media cannot run without the user's knowledge (in Windows: gpedit.msc -> Administrative Templates (User Configuration) -> System -> Disable Autorun -> Enabled, “on all drives”).

Modern protection against the various forms of malware includes many software components and methods for telling “good” applications from “bad” ones. Today, antivirus vendors build scanners for spyware and other malicious code into their products, so everything possible is done to protect the end user. However, no anti-spyware package is perfect. One product may be too aggressive, blocking programs at the slightest suspicion and “cleaning out” useful utilities that you use regularly. Another is friendlier to programs but may miss some spyware. So, unfortunately, there is no panacea.

Unlike antivirus packages, which regularly score 100% detection in professional testing by experts such as Virus Bulletin, no anti-adware package scores above 90%, and many other products measure between 70% and 80%.

This explains why using, for example, an antivirus and an anti-spyware program at the same time is the best way to protect your system fully from dangers that may arrive unexpectedly. Practice shows that one package should be used as a permanent “blocker” that loads every time the computer is turned on (for example, AVP 6.0), while another package (or several) should be run at least once a week to provide additional scanning (e.g. Ad-Aware). Thus, what one package misses, another can detect.

5. Classification of antivirus programs

Types of antivirus programs

In 1992 Evgeny Kaspersky used the following classification of antiviruses according to their operating principle (which determines their functionality):

· Scanners (outdated term: “polyphages”) – detect the presence of a virus using a database that stores virus signatures (or their checksums). Their effectiveness depends on how up to date the virus database is and on whether a heuristic analyzer is present (see: Heuristic scanning).

· Auditors (a class close to IDS) – record the state of the file system, which makes it possible to analyze changes later.

· Watchmen (monitors) – monitor potentially dangerous operations and prompt the user to allow or deny each operation.

· Vaccines – modify the inoculated file so that the virus against which it is inoculated considers the file already infected. In modern (2007) conditions, when the number of possible viruses is measured in hundreds of thousands, this approach is not applicable.
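The scanner type described above, as an added example (not code from the page or from any antivirus product it names): detection by a database of byte signatures with `??` single-byte wildcards, by SHA-256 checksums of known samples, and by one simple heuristic (high byte entropy, typical of packed or encrypted code). The EICAR string is the real, harmless industry test-file signature; the other signature, the checksum entry and all samples are constructed for this example.

```python
import hashlib
import math
import re

# Real, harmless industry test-file string (EICAR). Everything else in this
# database is constructed for the example and matches no real malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Byte signatures as hex tokens; "??" is a single-byte wildcard, so one entry
# can cover variants that differ only in a few bytes (a version field, a size).
SIGNATURES = [
    ("EICAR-Test-File",  # first 33 bytes of the EICAR string
     "58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35 34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 43 41 52"),
    ("Constructed.Dropper.A",  # "MZ" ?? ?? "PE\0\0" ?? ?? "CONSTRUCTED"
     "4D 5A ?? ?? 50 45 00 00 ?? ?? 43 4F 4E 53 54 52 55 43 54 45 44"),
]

# Checksum database: exact-match detection of whole samples (cheap, but a single
# changed byte defeats it, which is why signatures and heuristics also exist).
CONSTRUCTED_SAMPLE_B = b"constructed sample B: detected by checksum only\n"
KNOWN_BAD_SHA256 = {
    hashlib.sha256(CONSTRUCTED_SAMPLE_B).hexdigest(): "Constructed.Sample.B",
}

ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random data approaches 8.0
ENTROPY_MIN_SIZE = 256    # entropy of tiny inputs is meaningless


def compile_signature(hex_pattern):
    """Turn 'AA ?? BB' into a compiled bytes regex; '??' becomes '.' (any byte)."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = [(name, compile_signature(pattern)) for name, pattern in SIGNATURES]


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_bytes(data):
    """Return detection names for data; an empty list means nothing was found."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        hits.append(KNOWN_BAD_SHA256[digest])
    for name, pattern in COMPILED:
        if pattern.search(data):
            hits.append(name)
    # Heuristic: near-uniform byte distribution suggests packed/encrypted content.
    if len(data) >= ENTROPY_MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
        hits.append("Heuristic.HighEntropy")
    return hits


def scan_file(path):
    """Scan one file on disk with the same three methods."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


if __name__ == "__main__":
    samples = {  # constructed inputs, except the EICAR test string
        "eicar.com": EICAR,
        "dropper.exe": b"MZ\x90\x00PE\x00\x00\x01\x02CONSTRUCTED payload",
        "sample_b.bin": CONSTRUCTED_SAMPLE_B,
        "packed.bin": bytes(range(256)) * 4,   # maximum-entropy bytes
        "notes.txt": b"nothing suspicious here",
    }
    for name, data in samples.items():
        print(f"{name:14} {scan_bytes(data) or ['clean']}")
```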

Modern antiviruses combine all of the above functions.
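An added example of the “auditor” class described above, not code from the page or from any product it names: it records the SHA-256 digest and size of every file under a directory as a baseline and later reports which files were added, removed or modified. It assumes the baseline is taken on a known-clean system and stored off the host, because an auditor reads files through the operating system and a rootkit or stealth virus can feed it uninfected copies.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to size and digest.

    Symlinks are skipped so a link planted inside the tree cannot make the
    auditor hash (or follow) files outside it.
    """
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = {"size": os.path.getsize(full), "sha256": file_digest(full)}
    return state


def save_baseline(state, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(state, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences between two snapshots.

    A changed digest is reported even when the size is unchanged: a virus that
    overwrites code in place keeps the size, so size alone is not enough.
    """
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a tree, tamper with it, report the differences."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        _write(root, "bin/ls", b"constructed ls binary: jmp start; nop; nop")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "lib/libc.so", b"constructed shared library image")
        baseline_path = os.path.join(vault, "baseline.json")  # vault = off-host store
        save_baseline(snapshot(root), baseline_path)

        # Tampering: same-size in-place patch, a dropped hidden file,
        # and a deleted configuration file.
        _write(root, "bin/ls", b"constructed ls binary: jmp evil_; nop; nop")
        _write(root, "tmp/.cache", b"dropped by constructed malware")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`demo()` builds a small constructed tree, tampers with it and returns the report; in real use `snapshot()` would run over the protected directories and the stored baseline would be compared against each later scan.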

Antiviruses can also be divided into:

Products for home users:

· antiviruses proper;

· Combined products (for example, antispam, firewall, anti-rootkit, etc. are added to the classic antivirus);

Corporate Products:

· Server antiviruses;

· Antiviruses on workstations (“endpoint”).

Modern antivirus protection tools and their main functional features

BitDefender Antivirus Plus v10.

Main functional features:

· Heuristics in Virtual Environment function – emulation of a virtual machine, with the help of which potentially dangerous objects are scanned using heuristic algorithms;

· automatic checking of data transmitted via the POP3 protocol, with support for the most popular email clients (MS Exchange, MS Outlook, MS Outlook Express, Netscape, Eudora, Lotus Notes, Pegasus, The Bat and others);

· protection against viruses spreading through Peer-2-Peer file-sharing networks;

· creating a personal spam list for the user.

Minimum system requirements: Intel Pentium II 350 MHz CPU, 128 MB RAM, 60 MB free hard disk space, Windows 98/NT/Me/2000/XP.

Eset NOD32 2.5

· heuristic analysis to detect unknown threats;

· ThreatSense technology – file analysis to detect viruses, spyware, unsolicited advertising (adware), phishing attacks and other threats;

· checking and removing viruses from write-locked files (for example, DLLs protected by the Windows security system);

· checking of the HTTP, POP3 and PMTP protocols.

Minimum system requirements: Intel Pentium processor, 32 MB RAM, 30 MB free hard disk space, Windows 95/98/NT/Me/2000/XP.

Kaspersky Anti-Virus 6.0

Main functional features:

· traffic checking at the POP3, IMAP and NNTP protocol level for incoming messages and SMTP for outgoing messages, special plugins for Microsoft Outlook, Microsoft Outlook Express and The Bat!;

· warning the user when changes to normal processes are detected, and when hidden, dangerous or suspicious processes are found;

· control of changes made to the system registry;

· blocking dangerous Visual Basic for Applications macros in Microsoft Office documents.

Minimum system requirements: Intel Pentium 133 MHz processor, 32 MB RAM, 50 MB free hard disk space, Microsoft Windows 98/NT/2000/Me/XP.

McAfee VirusScan Pro 10 (2006)

Main functional features:

· protection against viruses, macro viruses, Trojans, Internet worms, spyware, adware, malicious ActiveX and Java controls;

· automatic checking of incoming (POP3) and outgoing (SMTP) email;

· ScriptStopper and WormStopper technologies to block malicious activity of scripts and worms.

Minimum system requirements: Intel Pentium 133 MHz processor, 64 MB RAM, 40 MB free hard disk space, Windows 98/Me/2000/XP.

Dr. Web 4.33a

Main functional features:

· protection against worms, viruses, Trojans, polymorphic viruses, macro viruses, spyware, dialers, adware, hacker utilities and malicious scripts;

· updating anti-virus databases up to several times per hour, the size of each update is up to 15 KB;

· checking the computer's system memory to detect viruses that do not exist in the form of files (for example, CodeRed or Slammer);

· a heuristic analyzer that allows you to neutralize unknown threats before the corresponding virus database updates are released.

Minimum system requirements: Windows 95/98/NT/Me/2000/XP; the hardware requirements correspond to those stated for the specified OS.

Conclusion

If you have never encountered computer viruses before, you will certainly encounter them. There was a time when anti-virus software was only just appearing while viruses were already in full force, causing millions of dollars in losses every day. Today viruses can still make our lives unbearable, but in most cases even an average user can clean malware off their PC. Just a few years ago you had to format the hard drive completely and start all over again, and even that did not always give the desired result.

Remember: to protect your computer, you need an installed and updated antivirus program. Don’t fall for scammers’ tricks, ignore spam, and be careful when installing unlicensed programs on your PC.


CONCEPT AND TYPES OF MALWARE

The first reports of harmful programs deliberately and covertly introduced into the software of various computer systems appeared in the early 80s. The name “computer viruses” comes from their similarity to a biological prototype in terms of the ability to reproduce independently. Some other medical and biological terms were also carried over into the new computer field, for example mutation, strain, vaccine, etc. Reports of programs that, when certain conditions occur, begin to perform harmful actions (for example, destroying the information stored in the system after a certain number of launches), but which do not have the ability to self-replicate characteristic of viruses, appeared much earlier.

1. Trapdoor. A condition that facilitates the implementation of many types of information security threats in information technologies is the presence of “trapdoors”. A trapdoor is usually inserted into a program at the debugging stage to make work easier: such a module can be called from different places, which allows individual parts of the program to be debugged independently. The presence of a trapdoor allows the program to be called in a non-standard way, which may affect the state of the security system. Trapdoors can remain in a program for various reasons. Detecting trapdoors is the result of a random and labor-intensive search. There is only one protection against trapdoors: do not allow them to appear in the program, and when accepting software products developed by other manufacturers, analyze the programs' source texts in order to detect trapdoors.

2. Logic bombs are used to distort or destroy information; less often, they are used to commit theft or fraud. A logic bomb is sometimes inserted during program development and is triggered when some condition is met (time, date, code word). Manipulation with logic bombs is typically done by dissatisfied employees who are planning to leave the organization, but it can also be done by consultants, employees with certain political convictions, etc. A real example of a logic bomb: a programmer, anticipating his dismissal, makes certain changes to the payroll program that take effect when his name disappears from the company's personnel data set.

3. Trojan horse – a program that, in addition to its main (i.e., designed and documented) actions, performs additional actions not described in the documentation. The analogy with the ancient Greek Trojan horse is justified: in both cases a threat lurks in an unsuspicious shell. A Trojan horse is an additional block of commands inserted in one way or another into an originally harmless program, which is then passed on (given away, sold) to IT users. This block of commands can be triggered when a certain condition occurs (date, time, an external command, etc.). A Trojan horse usually acts within the authority of one user but in the interests of another user, or even of an outsider whose identity is sometimes impossible to establish. A Trojan horse can perform the most dangerous actions if the user who launched it has an extended set of privileges. In this case, an attacker who created and planted the Trojan horse but does not have these privileges himself can perform unauthorized privileged functions through someone else's hands. A radical way to protect against this threat is to create a closed environment for running programs.



4. Worm – a program that spreads through the network and does not leave a copy of itself on magnetic media.

The worm uses network support mechanisms to determine which host can be infected. Then, using the same mechanisms, it transfers its body, or part of it, to that node and either activates or waits for suitable conditions to do so. A suitable environment for a worm to spread is a network in which all users are considered friendly and trust each other, and there are no protective mechanisms. The best protection against a worm is to take precautions against unauthorized network access.

5. Password grabber – programs specifically designed to steal passwords. When a user tries to access a workstation, the screen shows what looks like the normal prompt for starting a work session. On attempting to log in, the user enters a name and password, which are sent to the owner of the intruder program, after which an error message is displayed and input and control are returned to the operating system. The user, thinking he made a mistake when typing the password, logs in again and gains access to the system. However, the user's name and password are now known to the owner of the intruder program. Password interception is also possible in other ways. To prevent this threat, before logging in you must make sure that you are entering your name and password into the system's own login program and not into some other program. In addition, you must strictly adhere to the rules for using passwords and working with the system. Most violations occur not because of clever attacks but because of simple negligence. Compliance with specially developed rules for using passwords is a necessary condition for reliable protection.

7. Computer virus. It is customary to call a computer virus a specially written, usually small program that is capable of spontaneously attaching itself to other programs (i.e., infecting them), creating copies of itself (not necessarily identical to the original) and introducing them into files, system areas of a personal computer and other computers connected to it, with the aim of disrupting the normal operation of programs, damaging files and directories, and creating various interference when working on a computer.

TYPES OF COMPUTER VIRUSES, THEIR CLASSIFICATION

Most viruses function by modifying the PC's system files so that the virus begins its activity every time the personal computer is booted. Some viruses infect system boot files, others specialize in various program files. Whenever a user copies files onto a computer storage medium or sends infected files over a network, the transmitted copy of the virus tries to install itself on the new disk. All actions of the virus can be performed quite quickly and without issuing any messages, so the user often does not notice that the PC is infected and does not have time to take appropriate measures. To analyze the effects of computer viruses, the concept of the virus life cycle is used, which includes four main stages:

1. Implementation

2. Incubation period (primarily to hide the source of penetration)

3. Reproduction (self-propagation)

4. Destruction (distortion and/or destruction of information)

The targets of computer viruses can be divided into two groups:

1. In order to prolong their existence, viruses infect other programs, and not all of them, but those that are used most often and/or have a high priority in the information technology;

2. Viruses most often act with destructive purposes on data, and less often on programs.

Methods of manifestation of computer viruses include:

Slowdown of the personal computer, including freezing and stopping;

Changing data in the corresponding files;

Inability to load the operating system;

Termination of operation or incorrect operation of a previously successfully functioning user program;

Increasing the number of files on disk;

Changing file sizes;

Malfunction of the operating system, which requires periodic rebooting;

Periodic appearance of inappropriate messages on the monitor screen;

The appearance of sound effects;

Reducing the amount of free RAM;

A noticeable increase in hard drive access time;

Changing the date and time of file creation;

Destruction of the file structure (disappearance of files, corruption of directories);

The disk drive indicator light comes on when the user is not accessing the drive;

Formatting a disk without user command, etc.

Viruses can be classified according to the following characteristics:

1. By habitat, viruses are classified into the following types:

· boot viruses are embedded in the boot sector of a disk or in the sector containing the system disk's boot program;

· file viruses are embedded mainly in executable files with the extensions .COM and .EXE;

· system viruses penetrate system modules and peripheral device drivers, file allocation tables and partition tables;

· network viruses live in computer networks;

· file-boot viruses infect both the boot sectors of disks and application program files.

2. According to the degree of impact on the resources of computer systems and networks, the following stand out:

harmless viruses, which have no destructive effect on the operation of a personal computer but can fill up RAM as a result of their reproduction;

non-hazardous viruses, which do not destroy files but reduce free disk space, display graphic effects on the screen, create sound effects, etc.;

dangerous viruses, which often lead to various serious disruptions in the operation of a personal computer and of the whole information technology;

destructive viruses, which lead to the erasure of information and complete or partial disruption of application programs, etc.

3. According to the method of infecting the habitat, viruses are divided into the following groups:

resident viruses: when a computer is infected, they leave their resident part in RAM, which then intercepts the operating system's calls to other infection targets, infiltrates them and carries out its destructive actions until the computer is turned off or rebooted. A resident program is a program that is permanently located in the RAM of a personal computer;

non-resident viruses do not infect the RAM of a personal computer and are active for a limited time.

4. The algorithmic features of a virus's construction influence its manifestation and functioning. The following types of viruses are distinguished:

§ replicators, which due to their rapid reproduction lead to overflow of main memory; destroying replicator programs becomes more difficult if the reproduced programs are not exact copies of the original;

§ mutating viruses change over time and reproduce themselves; at the same time, when self-reproducing, they create copies that are clearly different from the original;

§ stealth viruses (invisible viruses) intercept calls from the operating system to infected files and disk sectors and substitute uninfected objects in their place. When accessing files, such viruses use rather original algorithms that allow them to “deceive” resident anti-virus monitors;

§ macro viruses use the capabilities of macro languages built into office data processing programs (text editors, spreadsheets, etc.).

Malicious program – any software designed to gain unauthorized access to the computing resources of the computer itself or to information stored on it, for the purpose of unauthorized use of computer resources or of causing harm to the owner of the information (or the owner of the computer) by copying, distorting, deleting or substituting information.

Malicious software is divided into three main classes: computer viruses, network worms, and Trojan horses. Let's look at each of them in more detail.

Computer viruses

This class of malware is the most common among the others.

A computer virus is a type of computer program, the distinctive feature of which is the ability to reproduce (self-replication). In addition to this, viruses can damage or completely destroy all files and data controlled by the user on whose behalf the infected program was launched, as well as damage or even destroy the operating system with all files as a whole.

Usually a virus gets onto a user's personal computer through the fault of the user himself, who does not check incoming information with an antivirus program, as a result of which infection occurs. There are quite a few ways to “infect” a computer with a classic virus (external storage media, Internet resources, files distributed over the network).

Viruses are divided into groups according to two main characteristics: by habitat, by method of infection.

Based on their habitat, viruses are divided into:

· file viruses (injected into executable files);

· boot viruses (injected into the boot sector of the disk or into the sector containing the hard drive's system boot loader);

· network viruses (distributed over a computer network);

· combined viruses (for example, file-boot viruses that infect both files and the boot sector of the disk; these viruses have an original way of penetrating and a complex operating algorithm).

According to the method of infection they are divided into:

Network worms

The next big class of malware is called “Network Worms.”

A network worm is malicious program code that spreads copies of itself over local and/or global networks in order to infiltrate a computer, launch its copy on that computer and spread further. To spread, worms use email, IRC networks, LANs, data exchange networks between mobile devices, etc. Most worms are distributed in files (attachments to messages, links to files). But there are also worms that spread in the form of network packets. Such varieties penetrate directly into the computer's memory and immediately begin to act as resident code. Several methods are used to penetrate a victim computer: self-directed (packet worms), user-directed (social engineering), and exploiting various flaws in the security systems of the operating system and applications. Some worms have the properties of other types of malware (most often Trojan horses).

Classes of network worms:

· Email worms. Malicious code contained in a file attached to an email. The authors of a mail worm use any means to get the attached file with the virus executed: it is disguised as a new game, an update or a popular program. Once active on your computer, the mail worm first sends a copy of itself by e-mail using your address book, and then causes harm to your computer.

· Internet messenger worms (IM-Worm). The action of this “worm” almost completely repeats the distribution method used by mail worms, only the carrier is not an email but a message sent through an instant messaging program.

· Worms for file-sharing networks (P2P-Worm). To infiltrate a P2P network, a worm only needs to copy itself into a file-sharing directory, which is usually located on the local machine. The P2P network takes care of all the rest of the distribution work: when files are searched for on the network, it will tell remote users about this file and will provide a service for downloading it from the infected computer.

There are more complex worms of this type that imitate the network protocol of a specific file-sharing system and respond positively to search queries. In this case, the worm offers a copy of itself for downloading.

Using the first method, the worm searches the network for machines with resources open for writing and copies itself there. At the same time, it may pick computers at random and try to open access to their resources. To penetrate using the second method, the worm looks for computers with installed software that contains critical vulnerabilities. The worm then sends a specially crafted packet (request), part of the “worm” penetrates the computer, after which it downloads the full body file and launches it for execution.

Trojans

Trojans, or programs of the “Trojan horse” class, are written with the goal of causing damage to the target computer by performing actions not authorized by the user: data theft, damage or deletion of confidential data, disruption of the PC, or the use of its resources for unseemly purposes.

Some Trojan programs are capable of independently overcoming the security systems of a computing system in order to penetrate it. However, in most cases they get onto the PC together with another virus. Trojan horses can be regarded as additional malware. Often, users themselves download Trojan programs from the Internet.

The Trojan activity cycle can be defined by the following stages:

· penetration into the system;

· activation;

· performing malicious actions.

Trojan programs differ from each other in the actions they perform on an infected PC.

· Trojan-PSW. Purpose: stealing passwords. This type of Trojan can be used to search for system files that store various confidential information (for example, passwords) and to “steal” registration information for various software.

· Trojan-Downloader. Purpose: delivery of other malicious programs. Activates programs downloaded from the Internet (launches them for execution, registers them for autoload).

· Trojan-Dropper. Installs other malicious files on disk, launches and executes them.

· Trojan-Proxy. Provides anonymous access from the “victim's” PC to various Internet resources. Used to send spam.

· Trojan-Spy. Spyware. Carries out electronic espionage on the user of an infected PC: entered information, screenshots, the list of active applications and user actions are saved to a file and periodically sent to the attacker.

· Trojan (other Trojans). Carry out other actions that fall under the definition of Trojan programs, for example destruction or modification of data, disruption of the PC.

· Backdoor. Remote administration utilities. They can be used to find and transfer confidential information to an attacker, destroy data, etc.

· ArcBomb (“bombs” in archives). Cause abnormal behavior of archivers when trying to unpack data.

· RootKit. Purpose: hiding presence in the operating system. Program code is used to hide the presence of certain objects in the system: processes, files, registry data, etc.

Of these, the most widely used spyware are Trojan-Spy and RootKit (rootkits). Let's look at them in more detail.

Rootkits. In Windows, a RootKit is considered to be a program that injects itself into the system without authorization, intercepts calls to system functions (API) and modifies system libraries. Interception of low-level APIs allows such a program to mask its presence in the system, protecting it from detection by the user and by anti-virus software.

Conventionally, all rootkit technologies can be divided into two categories:

· rootkits operating in user mode (user-mode);

· rootkits running in kernel mode (kernel-mode).

Sometimes rootkits arrive in email attachments, masquerading as documents of various formats (for example, PDF). In fact, such an “imaginary document” is an executable file. By trying to open it, the user activates the rootkit.

The second way of distribution is through sites that have been manipulated by hackers. The user opens a web page and the rootkit gets onto his computer. This is possible due to security flaws in browsers.

Rootkits can be planted not only by attackers. There is a well-known case where Sony Corporation built something like a rootkit into its licensed audio discs. Most copy protection software (and tools for bypassing such protection, for example CD and DVD drive emulators) is essentially a rootkit. These differ from “illegal” rootkits only in that they are not installed secretly from the user.

Spyware. Such programs can perform a wide range of tasks, for example:

· collect information about Internet usage habits and the most frequently visited sites (tracking programs);

· record keystrokes (keyloggers) and take screenshots (screen scrapers), subsequently sending the information to their creator;

· are used for unauthorized analysis of the state of security systems: port and vulnerability scanners and password crackers;

· change operating system parameters (rootkits, control interceptors, etc.), resulting in a slower Internet connection or loss of the connection altogether, opening other home pages or deleting certain programs;

· redirect browser activity, which leads to visiting websites blindly, with the risk of virus infection.

Remote monitoring and control programs can be used for remote technical support or access to your own resources that are located on a remote computer.

Passive tracking technologies can be useful in personalizing the web pages a user visits.

These programs are not viruses themselves, but for one reason or another they are included in antivirus databases. Typically these are small programs with a small zone of influence and, like viruses, are ineffective.

· Adware is a general name for software that forcibly displays advertisements.

· Bad-Joke – evil jokes: programs that frighten the user with unexpected, non-standard output or graphics. These can also be programs that issue false messages about formatting the disk or stopping a program, etc.

· Sniffer – a program designed to intercept and subsequently analyze network traffic.

· SpamTool – a program designed for sending spam (as a rule, the program turns a computer into a spam-sending machine).

· IM-Flooder – a program that sends various messages in large quantities to a given IM messenger number.

· VirTool – utilities designed to make it easier to write computer viruses and to study them for hacking purposes.

· DoS (Denial of Service) – a malicious program designed to carry out a denial-of-service attack on a remote server.

· FileCryptor, PolyCryptor – hacking utilities used to encrypt other malicious programs in order to hide their contents from anti-virus scanning.