A method for neutralizing malware that blocks the operation of a PC, using a separate device for the user to activate the anti-malware procedure. General characteristics of computer neutralization tools

Classification of viruses

Since the theoretical problem of detecting viruses is unsolvable, in practice it is necessary to solve particular problems of combating particular cases of malware.

Depending on the characteristic properties of viruses, various methods can be used to detect and neutralize them. This raises the question of classifying malware, which is what this chapter is devoted to.

It should be noted that in practice the classifications adopted by different manufacturers of antivirus products differ, although they are built on similar principles. Therefore, in what follows, the principles are formulated first and then illustrated with examples from the classification used at Kaspersky Lab.

Defining a computer virus has historically been a problematic issue, since it is quite difficult to give a clear definition of a virus that lists properties unique to viruses and not shared by other software systems. Conversely, as soon as a virus is strictly defined as a program with certain properties, one can almost immediately find an example of a virus that lacks those properties.

A mandatory (necessary) property of a computer virus is the ability to create duplicates of itself (not necessarily identical to the original) and introduce them into computer networks and/or files, system areas of the computer and other executable objects. The duplicates retain the ability to spread further.

Virus (according to GOST R 51188–98) – a program capable of creating copies of itself (not necessarily identical to the original) and introducing them into files, system areas of a computer, computer networks, as well as carrying out other destructive actions. The copies retain the ability to be further distributed. A computer virus is a type of malicious program.

It is easy to notice that the definition in GOST almost completely repeats the definition of E. Kaspersky.

These two definitions largely repeat the definition of F. Cohen or the refinement proposed by D. Chess and S. White, which allows us to extend to them the conclusion that it is impossible to create an algorithm that detects all such programs, or even all “incarnations” of one of the viruses. In practice, however, all known viruses can be detected by antivirus programs. This result is achieved, in particular, because damaged or unsuccessful copies of viruses, incapable of creating and introducing copies of themselves, are detected and classified together with all other “full-fledged” viruses. Therefore, from a practical point of view, i.e. from the point of view of search algorithms, the ability to reproduce is not at all necessary for a program to be classified as a virus.

Another problem with the definition of a computer virus is that today “virus” most often means not a “traditional” virus but almost any malicious program. This leads to confusion in terminology, further complicated by the fact that almost all modern antiviruses are able to detect these types of malware, so the association “malware = virus” is becoming ever more firmly established.

Based on this, as well as on the purpose of anti-virus tools, in the future, unless otherwise specified, viruses will be understood as malicious programs.

Malicious program – a computer program or portable code designed to implement threats to information stored in the CS, or for hidden misuse of CS resources, or other impacts that impede the normal functioning of the CS. Malicious programs include computer viruses, Trojans, network worms, etc.

Computer viruses, Trojan horses and worms are the main types of malware.

5.1.1. Viruses

Since a distinctive feature of viruses in the traditional sense is the ability to reproduce within one computer, viruses are divided into types in accordance with the methods of reproduction.

The reproduction process itself can be divided into several stages:

1. Computer penetration.

2. Activation of the virus.

3. Search for objects to infect.

4. Preparation of virus copies.

5. Introduction of viral copies.

The implementation features of each stage give rise to attributes, the set of which actually determines the class of the virus.

Viruses penetrate a computer together with infected files or other objects (for example, boot sectors of floppy disks) and, unlike worms, do not influence the penetration process themselves. Consequently, the possibilities of penetration are completely determined by the possibilities of infection, and there is no point in classifying viruses separately by this stage of the life cycle.

To activate the virus, the infected object must gain control. At this stage, viruses are divided according to the types of objects that can be infected:

1. Boot viruses – viruses that infect boot sectors of permanent and removable media.

Examples. The malicious program Virus.Boot.Snow.a writes its code to the MBR of the hard drive or to the boot sectors of floppy disks. The original boot sectors are encrypted by the virus. After receiving control, the virus remains in the computer’s memory (residence) and intercepts the INT 10h, 1Ch and 13h interrupts. Sometimes the virus manifests itself as a visual effect: snow begins to fall on the computer screen.

Another boot virus, Virus.Boot.DiskFiller, also infects the MBR of hard drives or the boot sectors of floppy disks, remains in memory and intercepts the INT 13h, 1Ch and 21h interrupts. When infecting floppy disks, the virus formats an additional track numbered 40 or 80 (depending on its size, a floppy disk has 40 or 80 tracks numbered 0–39 or 0–79, respectively). It is on this non-standard track, outside the normally visible area, that the virus writes its code, adding only a small fragment, the head part of the virus, to the boot sector.

When infecting a hard drive, Virus.Boot.DiskFiller places its code directly behind the MBR, and in the MBR itself it changes the reference to the active boot sector, indicating the address of the sector where it is located.

2. File viruses – viruses that infect files. This group is further divided into three depending on the environment in which the code is executed.

File viruses proper – those that work directly with operating system resources.



Examples. The most famous file virus of this group is Virus.Win9x.CIH, also known as “Chernobyl”. Despite its small size (about 1 KB), the virus infects PE (Portable Executable) files on computers running Windows 95/98 in such a way that the size of the infected files does not change. To achieve this, the virus looks for “empty” areas in files that arise because the beginning of each section of the file is aligned to a multiple of a fixed byte boundary. After gaining control, the virus intercepts the IFS API, monitoring calls to the file access function and infecting executable files. On April 26 the destructive function of the virus is triggered: it erases the Flash BIOS and the initial sectors of the hard drives. The result is that the computer cannot boot at all (if the attempt to erase the Flash BIOS succeeds) or loses the data on all its hard drives.

Among the more recent malware with viral functionality, we can mention Email-Worm.Win32.Bagle.p (as well as its modifications .q and .r). Being primarily a worm whose main distribution channel is email, Bagle.p also contains a function for infecting EXE files by adding polymorphic virus code to the end of them.

Macro viruses – viruses written in a macro language and executed within an application. In the vast majority of cases these are macros in Microsoft Office documents.

Examples. Some of the most destructive macro viruses are members of the Macro.Word97.Thus family. These viruses contain three procedures, Document_Open, Document_Close and Document_New, which replace the standard macros executed when a document is opened, closed or created, thereby infecting other documents. On December 13 the destructive function of the virus is triggered: it deletes all files on the C: drive, including directories and subdirectories.

The Macro.Word97.Thus.aa modification, in addition to the specified actions, when opening each infected document, selects a random file on the local disk and encrypts the first 32 bytes of this file, gradually rendering the system inoperable.

Macro viruses can infect not only Microsoft Word and Excel documents. There are malware that target other types of documents: Macro.Visio.Radiant infects files of the well-known diagramming program Visio, Virus.Acad.Pobresito infects AutoCAD documents, Macro.AmiPro.Green infects documents in the previously popular Ami Pro word processor.

Script viruses – viruses executed in the environment of a specific command shell: formerly BAT files in the DOS command shell, now more often VBS and JS scripts in the Windows Scripting Host (WSH).

Examples. Virus.VBS.Sling is written in VBScript (Visual Basic Script). When launched, it looks for files with the .VBS or .VBE extensions and infects them. On June 16th or July 16th, when launched, the virus deletes all files with the .VBS and .VBE extensions, including itself.

Virus.WinHLP.Pluma.a is a virus that infects Windows help files. When an infected help file is opened, a viral script is executed which, using a non-trivial method (essentially a vulnerability in script processing), launches a certain line of code contained in the script for execution as a regular Windows file. The launched code searches the disk for help files and injects an autorun script into their System area.

In the era of DOS viruses, hybrid file-boot viruses were common. After the mass transition to operating systems of the Windows family, both boot viruses themselves and the hybrids mentioned have practically disappeared.

Separately, it is worth noting that viruses designed to work in the environment of a specific OS or application turn out to be ineffective in the environment of other OSes and applications. Therefore the environment in which the virus is capable of executing is identified as a separate attribute. For file viruses this is DOS, Windows, Linux, MacOS or OS/2; for macro viruses it is Word, Excel, PowerPoint or Office. Sometimes a virus requires a specific version of the OS or application to work correctly, in which case the attribute is specified more narrowly: Win9x, Excel97.

At the stage of searching for objects to infect, there are two ways in which viruses behave.

1. Having received control, the virus performs a one-time search for victims, after which it transfers control to the object associated with it (the infected object).

Example. Usually, when a new platform is being mastered, viruses of this type appear first. This is what happened with viruses under DOS, under Windows 9x, under Windows NT and under Linux.

An example of such a virus is Virus.Multi.Pelf.2132, one of the few representatives of multi-platform viruses. This virus can infect both PE files and files in the ELF format (the executable file format under Linux). When launched, the virus searches the current directory (under both operating systems) and the parent directories (under Windows) for files of infectable formats (PE and ELF), determining the actual file format from its structure. After infecting the files it finds, the virus exits and returns control to the running file.

2. Having received control, the virus somehow remains in memory and searches for victims continuously until the environment in which it runs is shut down.

Example. Virus.DOS.Anarchy.6093 is also multi-platform in the sense that it is capable of infecting DOS COM and EXE files as well as Microsoft Word 6/7 documents. The virus can be activated on startup both under DOS and under Windows 95. After launching, the virus intercepts the INT 21h interrupt and, under Windows, additionally modifies the driver VMM32.VXD (Virtual Memory Manager) in order to intercept file requests. When a COM, EXE or DOC file is launched or opened, the virus infects it. In addition, the file version of the virus is polymorphic (see below), and every version has stealth functionality (see below).

In the era of single-tasking DOS, viruses of the second type were usually called resident. With the transition to Windows, the problem of remaining in memory ceased to be relevant: almost all viruses executed under Windows, as well as in the MS Office application environment, are viruses of the second type. Script viruses, in contrast, are viruses of the first type. Accordingly, the resident attribute is applicable only to DOS file viruses. Non-resident Windows viruses are possible, but in practice they are a rare exception.

Separately, it makes sense to consider the so-called stealth viruses: viruses that, being constantly in memory, intercept calls to an infected file and remove the virus code from it on the fly, returning an unchanged version of the file in response to the request. In this way these viruses mask their presence in the system. To detect them, antivirus tools require the ability to access the disk directly, bypassing the operating system. Stealth viruses were most widespread in the DOS era.

Virus signature – in a broad sense, information that allows the presence of a given virus in a file or other code to be determined unambiguously. Examples of signatures: a unique sequence of bytes present in a given virus and not found in other programs; the checksum of such a sequence.

The process of preparing copies for distribution may differ significantly from simply copying. The authors of the most technologically complex viruses try to make different copies as dissimilar as possible to complicate their detection by antivirus tools. As a result, creating a signature for such a virus is extremely difficult or even impossible.

When creating copies for camouflage, the following technologies can be used:

- encryption – the virus consists of two functional parts: the virus itself and the encryptor. Each copy of the virus consists of the encryptor, a random key, and the virus itself encrypted with this key;

- metamorphism – creating different copies of the virus by replacing blocks of commands with equivalent ones, swapping pieces of code, and inserting “junk” commands that do practically nothing between significant pieces of code.

The combination of these two technologies results in the following types of viruses.

- encrypted virus – a virus that uses simple encryption with a random key and an immutable encryptor. Such viruses are easily detected by a signature of the encryptor;

- metamorphic virus – a virus that applies metamorphism to its entire body to create new copies;

- polymorphic virus – a virus that uses a metamorphic encryptor to encrypt the main body of the virus with a random key. Part of the information used to produce new copies of the encryptor can itself be encrypted. For example, a virus can implement several encryption algorithms and, when creating a new copy, change not only the encryptor’s commands but also the algorithm itself.

Polymorphic viruses can be divided into classes according to the level of polymorphism.

The popularity of polymorphic viruses peaked in the DOS era; however, polymorphism was later used in many viruses and continues to be used today.

Examples. The Email-Worm.Win32.Bagle.p mentioned above is a polymorphic virus.

One of the most complex and relatively late polymorphic viruses is Virus.Win32.Etap. When infecting a file, the virus rebuilds and encrypts its own code, writes it into one of the sections of the infected file, and then looks for a call to the ExitProcess function in the file’s code and replaces it with a call to the virus code. Thus the virus gains control not before the original code of the infected file executes, but after it.
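To make the signature definition above and the note on encrypted viruses concrete, here is an added example (not part of the original text): a small scanner that implements both signature forms the text names, a unique byte sequence and the checksum of such a sequence, and runs them over constructed samples that model a plain copy and encrypted copies with a fixed encryptor stub and a random one-byte key. All byte strings, names and the XOR model are constructed for illustration and are not taken from any real virus.

```python
"""Signature scanning over plain and encrypted virus copies (constructed samples)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Signature:
    """A signature in one of the two forms the text names:
    a unique byte sequence, or the checksum of a fixed-length sequence."""
    name: str
    pattern: bytes = b""   # unique byte sequence (empty when the checksum form is used)
    checksum: str = ""     # hex SHA-256 of a window of `window` bytes
    window: int = 0        # window length for the checksum form

    @classmethod
    def from_checksum(cls, name: str, sample: bytes) -> "Signature":
        """Build a checksum signature from the bytes that should be recognised."""
        return cls(name, checksum=hashlib.sha256(sample).hexdigest(), window=len(sample))


def scan(buf: bytes, sigs: Iterable[Signature]) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every signature that matches `buf`."""
    hits: list[tuple[str, int]] = []
    for s in sigs:
        if s.pattern:
            off = buf.find(s.pattern)
            if off >= 0:
                hits.append((s.name, off))
        elif s.checksum:
            # Slide a window of the signature's length and compare checksums.
            for off in range(len(buf) - s.window + 1):
                if hashlib.sha256(buf[off:off + s.window]).hexdigest() == s.checksum:
                    hits.append((s.name, off))
                    break
    return hits


# --- constructed samples (hypothetical, not real malware) ---------------------
BODY = b"SAMPLE-BODY:" + bytes(range(40))             # "the virus itself"
STUB = b"SAMPLE-DECRYPTOR:" + bytes(range(200, 216))  # the immutable encryptor part


def encrypted_copy(body: bytes, key: int) -> bytes:
    """Model of an encrypted-virus copy: fixed stub, one-byte key, body XORed with it."""
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


BODY_SIG = Signature("body-bytes", pattern=BODY[:24])   # signature on the plain body
STUB_SIG = Signature("stub-bytes", pattern=STUB)        # signature on the encryptor
STUB_SUM = Signature.from_checksum("stub-checksum", STUB)
ALL_SIGS = (BODY_SIG, STUB_SIG, STUB_SUM)


def detect(sample: bytes) -> dict[str, bool]:
    """Which of the three signatures fire on `sample`."""
    hit_names = {name for name, _ in scan(sample, ALL_SIGS)}
    return {s.name: s.name in hit_names for s in ALL_SIGS}


if __name__ == "__main__":
    print("plain copy      :", detect(BODY))
    for key in (0x5A, 0xA7, 0xFF):
        # The body signature fails on every encrypted copy, but the
        # unchanged encryptor stub is caught by both signature forms.
        print(f"encrypted {key:#04x}:", detect(encrypted_copy(BODY, key)))
    # Degenerate key 0 leaves the body readable, so even the body signature fires.
    print("key 0x00        :", detect(encrypted_copy(BODY, 0x00)))
```

A metamorphic encryptor, as in the polymorphic viruses described next, changes the stub in every copy, which is exactly what defeats the two stub signatures here.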

The introduction of viral copies can be carried out by two fundamentally different methods:

- Injection of virus code directly into the infected object;

- Replacing the object with a copy of the virus. The replaced object is usually renamed.

For viruses, the first method is predominantly characteristic. The second method is much more often used by worms and Trojans, or more precisely by Trojan components of worms, since Trojans themselves do not spread.

Example. One of the few mail worms that spread through the address book of The Bat! mail client, Email-Worm.Win32.Stator.a, among other things infects some Windows files on the companion-virus principle. In particular, the infected files include mplayer.exe, winhlp32.exe, notepad.exe, control.exe and scanregw.exe. When infected, the files are renamed to the .VXD extension, and the worm creates copies of itself under the original names of the infected files. After gaining control, the worm launches the corresponding renamed original file.

In the DOS era, the following variant of the second method was used. When the name of an executable file is typed without an extension, DOS searches first for a BAT file, then for a COM file and finally for an EXE file. Accordingly, a copy of the virus was created in the same directory as the EXE file, with the same name and the extension COM. Thus, when an attempt was made to run this EXE file without explicitly specifying the extension, the virus was launched first.

A similar technique can be used on Windows systems, but since most Windows users rarely launch files from the command line, its effectiveness would be low.
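As an added illustration of the companion technique just described (not code from the original text), the following check reports same-named executables in a directory listing and, given a search order, which file would be launched and which would be shadowed. The function, its name and the sample file names are constructed for this example; the search order is passed in as a parameter, and the call below uses the order the text gives.

```python
"""Find executables whose names collide, as in the DOS companion-virus technique."""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable, Sequence


def shadowed_executables(
    filenames: Iterable[str], search_order: Sequence[str]
) -> list[tuple[str, str, list[str]]]:
    """Group executables by base name (case-insensitive) and return, for every
    base name with more than one executable extension, a tuple
    (base name, file that would run, files that would be shadowed)."""
    rank = {ext.upper(): i for i, ext in enumerate(search_order)}
    by_stem: dict[str, list[str]] = defaultdict(list)
    for name in filenames:
        stem, dot, ext = name.rpartition(".")
        if dot and ext.upper() in rank:      # skip non-executables and names without a dot
            by_stem[stem.upper()].append(name)

    findings: list[tuple[str, str, list[str]]] = []
    for stem in sorted(by_stem):
        # Order the colliding files the way the shell would search for them.
        files = sorted(by_stem[stem], key=lambda n: rank[n.rpartition(".")[2].upper()])
        if len(files) > 1:
            findings.append((stem, files[0], files[1:]))
    return findings


if __name__ == "__main__":
    # Constructed directory listing: GAME.EXE has acquired a companion GAME.COM.
    listing = ["GAME.EXE", "game.com", "EDIT.EXE", "TOOL.BAT", "TOOL.EXE", "README.TXT", "NOTES"]
    for stem, runs, shadowed in shadowed_executables(listing, ("BAT", "COM", "EXE")):
        print(f"{stem}: '{runs}' runs first, shadowing {shadowed}")
```

A finding is only a lead: the shadowing file must still be examined, since a legitimate BAT wrapper next to an EXE produces the same collision.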

5.1.2. Worms

Unfortunately, there is no definition of a worm in government standards and regulatory documents, so here we give only an intuitive definition that conveys the operating principles and functions of this type of malware.

Worm (network worm) – a type of malicious program that spreads through network channels, is capable of autonomously overcoming the protection systems of automated and computer networks, creates and distributes further copies of itself that do not always coincide with the original, and carries out other harmful effects.

Just like viruses, the life cycle of worms can be divided into certain stages:

1) penetration into the system;

2) activation;

3) search for “victims”;

4) preparation of copies;

5) distribution of copies.

Stages 1 and 5 are generally symmetrical and are characterized primarily by the protocols and applications used.

Stage 4 - Preparation of copies - is practically no different from a similar stage in the process of virus reproduction. What has been said about preparing copies of viruses also applies without changes to worms.

At the stage of penetration into a system, worms are divided mainly according to the types of protocols used:

- network worms – worms that use Internet and local network protocols to spread. Typically this type of worm spreads by exploiting errors in how some applications handle packets of the underlying TCP/IP protocol stack;

- mail worms – worms that spread in the form of email messages;

- IRC worms – worms that spread through IRC (Internet Relay Chat) channels;

- P2P worms – worms that spread through peer-to-peer (P2P) file-sharing networks;

- IM worms – worms that spread through instant messaging systems (IM, Instant Messenger: ICQ, MSN Messenger, AIM, etc.).

Examples. Classic network worms are members of the Net-Worm.Win32.Sasser family. These worms exploit a vulnerability in the LSASS service of Microsoft Windows. When propagating, the worm starts an FTP service on TCP port 5554, then selects an IP address to attack and sends a request to port 445 at that address, checking whether the LSASS service is running. If the attacked computer responds to the request, the worm sends an exploit for the LSASS vulnerability to the same port; as a result of its successful execution, a command shell is started on the remote computer on TCP port 9996. Through this shell the worm remotely downloads a copy of itself via FTP from the previously started server and launches it remotely, completing the penetration and activation process.

As an example of a mail worm, consider Email-Worm.Win32.Zafi.d. The infected message has a subject and text chosen from a list; their content is a holiday greeting (mostly Merry Christmas) and an invitation to read the greeting card in the attachment. The greeting can be in different languages. The name of the worm file in the attachment consists of the word “postcard” in the language of the greeting plus an arbitrary set of characters. The worm file’s extension is chosen at random from the list .BAT, .COM, .EXE, .PIF, .ZIP. To send messages, the worm uses email addresses found on the infected computer. To gain control, the worm must be launched by the user.

IRC-Worm.Win32.Golember.a is, as the name suggests, an IRC worm. When run, it saves itself in the Windows directory under the name trlmsn.exe and adds to the autorun section of the Windows registry a parameter with the command line to launch this file. In addition, the worm saves a copy of itself to disk as the archive Janey2002.zip and the image file Janey.jpg. The worm then connects to random IRC channels under different names and begins sending certain text strings, simulating the activity of an ordinary user. At the same time, the archived copy of the worm is sent to all users of those channels.

Many network and email worms have functionality for spreading via P2P channels. For example, Email-Worm.Win32.Netsky.q, in order to reproduce via file-sharing networks, searches the local disk for directories whose names contain the names of the most popular networks or the word “shared”, and then places its copies under various names in those directories.

IM worms rarely transfer infected files directly between clients. Instead, they send links to infected web pages. Thus the worm IM-Worm.Win32.Kelvir.k sends messages via MSN Messenger containing the text "its you" and the link "http://www.malignancy.us//pictures.php?email=", at which the worm file is located.

Today the most numerous group is email worms. Network worms are also a noticeable phenomenon, not so much because of their number as because of their quality: epidemics caused by network worms are often characterized by high speed of spread and large scale. IRC, P2P and IM worms are quite rare; more often IRC, P2P and IM serve as alternative distribution channels for email and network worms.

At the activation stage, worms are divided into two large groups, differing both in technology and in lifespan:

1. Active user participation is required for activation.

2. To activate, user participation is not required at all or only passive participation is sufficient.

Passive user participation in the second group means, for example, viewing letters in an email client, in which the user does not open attached files, but his computer nevertheless becomes infected.

The difference between these approaches is deeper than it might seem at first glance. Activation of a network worm without user interaction always means that the worm is exploiting security holes in the computer’s software. This leads to very rapid spread of the worm within a corporate network with a large number of workstations, significantly increases the load on communication channels and can completely paralyze the network. It was this activation method that the Lovesan and Sasser worms used. As a result of an epidemic caused by such a network worm, the exploited hole is closed by administrators or users, and as the number of computers with the open hole decreases, the epidemic ends. To repeat the epidemic, virus developers have to exploit another hole. As a result, epidemics caused by active worms have a more significant impact on the operation of the network as a whole, but occur much less frequently than epidemics of passive network worms. A mandatory protective measure against such epidemics is the timely installation of security patches. Note also that operating systems with built-in capabilities for remote control or remote launching of programs are especially vulnerable to this type of worm; this is the Microsoft Windows NT/2000/XP/2003 family.

Example. The LSASS service vulnerability, first used by the MyDoom worm at the beginning of 2004, continued to be exploited successfully a year and a half later. Thus Net-Worm.Win32.Mytob.be, discovered in June 2005, still used this vulnerability as a distribution method in addition to distribution via email.

On the other hand, active participation of the user in activating the worm means that the user was misled by social engineering methods. In most cases the main factor is the form in which the infected message is presented: it can imitate a letter from a friend (including the email address, if the friend is already infected), a service message from the mail system, or something similar that is equally common in the flow of regular correspondence. The user, in the rush, simply does not distinguish a normal letter from an infected one and launches it automatically.

It is impossible to protect against these types of worms with patches. Even adding a network worm’s signature to a virus database does not completely solve the problem: virus developers simply need to change the executable file so that the antivirus no longer detects it, and slightly change the text of the message, including with the spam techniques used to bypass filters.

As a result, epidemics caused by passive network worms can last much longer and give rise to entire families of the same type of network worms.

Recently there has been a tendency to combine both propagation methods in one worm. Many members of the Mytob family have distribution functions both via email and through the vulnerability in the LSASS service.

The method of searching for a victim computer is entirely based on the protocols and applications used. In particular, if we are talking about an email worm, computer files are scanned for the presence of email addresses, to which, as a result, copies of the worm are sent.

In the same way, Internet worms scan ranges of IP addresses in search of vulnerable computers, and P2P worms place copies of themselves in the public directories of peer-to-peer network clients. Some worms are capable of exploiting the contact lists of Internet messengers such as ICQ, AIM, MSN Messenger, Yahoo! Messenger, etc.

What was said earlier about preparing copies for spreading viruses also applies to worms.

The most common among worms are simplified implementations of metamorphism. Some worms are capable of sending copies of themselves in messages either with or without an injected script that leads to automatic activation of the worm. This behavior is due to two factors: the automatic activation script increases the likelihood of the worm running on the user’s computer, but at the same time reduces the likelihood of slipping through the antivirus filters on mail servers.

Likewise, worms can change the subject and text of the infected message, name, extension, and even the format of the attached file - the executable module can be attached as is or in a zipped form. All this cannot be considered meta- or polymorphism, but worms certainly have a certain amount of variability.

5.1.3. Trojans

Let us give an intuitive definition of a Trojan program, or Trojan.

Trojan (Trojan horse) – a type of malware whose main purpose is to cause harmful effects on a computer system. Trojans are distinguished by the absence of a mechanism for creating their own copies. Some Trojans are capable of autonomously overcoming computer protection systems in order to penetrate and infect the system. In general, a Trojan enters a system together with a virus or worm, as a result of careless user actions, or through the active actions of an attacker.

Due to the lack of reproduction and distribution functions in Trojans, their life cycle is extremely short - only three stages:

- Computer penetration;

- Activation;

- Execution of assigned functions.

This, of course, does not mean that Trojans have a short lifespan. On the contrary, a Trojan can remain unnoticed in the computer’s memory for a long time, without revealing its presence in any way, until it is detected by anti-virus tools.

Trojans usually solve the problem of penetrating a user’s computer using one of the following two methods.

1. Disguise – a Trojan pretends to be a useful application that the user independently downloads from the Internet and launches. Sometimes the user is excluded from this process: a special script is posted on a web page which, using holes in the browser, automatically initiates the download and launch of the Trojan.

Example. Trojan.SymbOS.Hobble.a is an archive (SIS archive) for the Symbian operating system. It disguises itself as a Symantec antivirus and is named symantec.sis. After being launched on a smartphone, the Trojan replaces the original shell file FExplorer.app with a damaged one. As a result, the next time the operating system boots, most of the smartphone’s functions are no longer available.

One of the disguise options could also be for an attacker to insert Trojan code into the code of another application. In this case, it is even more difficult to recognize the Trojan, since the infected application can openly perform some useful actions, but at the same time secretly cause damage due to the Trojan functions.

The method of introducing Trojans onto users’ computers through websites is also common. In this case, either a malicious script is used that downloads and runs a Trojan program on the user’s computer by exploiting a vulnerability in the web browser, or social engineering methods are used: the content and design of the website provoke the user into downloading the Trojan themselves. With this injection method, instead of a single copy of the Trojan, a polymorphic generator can be used that creates a new copy every time it is downloaded. The polymorphism technologies used in such generators usually do not differ from viral polymorphic technologies.

2. Cooperation with viruses and worms – a Trojan travels together with worms or, less commonly, viruses. In principle, such “worm-Trojan” pairs can be considered as a single composite worm, but in established practice it is customary to consider the Trojan component of a worm, if it is implemented as a separate file, an independent Trojan with its own name. In addition, the Trojan component may reach the computer later than the worm file.

Example. Using the backdoor functionality of the Bagle worm family, the author of the worm carried out a hidden installation of the Trojan SpamTool.Win32.Small.b, which collected email addresses found in files on the infected computer and sent them to a specific email address.

Cooperation between worms and viruses is also often observed: the worm transports the virus between computers, and the virus spreads within the computer, infecting files.

Example. The once-famous worm Email-Worm.Win32.Klez.h, when infecting a computer, also launched the virus Virus.Win32.Elkern.c on it. It is hard to say why this was done, since the virus itself, apart from infection and harmful side effects caused by errors in its code (it has no obvious malicious procedures), performs no actions, i.e. it does not “strengthen” the worm in any sense.

At the activation stage the techniques are the same as those used by worms: waiting for the user to launch a file, or using vulnerabilities to launch it automatically.

Unlike viruses and worms, which are divided into types according to their methods of reproduction/distribution, Trojans are divided into types according to the nature of the malicious actions they perform. The most common types of Trojans are:

- Keyloggers – Trojans that reside permanently in memory and record all data coming from the keyboard in order to pass it on to an attacker later. This is typically how an attacker tries to learn passwords or other confidential information.

Example. Not long ago, just a couple of years back, there were still keyloggers that simply wrote every keystroke to a separate file. Trojan-Spy.Win32.Small.b, for example, read the codes of the pressed keys in an endless loop and saved them to the file C:\SYS.

Modern spyware is optimized for collecting information the user transmits over the Internet, since this data may include logins and passwords for bank accounts, credit card PIN codes and other confidential information related to the user's financial activity. Trojan-Spy.Win32.Agent.fa tracks open Internet Explorer windows and saves information from the sites the user visits, along with keyboard input, to a specially created file servms.dll in the Windows system directory.

- Password thieves – Trojans also designed to obtain passwords, but without keyboard tracking. Such Trojans implement methods of extracting passwords from the files in which various applications store them.

Example. Trojan-PSW.Win32.LdPinch.kw collects information about the system as well as logins and passwords for various services and applications: instant messengers, email clients, dialers. This data is often poorly protected, which allows the Trojan to obtain it and send it to the attacker by email.

- Remote administration utilities – Trojans that give an attacker complete remote control over the user's computer. Legitimate utilities with the same capabilities exist, but they differ in that they state their purpose during installation or come with documentation describing their functions. Trojan remote control utilities, on the contrary, do not reveal their real purpose in any way, so the user does not even suspect that his computer is under an attacker's control. The most popular remote control utility is Back Orifice.

Example. Backdoor.Win32.Netbus.170 provides full control over the user's computer, including performing arbitrary file operations, downloading and launching other programs, taking screenshots, etc.

- Backdoors – Trojans that give the attacker limited control over the user's computer. They differ from remote control utilities in their simpler design and, as a result, the small number of available actions. However, one of the usual actions is downloading and running arbitrary files on the attacker's command, which, if necessary, turns limited control into full control.

Example. Recently, backdoor functionality has become a characteristic feature of worms. For example, Email-Worm.Win32.Bagle.at uses port 81 to receive remote commands or to download Trojans that extend the worm's functionality.

There are also stand-alone backdoor Trojans. The Trojan Backdoor.Win32.Wootbot.gen uses an IRC channel to receive commands from its "master". On command, the Trojan can download and launch other programs, scan other computers for vulnerabilities, and install itself on computers through the vulnerabilities it finds.

- Anonymous SMTP servers and proxies – Trojans that act as mail servers or proxies and are used, in the first case, for spam mailings and, in the second, by hackers to cover their tracks.

Example. Trojans of the Trojan-Proxy.Win32.Mitglieder family spread with various versions of the Bagle worm. The Trojan is launched by the worm, opens a port on the computer and reports the infected computer's IP address. After that, the computer can be used to send spam.

- Dialers – a relatively new type of Trojan: utilities for dial-up Internet access through expensive paid services. Such Trojans register themselves in the system as the default dialer and result in huge Internet bills.

Example. Trojan.Win32.Dialer.a, when launched, dials into the Internet through paid services. It performs no other actions, not even creating registry keys, i.e. it does not register itself as the standard dialer or arrange its own autostart.

- Browser settings modifiers – Trojans that change the browser's start page, search page or other settings, open additional browser windows, simulate clicks on banners, etc.

Example. Trojan-Clicker.JS.Pretty is usually found in HTML pages. It opens additional windows with specific web pages and refreshes them at a set interval.

- Logic bombs – often not so much Trojans as the Trojan components of worms and viruses, whose essence is to perform a certain action, for example destroying data, under certain conditions (date, time of day, user actions, an external command).

Examples: Virus.Win9x.CIH, Macro.Word97.Thus.

Worms and viruses can perform all the same actions as Trojans (see the previous paragraph). At the implementation level these may be either separate Trojan components or built-in functions. In addition, because of their mass distribution, viruses and worms are also characterized by other forms of malicious action:

- Overloading of communication channels – a type of damage characteristic of worms: during large-scale epidemics, huge numbers of requests, infected emails or direct copies of the worm are transmitted over Internet channels. In some cases, using Internet services during an epidemic becomes difficult. Example: Net-Worm.Win32.Slammer.

- DDoS attacks – because of their mass distribution, worms can be used effectively to carry out distributed denial-of-service (DDoS) attacks. At the height of an epidemic, when millions or even tens of millions of computers are infected, all infected systems accessing a specific Internet resource completely block that resource. Thus, during the MyDoom worm attack, the SCO company's website was unavailable for a month. Examples: Net-Worm.Win32.CodeRed.a – a not very successful attack on www.whitehouse.gov; Email-Worm.Win32.Mydoom.a – a successful attack on www.sco.com.

- Data loss – behaviour more typical of viruses than of Trojans and worms, associated with the deliberate destruction of certain data on the user's computer. Examples: Virus.Win9x.CIH – erasing the starting sectors of disks and the contents of the Flash BIOS; Macro.Word97.Thus – deleting all files on drive C:; Email-Worm.Win32.Mydoom.e – deleting files with certain extensions depending on a random number.

- Software malfunction – also a trait more characteristic of viruses. Because of errors in the virus code, infected applications may malfunction or stop working altogether. Example: Net-Worm.Win32.Sasser.a – causes the infected computer to reboot.

- Reduced performance – intensive use of computer resources by malware reduces the performance of both the system as a whole and individual applications. Example: to varying degrees, any malicious program.

The presence of destructive actions is by no means a mandatory criterion for classifying program code as viral. It should also be noted that a virus can cause colossal damage through self-replication alone. The most striking example is Net-Worm.Win32.Slammer.

5.1.4. Information security threats

Let us consider information security threats from the point of view of viruses. Given that the total number of viruses today exceeds 100,000, analyzing the threats posed by each of them is too laborious and pointless a task, since the number of viruses grows daily and the resulting list would have to be revised daily. In this work we will assume that a virus is capable of realizing any of the threats to information security.

There are many ways to classify security threats to information processed in an automated system. The most commonly used classification of threats is based on their impact on information, namely violation of confidentiality, integrity and availability.

For each threat there are several ways in which viruses can realize it.

Confidentiality threat:

Theft of information and its distribution through standard communication channels or covert transmission channels: Email-Worm.Win32.Sircam – sent arbitrary documents found on the infected computer along with copies of the virus;

Theft of access passwords, encryption keys, etc.: any password-stealing Trojan, e.g. Trojan-PSW.Win32.LdPinch.gen;

Remote control: Backdoor.Win32.NetBus, Email-Worm.Win32.Bagle (backdoor functionality).

Integrity threat:

Modification through destruction or encryption (deletion of certain types of documents): Virus.DOS.OneHalf – encryption of disk contents; Virus.Win32.Gpcode.f – encrypts files with certain extensions and then deletes itself, leaving next to the encrypted files contact details for negotiating their decryption;

Modification by low-level destruction of the media (formatting the media, destroying file allocation tables): Virus.MSWord.Melissa.w – formats drive C: on December 25.

Availability threat:

Any activity that results in inability to access information; various sound and visual effects: Email-Worm.Win32.Bagle.p – blocks access to the websites of antivirus companies;

Disabling the computer by destroying or damaging critical components (destroying the Flash BIOS): Virus.Win9x.CIH – damages the Flash BIOS.

As can be seen, for each of the above methods of realizing a threat one can give a specific example of a virus that implements one or several of these methods at once.

Malicious programs differ in their conditions of existence, the technologies used at various stages of their life cycle, and the actual harmful effects; all of these factors serve as a basis for classification. On the basis of the main (historically speaking) characteristic, reproduction, malware is divided into three types: viruses, worms and Trojans.

Regardless of type, malware is capable of causing significant damage by realizing any of the threats to information: threats to integrity, confidentiality and availability. For this reason, when designing comprehensive anti-virus protection systems and, more generally, comprehensive information protection systems, network objects must be graded and classified according to the importance of the information processed on them and the likelihood of those nodes being infected by viruses.

General characteristics of computer virus neutralization tools

The most common means of neutralizing computer viruses are antivirus programs (antiviruses). Based on the approach to identifying and neutralizing viruses implemented in them, antiviruses are usually divided into the following groups (Fig. 8.2):

Detectors;

Phages;

Vaccines;

Vaccinations;

Auditors;

Monitors.

Fig. 8.2. Classification of antiviruses (detectors, phages, vaccines, vaccinations, auditors, monitors).

Detectors detect viruses by scanning executable files for so-called signatures: stable byte sequences found in the bodies of known viruses. The presence of a signature in a file indicates that it is infected with the corresponding virus. An antivirus capable of searching for many different signatures is called a polydetector.

Phages perform the functions of detectors but, in addition, "cure" infected programs by "biting" the virus out of their bodies. By analogy with polydetectors, phages aimed at neutralizing many different viruses are called polyphages.

Unlike detectors and phages, vaccines resemble viruses in their principle of operation. The vaccine is implanted into the protected program and records a number of quantitative and structural characteristics of that program. If the vaccinated program was not infected at the time of vaccination, the following happens on its first launch after infection. Activating the virus carrier passes control to the virus, which, having performed its own functions, passes control to the vaccinated program. There, the vaccine receives control first and checks whether the characteristics it recorded match those obtained at the current moment. If the two sets of characteristics do not match, it is concluded that the text of the vaccinated program has been modified by the virus. The characteristics used by vaccines may include the program's length, its checksum, etc.

The operating principle of vaccinations relies on the fact that virtually any virus marks the programs it infects with some attribute in order to avoid re-infecting them. Otherwise, multiple infections would occur, accompanied by a significant and therefore easily detectable growth in the size of infected programs. The vaccination, without making any other changes to the text of the protected program, marks it with the same attribute as the virus, which, after activating and checking for that attribute, considers the program infected and leaves it alone.

Auditors monitor the state of the file system using an approach similar to that of vaccines. During its operation, the auditor program compares, for each executable file, the current characteristics with those obtained during the previous inspection. If the system information indicates that the file has not been updated by the user since the previous inspection, yet the compared sets of characteristics do not match, the file is considered infected. The characteristics of executable files obtained during each inspection are stored in a separate file (or files), so the growth in the length of executable files that accompanies vaccination does not occur here. Another difference between auditors and vaccines is that each inspection of executable files requires the auditor to be run again.
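The auditor described above, as an added PowerShell example that is not part of the textbook: it records the length and SHA-256 checksum of executables in a separate baseline file and, on the next run, reports files whose bytes changed although their modification time did not. The directory audited, the baseline location and PowerShell 4.0 or later (for Get-FileHash) are assumptions of this illustration.

```powershell
# Added example, not from the textbook: a minimal file-system "auditor". It stores the
# characteristics of executables (length, SHA-256, last write time) in a separate JSON file
# and compares them on the next run, exactly as the auditor in the text does. The target
# directory and the baseline path below are assumptions chosen for this demonstration.

function Get-ExecutableCharacteristics {
    param([string]$Path)
    $current = @{}
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $current[$_.FullName] = [pscustomobject]@{
                Length        = $_.Length
                Hash          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
            }
        }
    return $current
}

function Compare-WithBaseline {
    param([hashtable]$Current, [string]$BaselinePath)
    $baseline = @{}
    if (Test-Path -Path $BaselinePath) {
        (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $baseline[$_.Name] = $_.Value }
    }
    $findings = @()
    foreach ($file in $Current.Keys) {
        $now = $Current[$file]
        if (-not $baseline.ContainsKey($file)) {
            # On the very first run every file lands here; later runs flag newly added executables.
            $findings += [pscustomobject]@{ File = $file; Verdict = 'New since last audit' }
            continue
        }
        $old = $baseline[$file]
        if ($old.Length -eq $now.Length -and $old.Hash -eq $now.Hash) { continue }
        # Changed contents behind an unchanged modification time is the auditor's classic
        # infection indicator: no normal update took place, yet the bytes differ.
        $verdict = if ($old.LastWriteTime -eq $now.LastWriteTime) { 'MODIFIED, timestamp unchanged: suspicious' }
                   else { 'Modified (timestamp updated)' }
        $findings += [pscustomobject]@{ File = $file; Verdict = $verdict }
    }
    foreach ($file in $baseline.Keys) {
        if (-not $Current.ContainsKey($file)) {
            $findings += [pscustomobject]@{ File = $file; Verdict = 'Removed since last audit' }
        }
    }
    return $findings
}

# Assumptions for the demonstration: which directory to audit and where the baseline lives.
$target       = 'C:\Program Files'
$baselinePath = Join-Path -Path $env:LOCALAPPDATA -ChildPath 'exe-audit-baseline.json'

$current  = Get-ExecutableCharacteristics -Path $target
$findings = Compare-WithBaseline -Current $current -BaselinePath $baselinePath
if ($findings) { $findings | Format-Table -AutoSize } else { 'No changes since the previous audit.' }

# Store the current characteristics as the baseline for the next run. As with the auditor
# in the text, this is a separate file: the executables themselves are never modified.
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath -Encoding UTF8
```

A legitimate update normally advances the last write time, so the "timestamp unchanged" verdict is the one worth investigating first; the baseline file itself should be kept where the audited software cannot write to it.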

    We will talk about the simplest ways of neutralizing viruses, in particular those that block the Windows 7 user's desktop (the Trojan.Winlock family). Such viruses are distinguished by the fact that they do not hide their presence in the system but, on the contrary, flaunt it, making it extremely difficult to do anything other than enter a special "unlock code", which supposedly requires transferring a certain sum to the attackers by sending an SMS or topping up a mobile phone account through a payment terminal. The goal is the same in every case: to force the user to pay, sometimes quite a lot of money. A window appears on the screen with a threatening warning that the computer has been blocked for using unlicensed software or visiting undesirable sites, or something similar, usually intended to frighten the user. In addition, the virus does not allow any actions in the Windows environment: it blocks the special key combinations that open the Start menu, the Run command, the Task Manager, etc. The mouse pointer cannot be moved outside the virus window. As a rule, the same picture is seen when Windows is loaded in safe mode. The situation seems hopeless, especially if there is no other computer and no way to boot into another operating system or from removable media (a Live CD, ERD Commander, an anti-virus scanner). Nevertheless, in the vast majority of cases there is a way out.

    The new technologies implemented in Windows Vista / Windows 7 have made it much harder for malware to penetrate and take full control of the system, and have also given users additional means of getting rid of it relatively easily, even without anti-virus software. We are talking about the ability to boot the system in safe mode with command prompt support and to launch monitoring and recovery tools from it. Obviously, out of habit, and because of the rather poor implementation of this mode in previous versions of Windows, many users simply do not use it. In vain: the Windows 7 command prompt lacks the usual desktop (which may be blocked by the virus), but it can launch most programs: the Registry Editor, the Task Manager, the System Restore utility, etc.

Removing a virus by rolling back the system to a restore point

    A virus is an ordinary program, and even if it resides on the computer's hard drive but has no way to start automatically when the system boots and the user logs on, it is as harmless as, say, an ordinary text file. If the problem of blocking the automatic launch of the malicious program is solved, the task of getting rid of the malware can be considered complete. The main autostart method used by viruses is through registry entries created when they are introduced into the system. If these entries are deleted, the virus can be considered neutralized. The simplest way is to perform a system restore using restore point data. A restore point is a copy of important system files, stored in a special directory ("System Volume Information") and containing, among other things, copies of the Windows registry files. Rolling the system back to a restore point whose creation date precedes the infection yields a registry without the entries made by the intruding virus, and thereby eliminates its automatic start, i.e. gets rid of the infection even without anti-virus software. In this way you can simply and quickly get rid of most viruses that infect the system, including those that block the Windows desktop. Naturally, a blocker that, for example, modifies the boot sectors of the hard drive (the MBRLock virus) cannot be removed this way, since rolling back to a restore point does not affect the disk's boot records, and it will not even be possible to boot Windows in safe mode with command prompt support, because the virus loads before the Windows bootloader. To get rid of such an infection you will have to boot from another medium and restore the infected boot records. But there are relatively few such viruses, and in most cases the infection can be removed by rolling the system back to a restore point.

1. At the very beginning of boot, press F8. The Windows boot loader menu with the available system boot options will be displayed on the screen.

2. Select the boot option "Safe Mode with Command Prompt".

After boot completes and the user logs on, a cmd.exe command processor window is displayed instead of the usual Windows desktop.

3. Run the System Restore tool by typing rstrui.exe and pressing ENTER.

Switch to "Choose a different restore point" and, in the next window, check "Show more restore points".

After selecting a Windows restore point, you can view the list of programs that will be affected by the system rollback:

The list of affected programs contains the programs installed after the restore point was created, which may need to be reinstalled because their registry entries will be missing.

After clicking the "Finish" button, the system recovery process will begin. Upon completion, Windows will restart.

After the reboot, a message is displayed reporting the success or failure of the rollback and, if successful, Windows returns to the state it was in on the date the restore point was created. If the desktop is still locked, you can use the more advanced method presented below.

Removing a virus without rolling back the system to a restore point

    It may be that the system has no restore point data for some reason, that the restore procedure ended in an error, or that the rollback did not help. In this case you can use the System Configuration utility MSCONFIG.EXE. As before, boot Windows in safe mode with command prompt support and, in the cmd.exe window, type msconfig.exe and press ENTER.

On the General tab, you can select one of the following Windows startup modes:

Normal startup – normal system boot.
Diagnostic startup – only the minimum required system services and user programs are started when the system boots.
Selective startup – allows you to manually specify the list of system services and user programs to be launched during boot.

To eliminate a virus, the easiest approach is diagnostic startup, where the utility itself determines the set of programs started automatically. If in this mode the virus stops blocking the desktop, the next step is to determine which program is the virus. For this you can use selective startup, which lets you enable or disable the launch of individual programs manually.

The "Services" tab allows you to enable or disable the launch of system services whose startup type is set to "Automatic". An unchecked box in front of a service name means that it will not be started during system boot. At the bottom of the MSCONFIG window there is a "Hide all Microsoft services" checkbox which, when enabled, shows only third-party services.

Note that with standard security settings in Windows Vista / Windows 7 the likelihood of infection by a virus installed as a system service is very low, so you will have to look for traces of the virus in the list of automatically launched user programs (the "Startup" tab).

Just as on the Services tab, you can enable or disable the automatic launch of any program in the list displayed by MSCONFIG. If the virus is activated by automatic launch through the special registry keys or the contents of the Startup folder, msconfig allows you not only to neutralize it but also to determine the path and name of the infected file.

The msconfig utility is a simple and convenient tool for configuring the automatic startup of services and applications that start in the way standard for the Windows family. However, virus authors often use techniques that launch malicious programs without the standard autorun points. Such a virus can most likely be removed with the method described above, rolling the system back to a restore point. If a rollback is impossible and msconfig did not help, you can edit the registry directly.

    While fighting a virus, the user often has to perform a hard reboot by pressing Reset or cutting the power. This can lead to a situation where the system starts normally but never reaches the logon screen. The computer hangs because the logical structure of some system files was corrupted during the improper shutdown. To fix the problem, boot into safe mode with command prompt support as in the previous cases and run a check of the system disk:

chkdsk C: /F – check drive C: and fix the errors found (the /F switch)

Since the system disk is in use by system services and applications while chkdsk runs, chkdsk cannot obtain exclusive access to it to perform the check. The user is therefore shown a warning and asked whether to schedule the check for the next system restart. After answering Y, information is written to the registry so that the disk check starts when Windows restarts. When the check is complete, this information is removed and Windows starts normally without user intervention.

Eliminating the possibility of a virus running using the Registry Editor

    To launch the Registry Editor, as in the previous case, boot Windows in safe mode with command prompt support, type regedit.exe in the cmd.exe window and press ENTER.

    Windows 7, with standard security settings, is protected from many of the malware launch methods that were used against previous versions of Microsoft operating systems. Viruses installing their own drivers and services, reconfiguring the WINLOGON service to load their own executable modules, altering registry keys that apply to all users, etc.: all of these methods either do not work in Windows 7 or require such serious effort that they are practically infeasible. Typically, the registry changes that enable the virus to run are made only within the permissions of the current user, i.e. in the HKEY_CURRENT_USER hive.

To demonstrate the simplest mechanism for blocking the desktop, substitution of the user shell, and the inability of MSCONFIG to detect and remove such a virus, you can perform the following experiment: instead of a virus, modify the registry data yourself so as to get, for example, a command prompt instead of the desktop. The familiar desktop is created by Windows Explorer (the program Explorer.exe) running as the user shell. This is controlled by the Shell value in the registry keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon – for all users.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon – for the current user.

The Shell value is a string containing the name of the program to be used as the shell when the user logs on. Normally the Shell value is absent from the current-user key (HKEY_CURRENT_USER, abbreviated HKCU) and the value from the all-users key (HKEY_LOCAL_MACHINE, abbreviated HKLM) is used.

This is what the registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon looks like on a standard Windows 7 installation.

If a Shell string value with the content "cmd.exe" is added to this key, then the next time the current user logs on, cmd.exe will be launched as the user shell instead of the standard Explorer-based shell, and a command prompt window will be displayed instead of the usual Windows desktop.

Naturally, any malicious program can be launched this way, and instead of a desktop the user gets a porn banner, a blocker or other nastiness. Changing the all-users key (HKLM...) requires administrative privileges, so viruses usually modify the current user's key (HKCU...).

If, continuing the experiment, we run msconfig, we can see that cmd.exe does not appear as the user shell in the lists of automatically launched programs. A system rollback would, of course, return the registry to its original state and remove the virus's autostart, but if for some reason that is impossible, the only remaining option is to edit the registry directly. To return to the standard desktop, simply delete the Shell value or change it from "cmd.exe" to "explorer.exe", then log the user off and back on or reboot. You can edit the registry by running the Registry Editor from the command line (regedit.exe) or by using the console utility REG.EXE. Example command line to delete the Shell value:

REG delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

The shell-substitution example given above is today one of the most common techniques used by viruses in Windows 7. The fairly high level of security under standard settings prevents malware from accessing the registry keys that were used to infect Windows XP and earlier versions. Even if the current user is a member of the Administrators group, access to the vast majority of registry settings used for infection requires running the program as administrator. This is why malware modifies the registry keys the current user is allowed to access (HKCU...). The second important factor is the difficulty of writing program files to system directories. This is why most viruses in Windows 7 launch executable files (.exe) from the current user's temporary files directory (Temp). When analyzing the automatic launch points in the registry, pay attention first of all to programs located in the temporary files directory, usually C:\USERS\username\AppData\Local\Temp. The exact path of the temporary files directory can be viewed via Control Panel in the system properties under "Environment Variables", or from the command line:

set temp
or
echo %temp%

In addition, searching the registry for the string corresponding to the temporary files directory name or the %TEMP% variable can serve as an additional means of detecting viruses. Legitimate programs never start automatically from the TEMP directory.
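The two checks the article walks through, the Shell value of the Winlogon keys and autostart entries pointing into the Temp directory, as one added PowerShell script that is not the article's own code. It assumes PowerShell 3.0 or later in the safe-mode command prompt; the set of Run/RunOnce keys, the function names and the -Repair switch are choices made for this illustration, and -Repair does exactly what the REG delete command above does.

```powershell
# Added example, not from the article. Audits the two autostart avenues discussed above:
# the Shell value of the Winlogon keys (HKLM and HKCU), and Run/RunOnce values or
# Startup-folder shortcuts whose target lies in the current user's Temp directory.
# Read-only unless -Repair is given, which removes the HKCU Shell override.
param([switch]$Repair)

$winlogonKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-ShellAudit {
    foreach ($key in $winlogonKeys) {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        # HKCU normally carries no Shell value at all; HKLM should hold exactly explorer.exe.
        $verdict = if ($null -eq $shell) {
                       if ($key -like 'HKCU:*') { 'absent (normal for HKCU)' } else { 'absent: unusual for HKLM' }
                   } elseif ($shell -match '^\s*explorer\.exe\s*$') { 'standard' }
                   else { 'NON-STANDARD shell: inspect' }
        [pscustomobject]@{ Key = $key; Shell = $shell; Verdict = $verdict }
    }
}

function Get-TempAutoruns {
    $tempDir = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $findings = @()
    foreach ($key in $runKeys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $values) { continue }
        foreach ($v in $values.PSObject.Properties) {
            if ($providerProps -contains $v.Name) { continue }   # not registry values
            $raw      = [string]$v.Value
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)
            # Flag an explicit %TEMP%/%TMP% reference or a command whose expanded path is inside Temp.
            if ($raw -match '%TE?MP%' -or $expanded -like "*$tempDir*") {
                $findings += [pscustomobject]@{ Source = $key; Name = $v.Name; Command = $raw }
            }
        }
    }
    # Startup-folder shortcuts: resolve each .lnk target and apply the same test.
    $startup = [Environment]::GetFolderPath('Startup')
    $wsh     = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
        $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
        if ($target -like "*$tempDir*") {
            $findings += [pscustomobject]@{ Source = $startup; Name = $lnk.Name; Command = $target }
        }
    }
    return $findings
}

function Remove-UserShellOverride {
    # Same effect as: REG delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
    Remove-ItemProperty -Path $winlogonKeys[1] -Name Shell -ErrorAction SilentlyContinue
}

'--- Winlogon Shell values ---'
Get-ShellAudit | Format-Table -AutoSize
'--- Autostart entries pointing into the Temp directory ---'
$hits = Get-TempAutoruns
if ($hits) { $hits | Format-Table -AutoSize } else { 'none found' }
if ($Repair) {
    Remove-UserShellOverride
    'HKCU Shell value removed; log off and on again (or reboot) to get the standard desktop back.'
}
```

Note the file path and name of anything flagged before removing it, since that is what identifies the infected file for later cleanup; Autoruns covers many more autostart points than the keys checked here.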

To obtain a complete list of possible autostart points, it is convenient to use the Autoruns program from the Sysinternals Suite.

The simplest ways to remove blockers of the MBRLock family

Malicious programs can gain control of a computer not only by infecting the operating system but also by modifying the boot sector records of the disk from which the system boots. The virus replaces the boot sector data of the active partition with its own code so that instead of Windows a simple program is loaded that displays a ransom message demanding money. Since the virus gains control before the system boots, there is only one way to bypass it: boot from another medium (CD/DVD, external drive, etc.) into any operating system in which the boot sector code can be restored. The easiest way is to use a Live CD / Live USB, usually provided free of charge by most antivirus companies (Dr.Web LiveCD, Kaspersky Rescue Disk, Avast! Rescue Disk, etc.). Besides restoring boot sectors, these products can also scan the file system for malware and remove or disinfect infected files. If this method is not available, you can get by with simply booting any version of Windows PE (an installation disk, the ERD Commander emergency recovery disk), which allows you to restore normal system boot. Usually it is enough to get to the command prompt and run the command:

bootsect /nt60 /mbr system drive letter:

bootsect /nt60 /mbr E: – restore the boot sectors of drive E:. Here E: should be the letter of the drive used as the boot device of the system damaged by the virus.

Or, for Windows versions prior to Windows Vista:

bootsect /nt52 /mbr system drive letter:

The bootsect.exe utility can reside not only in system directories but also on any removable medium, can be run under any Windows operating system, and restores the boot sector code without affecting the partition table or the file system. The /mbr switch is, as a rule, unnecessary, since it restores the code of the master boot record (MBR), which viruses do not modify (or at least do not yet).

Encryption viruses and new problems of preserving user data

Besides blocking the computer, ransomware viruses also encrypt user files, whose loss can have serious consequences and for whose recovery the victim is willing to pay. Such encryption viruses generally use serious encryption technologies that make it impossible to recover the information without the encryption keys, which the attackers offer to sell for fairly large sums. There are, however, no guarantees. The victim then has several options: forget about the data forever, pay the extortionists without any guarantee of recovery, or turn to data recovery professionals. You can recover data yourself if you have enough knowledge and skill, or if the loss of the data would not be so significant should the attempt fail. A complete restoration of everything is not possible, but with some luck a significant part of the information can be returned. Some examples:

Recovering data from volume shadow copies - what shadow copies are and how to recover files from them.

Recuva - using the free Recuva program from Piriform to recover deleted files and files from volume shadow copies.

With the advent of a new generation of ransomware, the problem of keeping user data safe has become much more acute. These viruses not only encrypt documents, archives, photos, videos and other files, but also do everything possible to prevent even partial recovery of data by the affected user. For example, ransomware attempts to delete volume shadow copies using the vssadmin command; with User Account Control (UAC) disabled this happens unnoticed and is guaranteed to make it impossible to restore previous versions of files or to use software that extracts data from shadow copies (Recuva, standard Windows tools, etc.). Given the use of strong encryption algorithms, recovery of encrypted data, even partial, becomes a very difficult task, feasible only for professionals in this field. Today there is perhaps only one way to protect yourself from complete data loss: use automatic backups that store copies in a place inaccessible to viruses, or use "time machine" software that creates instant copies of the file system (snapshots) and can roll back to their contents at any time. Such software does not rely on the standard file system; it has its own bootloader and controls that work independently, without booting Windows, which prevents malware from taking complete control of the file system recovery tools. In addition, this software has virtually no effect on Windows performance. Examples of such software are some commercial products from Horizon DataSys and the free Comodo Time Machine and Rollback Rx Home.
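The vssadmin behaviour described above, turned into a detection as an added example (not code from the article or from any product named in it): it scans process-creation events of the kind Sysmon (Event ID 1) or Windows Security auditing (event 4688 with command-line logging) would supply, matches the shadow-copy deletion command, and rates each hit by the parent process. The events, paths and field names below are constructed.

```python
"""Alert on process-creation events that delete volume shadow copies.

Added example, not from the original article. It turns the article's
observation that ransomware runs vssadmin to wipe shadow copies into a
detection over process-creation events with command lines (Sysmon Event
ID 1, or Security event 4688 with command-line auditing). The events,
field names and paths below are constructed.
"""
import re
from collections import Counter

# The command the article names, allowing for case, a quoted/full path
# to vssadmin.exe and extra whitespace.
VSSADMIN_DELETE = re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)

# Parents from which an administrator plausibly runs vssadmin by hand.
# Anything else (Office, browsers, binaries in a user profile) is the suspicious case.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "mmc.exe", "explorer.exe"}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    return VSSADMIN_DELETE.search(cmdline) is not None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list) -> list:
    """Return one alert per matching event, rated by the parent process."""
    alerts = []
    for ev in events:
        if not is_shadow_copy_deletion(ev["cmdline"]):
            continue
        severity = "medium" if basename(ev["parent_image"]) in EXPECTED_PARENTS else "high"
        alerts.append({"time": ev["time"], "pid": ev["pid"],
                       "parent": ev["parent_image"], "severity": severity})
    return alerts


def count_by_severity(alerts: list) -> Counter:
    return Counter(a["severity"] for a in alerts)


# Constructed process-creation events (not captured from a real host).
SAMPLE_EVENTS = [
    {"time": "10:01:02", "pid": 4120, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},                      # benign listing
    {"time": "10:05:40", "pid": 5012,
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"time": "10:05:41", "pid": 5013, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "VSSADMIN Delete Shadows /For=C: /Oldest"},    # administrator at a console
    {"time": "10:06:00", "pid": 5020, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
    print(dict(count_by_severity(triage(SAMPLE_EVENTS))))
```

Because, as the article notes, the deletion runs silently when UAC is off, a process-creation log is often the only trace left; rating a non-console parent as high severity separates an administrator's manual cleanup from a payload that has just landed in a user profile.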

Comodo Time Machine - a separate article about Comodo Time Machine and links to download the free version.

Rollback Rx Home - separate article about Rollback Rx Home Edition by Horizon DataSys and links to download the free version.


Owners of patent RU 2527738:

The invention relates to the field of anti-virus protection. The technical result is to provide the ability to unlock a computer without losing data or rebooting the computer, increasing the efficiency of anti-virus systems and, accordingly, increasing the security of computer systems. The method of neutralizing malware that blocks the operation of a computer involves the use of a separate antivirus activation device, designed for the user to activate the anti-malware procedure and containing connectors for connecting to the control bus, a controller, and an activation unit. The computer unlocking and disinfection procedure is launched in response to the activation signal received from the antivirus activation device. The mentioned unlocking and treatment procedure includes: examining the state of the OS graphics subsystem, searching for all created windows and desktops visible to the user; analysis of all processes and threads running on the computer at the time of infection; building, based on the collected data, a binding of each mentioned window and desktop to a specific process and/or hierarchy of processes; analysis of the received data on processes and identification of the loaded modules in each of them that are involved in the execution of the process; search for programs automatically executed during OS startup; generating a list of objects recognized as malicious; and isolating the malicious object, removing references to it from the OS configuration files, and deleting the malicious process generated by the object. 5 dependent claims, 3 figures.

Field of technology

The invention relates to the field of anti-virus protection, and more specifically to a method for neutralizing certain types of malicious software (malware).

State of the art

Currently existing malware protection systems allow you to detect it in two ways:

Based on characteristic data previously obtained from the contents of malicious files (signatures, patterns, checksums, etc.);

Based on the behavior of malware (heuristic and behavioral analyzers).

These methods are classic and work well on known types of malware. Unfortunately, they are often powerless against new, emerging malware. The first reason is that its characteristic data (signatures, checksums) is not yet in the antivirus database. The second is that heuristic and behavioral analyzers do not detect the threat, because when developing the malicious program the attackers deliberately changed its behavior so that it would not arouse the suspicion of the behavioral analyzer. At the same time, such malicious programs, still unknown to antiviruses, often manifest themselves during operation, revealing their presence to the user working on the infected computer at that moment. An example of such behavior is ransomware that blocks the operation of a computer and requires the user, for example through messages on the screen, to comply with criminal demands (usually the payment of money in one form or another). Thus, the infection of the computer is obvious to the user (the malware demands certain actions from him), yet the computer is locked, preventing the user from working normally or even launching procedures to counter the malware. At the same time, the antivirus system neither detects nor treats the infection, since it does not identify the new threat either by characteristic signs or by behavior.

The essence of the invention

The essence of the present invention is that the procedure for neutralizing an active infection is launched directly by the computer user who has detected the infection, by interacting with the anti-virus complex (AK) running on the infected system through an external activation device connected to the computer. This procedure analyzes the current state (at the time of the active infection) of the operating system's internal data and selects a specific method of countering the "active" malware. The term "active malware" hereinafter means malicious software that is present on an infected computer and is executing on it at the given point in time, manifesting its presence in one way or another.

Thus, the proposed method solves the described problem of known anti-virus systems, in which the anti-virus system neither detects nor treats the infection because it does not identify a new threat either by characteristic signs or by behavior. This is achieved by giving the user the opportunity to inform the antivirus program of the fact of infection on a locked computer and to activate procedures for searching for and neutralizing malware that are applicable only at the stage of active infection. The method has the following distinctive features:

The use of a separate peripheral device allows you to activate the neutralization procedure in cases where the malware has disabled or limited the use of traditional means of inputting information into the computer, such as the keyboard and mouse (this is, for example, standard behavior of ransomware);

The procedure for neutralizing the malicious program and subsequent unlocking is performed without restarting the computer and the resulting loss of current unsaved user data;

The method allows you to find and remove or disable the launch of malicious software that was not previously present in the antivirus virus database, thanks to the determination of the fact of infection personally by the user who activated the neutralization procedure, and further automatic analysis of the current state of the operating system at the time of infection;

The method makes it possible to detect malware that behavioral analyzers miss, since one of its main criteria for assessing the harmfulness of a program is not only the program's formal behavior but also the fact that a signal was received from the user (through the activation device) and the characteristics of that signal (its timing and the situation in which it was given).

The method makes it possible to simplify the interaction of the AK with the user, who, to activate the computer treatment procedure, only needs to insert the device and press a button on it, without performing actions that require high qualifications in the field of computer security.

The technical result of the proposed invention is to provide the ability to unlock a computer without losing data and rebooting the computer, increasing the efficiency of anti-virus systems and, accordingly, increasing the security of computer systems.

According to the present invention, a method is implemented for neutralizing malware that blocks the operation of a computer using a separate antivirus activation device, designed for the user to activate the procedure for counteracting malicious software and containing connectors for connecting to the control bus, a controller that provides the software and hardware logic for the operation of the device and carries out communication on the bus, and an activation unit. Said method contains:

1. connecting the antivirus activation device to the computer;

2. transmitting the activation signal from the activation unit;

3. activating the procedure for unlocking and disinfecting the computer by means of the activation device. The mentioned unlocking and treatment procedure includes: examining the state of the OS graphics subsystem, searching for all created windows and desktops visible to the user; analysis of all processes and threads running on the PC at the time of infection; building, based on the collected data, a binding of each mentioned window and desktop to a specific process and/or hierarchy of processes; analysis of the received data on processes and identification of the loaded modules in each of them that are involved in the execution of the process; search for programs automatically executed during OS startup; generating a list of objects recognized as malicious; and isolating the malicious object, removing references to it from the OS configuration files, and deleting the malicious process generated by the object.

Brief description of drawings

Figure 1 shows a schematic example of the implementation of the concept of an antivirus activation device.

Figure 2 shows the main stages of malware neutralization using the example of ransomware.

Figure 3 shows a schematic representation of the algorithm for unlocking and treating a PC.

Detailed Description of the Invention

To achieve the foregoing and related objects, certain illustrative aspects are described herein in connection with the following description and the accompanying drawings. However, these aspects represent only some possible approaches to the application of the principles disclosed here and are intended to cover all such aspects and their equivalents. Other advantages and features appear from the following detailed description given in conjunction with the drawings.

In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it is obvious that the new embodiments can be practiced without these specific details. In other cases, well-known procedures, structures and devices are shown in block diagram form to facilitate their description.

Description of the activation device

The antivirus activation device (Figure 1), which serves to activate the neutralization procedure, can be connected to the computer via the standard communication buses used in PCs, such as USB, COM, LPT, (s)ATA, FireWire and others. The device has connectors 1 for connecting to a specific control bus, a controller 2, which provides the software and hardware logic of the device's operation and communicates via the bus, and an activation unit 3, which can be made in the form of a button, sensor or switch. Note that this text shows only one schematic implementation of such a device; the technical implementation may differ significantly.

1. The user, working on a PC (21), entering data into it and creating new documents (26), is hit by an infection (22) with ransomware, which demands that he pay a certain amount or perform some other action to continue working. The malicious program disables or limits the keyboard and mouse, thereby preventing its removal by any means previously installed on the PC, and preventing the user from continuing to work or even saving the data he has entered.

2. The user connects (23) the antivirus activation device (10) to the PC. After connecting via a standard communication bus connector, the following occurs:

a. device 10 is recognized by the computer hardware (bus controller, low-level input-output system) and by the currently loaded and running operating system 28, executed by the PC processor in the PC memory address space;

b. the running operating system 28, executed by the PC hardware, issues a signal to load the control program for device 10 (the device driver);

c. the control program (driver) configures device 10 to operate in the current operating system 28, including making its hardware resources available for use.

3. The user presses the button (activates the switch) on the body of device 10. This starts the computer unlocking and disinfection procedure, executed on the PC processor in its address space, through the following sequence of events:

a. the controller of device 10 receives a signal from the switch (button) and generates a sequence of commands on the communication bus;

b. the commands are received by the PC hardware to whose bus device 10 is connected (the bus controller and the input-output system take part in the processing) and are passed for processing to the operating system 28 currently running on the processor and using its RAM;

c. the operating system 28, having received the data for processing, passes it to the driver of device 10, loaded earlier in step 2.b;

d. the device driver receives the data about the switch activation from the operating system 28 and notifies the antivirus program running on this computer in the current operating system 28;

e. the antivirus program receives the activation signal and starts the procedure for unlocking and disinfecting the computer 24. Activation by a separate device means the procedure does not depend on the standard input devices that the malicious program has blocked.

After treatment and unlocking of the computer, the user is informed that the procedure is complete, and can then remove the device 10. In this case, he is able to continue working 25 without losing his data 29, without being harmed in any way by the ransomware.

The procedure for unlocking and disinfecting a computer, launched by an antivirus program, performs actions to restore the user’s full functionality on this PC, doing the following:

a. the subsystem for tracking all existing graphical user interface windows 31 examines, at the moment the treatment procedure is activated, the state of the operating system's graphics subsystem 32 and finds all created windows and desktops 33 visible to the user, as well as the window input/output handlers that intercept 34 the current user input/output 35, including hidden instances of them. Among these windows are both windows of ordinary programs and windows of the malicious program 36. The information is combined into lists 37, which are passed on for further processing.

b. monitoring subsystem 38 of the OS 39 process manager running on the processor and RAM of the current PC, built into the anti-virus program, analyzes all processes and threads running on the computer at the time of infection, building a model of the processes’ dependence on each other. One of these processes is the process of the malicious program 310. Based on the collected data, the binding of each window obtained at the previous stage to a specific process and/or hierarchy of processes 311 is built.

c. the system for analyzing loaded modules 312 analyzes the received data about processes and identifies in each of them modules loaded into its address space 313 that participate in the execution of the process. For each module, a file storing its contents is determined using the file system manager 314. Among these modules, the executable module of the malicious program 315 is also detected. The collected data about the modules is saved in lists of modules linked to their corresponding processes and files 316.

d. the procedure for analyzing objects 317 that are automatically launched when the operating system starts, which is part of the anti-virus complex, searches for programs 318 that are automatically executed during operating system startup. A link to a malicious program 319, if present, is identified, and lists are compiled describing the type of link and its locations in the OS configuration files 320.

e. the procedure for analyzing the collected information 321, using the data collected at stages a, b, c and d, analyzes the current situation according to the built-in algorithm and creates lists of candidate suspicious and malicious objects. These lists are passed to the maliciousness rating system 322, which, based on the contents of the suspicious objects and an additional database of trusted objects 323, generates the final lists of objects recognized as malicious. Additional treatment data stored in data files, both on the computer itself and on the external activation device, can be used here.

f. the final lists of malicious objects are transferred to the object isolation and removal subsystem 325, which isolates the object itself and removes references to it from the operating system configuration files, and also deletes the malicious process itself spawned by the object.
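The stages a to f above, modelled as an added example that is not code from the patent or from any antivirus product. It runs the same analysis over a constructed in-memory snapshot of a locked machine instead of live OS queries: visible windows are bound to their process chain, the executable behind each blocking window is scored, files found in a trusted-object database are excluded, an autorun reference raises the score, and the result is an ordered isolation plan. The scoring rules, the trusted database, the paths, the hashes and the Run-key value name are all assumptions made for illustration.

```python
"""Model of the unlocking-and-treatment analysis, stages a to f above.

Added example, not code from the patent or any antivirus product. The
patent's stages run here over a constructed in-memory snapshot instead
of live OS queries; scoring rules, the trusted-object database, paths,
hashes and the autorun value name are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Window:              # stage a: reported by the GUI subsystem
    hwnd: int
    pid: int               # owning process
    visible: bool
    topmost: bool          # kept above every other window
    fullscreen: bool       # covers the whole desktop
    hooks_input: bool      # owner intercepts keyboard/mouse input


@dataclass
class Process:             # stage b: reported by the process manager
    pid: int
    ppid: int
    image: str             # file holding the main executable module (stage c)


@dataclass
class AutorunEntry:        # stage d: objects launched at OS startup
    location: str          # where the reference lives
    target: str            # file the entry launches


def bind_windows_to_processes(windows, processes):
    """Stage b: map each visible window to its process chain (pid, parent, ...)."""
    by_pid = {p.pid: p for p in processes}
    binding = {}
    for w in windows:
        if not w.visible or w.pid not in by_pid:
            continue
        chain, pid = [], w.pid
        while pid in by_pid and pid not in chain:   # stop at the root or on bad ppid data
            chain.append(pid)
            pid = by_pid[pid].ppid
        binding[w.hwnd] = chain
    return binding


def rate_objects(windows, processes, autoruns, trusted_hashes, file_hashes):
    """Stage e: score the executable behind each blocking window.

    Assumed rules: each blocking symptom of a visible window (topmost,
    full-screen, input hook) adds 1; an autorun reference adds 2; a file
    whose hash is in the trusted database is never flagged; score >= 3
    means 'recognised as malicious'.
    """
    by_pid = {p.pid: p for p in processes}
    binding = bind_windows_to_processes(windows, processes)
    scores = {}
    for w in windows:
        symptom = int(w.topmost) + int(w.fullscreen) + int(w.hooks_input)
        if w.hwnd in binding and symptom:
            image = by_pid[w.pid].image
            scores[image] = scores.get(image, 0) + symptom
    autorun_by_target = {a.target.lower(): a for a in autoruns}
    verdicts = []
    for image, score in scores.items():
        if file_hashes.get(image) in trusted_hashes:
            continue
        entry = autorun_by_target.get(image.lower())
        if entry is not None:
            score += 2
        if score >= 3:
            verdicts.append({"image": image, "score": score,
                             "pids": [p.pid for p in processes if p.image == image],
                             "autorun": entry.location if entry else None})
    return verdicts


def isolation_plan(verdicts):
    """Stage f as an ordered action list: stop the process first, so it cannot
    re-create its window, then drop the startup reference, then quarantine the file."""
    plan = []
    for v in verdicts:
        plan += [("terminate", pid) for pid in v["pids"]]
        if v["autorun"]:
            plan.append(("remove_autorun", v["autorun"]))
        plan.append(("quarantine", v["image"]))
    return plan


# Constructed snapshot of a locked machine (not real data).
LOCKER = r"C:\Users\alice\AppData\Roaming\svc_update.exe"
PLAYER = r"C:\Program Files\Player\player.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WINDOWS = [
    Window(0x101, 1000, True, False, False, False),   # ordinary desktop window
    Window(0x202, 1200, True, True, True, False),     # trusted full-screen player
    Window(0x303, 1500, True, True, True, True),      # the ransom screen
    Window(0x304, 1500, False, True, False, True),    # hidden helper window
]
PROCESSES = [Process(1000, 600, EXPLORER), Process(1200, 1000, PLAYER), Process(1500, 1000, LOCKER)]
AUTORUNS = [AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", LOCKER)]
FILE_HASHES = {EXPLORER: "hash-explorer", PLAYER: "hash-player", LOCKER: "hash-locker"}
TRUSTED = {"hash-explorer", "hash-player"}

if __name__ == "__main__":
    for action in isolation_plan(rate_objects(WINDOWS, PROCESSES, AUTORUNS, TRUSTED, FILE_HASHES)):
        print(action)
```

The trusted-object database is what keeps a legitimate full-screen program (the player in the snapshot) out of the verdicts even though its window shows two of the three blocking symptoms, and the ordering in isolation_plan matters: the process is stopped before its startup reference and file are removed, otherwise it could re-create its window while treatment is still running.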

The user who has activated the unlocking and healing process is informed that the procedure is complete and can then remove the activation device. At the same time, he gets the opportunity to continue working without losing his data, without being harmed in any way by the ransomware.

A special feature of the treatment procedure is its ability to identify previously unknown malicious software, since comprehensive information about the state of the system at the moment the malicious program is active is used. The user performs the important function of reporting the active infection (acting, in effect, as an expert), i.e. he serves as the trigger for starting the procedure in this emergency situation. After receiving the user's signal about the infection, the analysis system makes it possible to identify the culprit without first studying it and entering it into the virus database.

As used in this application, the terms "component" and "module" refer to a computer entity that is either hardware, a combination of hardware and software, software, or executable software. For example, a module may be, but is not limited to, a process running on a processor, a processor, a hard disk drive, multiple drives (optical and/or magnetic media), an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, a module can be either an application running on a server or the server itself. One or more modules may reside with a process and/or thread of execution, and a module may reside on a single computer and/or be distributed across two or more computers.

While the foregoing description generally relates to computer instructions that may be executed on one or more computers, those skilled in the art will appreciate that the novel embodiment may also be implemented in conjunction with other software modules and/or as a combination of hardware and software.

In general, software modules include procedures, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types. In addition, those skilled in the art will appreciate that the methods of the invention can be practiced through other computer system configurations, including single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, handheld computing devices, microprocessor-based or programmable consumer electronic devices, etc., each of which can be connected to one or more corresponding devices during operation.

A computer typically includes various computer-readable media. Computer-readable media can be any available media that a computer can access and includes volatile and non-volatile media, removable and stationary media. By way of example, and not limitation, computer-readable media may include computer storage media and data communication media. Computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information, such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVDs) or other optical disks, magnetic cassettes, magnetic tape, magnetic disk drive or other magnetic storage devices or any other medium that can be used to store useful information and that a computer can access.

An exemplary computing system for implementing various aspects includes a computer, the computer including a processor, a system memory, and a system bus. The system bus provides an interface for system components, including but not limited to system memory, to the processor. The processor may be any of various commercially available processors. Dual microprocessors and other multiprocessor architectures can also be used as the processor.

The system bus can be any of several types of bus structures, and can further be connected to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures. System memory includes read only memory (ROM) and random access memory (RAM). The Basic Input/Output System (BIOS) is stored in non-volatile memory such as ROM, EPROM, EEPROM, and the BIOS contains basic routines that help transfer information between elements of the computer, such as at startup. The RAM may also include high-speed RAM, such as static RAM for data caching.

The computer further includes an internal hard disk drive (HDD) (e.g. EIDE, SATA), which internal hard disk drive can also be configured for external use in a suitable enclosure (not shown), a magnetic floppy disk drive (FDD) (e.g. for reading from or writing to a removable floppy disk) and an optical disk drive (for example, a CD-ROM reader or for reading from or writing to other high-capacity optical media, such as DVD). The hard disk drive, magnetic disk drive, and optical disk drive can be connected to the system bus through the hard disk drive interface, magnetic disk drive interface, and optical drive interface, respectively. The interface for external drive implementations includes at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies.

Drives and associated computer storage media provide non-volatile storage of data, data structures, computer instructions, etc. For a computer, drives and media provide storage of any data in a suitable digital format. Although the above description of computer-readable media refers to an HDD, a removable magnetic diskette and removable optical media such as a CD or DVD, those skilled in the art will appreciate that other types of computer-readable media, such as zip disks, magnetic cassettes, flash memory cards, cartridges, and the like, may also be used in an exemplary operating environment, and further, any such media may contain computer instructions for implementing new techniques of the disclosed architecture.

Drives and RAM can store a number of software modules, including an operating system, one or more application programs, other software modules, and program data. All or part of the operating system, applications, modules and/or data may also be cached in RAM. It will also be appreciated that the disclosed architecture may also be implemented with various commercially available operating systems or combinations of operating systems.

A user can enter commands and information into a computer through one or more wired/wireless input devices, such as a keyboard and a pointing device such as a mouse. Input/output devices may include a microphone/speakers and other devices such as an IR remote control, joystick, game pad, pen, touch screen, etc. These and other input devices are often connected to the processor through an input device interface, which is connected to the system bus, but can be connected via other interfaces, such as a parallel port, an IEEE 1394 serial port, a game port, a USB port, an IR interface, etc.

The monitor or other type of display device is also connected to the system bus through an interface, such as a video adapter. Apart from a monitor, a computer usually includes other peripheral output devices such as speakers, printers, etc.

Examples of the disclosed architecture were described above. Of course, it is not possible to describe every conceivable combination of components or methods, but one skilled in the art will appreciate that many additional combinations and permutations are possible. Accordingly, the new architecture is intended to cover all such changes, modifications and variations that fall within the spirit and scope of the claims. Moreover, to the extent that the term “includes” is used in the detailed description or claims, such term is intended to be inclusive in a manner analogous to the term “comprising,” since “comprising” is interpreted when used as a transition word in the claims.

1. A method for neutralizing malware that blocks the operation of a computer using a separate antivirus activation device, designed for the user to activate the procedure for counteracting malicious software and containing connectors for connecting to the control bus, a controller that provides the software and hardware logic of the device's operation and communicates via the bus, and an activation unit, wherein the method contains the steps of:
connecting the antivirus activation device to the computer;
transmitting an activation signal from the activation unit; and
activating the start of the procedure for unlocking and disinfecting the computer;
wherein said unlocking and treatment procedure includes:
examining the state of the OS graphics subsystem, searching for all created windows and desktops visible to the user;
analysis of all processes and threads running on the computer at the time of infection;
building, based on the collected data, a binding of each mentioned window and desktop to a specific process and/or hierarchy of processes;
analysis of the received data on processes and identification of the loaded modules in each of them that are involved in the execution of the process;
search for programs automatically executed during OS startup;
generating a list of objects recognized as malicious;
isolating the malicious object, removing references to it from OS configuration files, and deleting the malicious process spawned by the object.

2. The method according to claim 1, characterized in that the antivirus activation device is connected to the computer via standard communication buses used in personal computers (PCs), such as USB, COM, LPT, (s)ATA, FireWire.

3. The method according to claim 1, characterized in that the activation unit is made in the form of a button, sensor, or switch.

4. The method according to claim 1, characterized in that it additionally contains the steps of:
identifying the antivirus activation device by the computer hardware and the currently loaded and running OS;
sending a corresponding signal to load the control program of the antivirus activation device.

5. The method according to claim 1, characterized in that the data on activation of the activation block is received by the driver of the antivirus activation device, and the driver of the antivirus activation device notifies the antivirus program running on the computer in the current OS about said activation.

6. The method according to claim 1, characterized in that the mentioned formation of a list of objects recognized as malicious is carried out based on the contents of suspicious objects and an additional database of trusted objects.

Similar patents:

A method for destroying integrated memory circuits of storage media, designed to prevent leakage of information constituting a trade secret during attempts to unauthorizedly remove media with information recorded on them.

The invention relates to communication technology and can be used in the maritime mobile service to ensure reliable automatic reception of information on navigation safety in the shortwave range on board sea vessels located in any area of ​​the world's oceans.

The invention relates to computer technology. The technical result consists in preventing the use of role parameters by violating subjects of the protected information system.

The invention relates to computer technology, namely to means of protecting user identification data when accessing a third party website. The technical result consists in providing management of the multi-factor authentication service for websites and third parties.

The invention relates to software download control tools. The technical result is to increase security before loading software.

The invention relates to a method for protecting security data transmitted by a transmitter to a receiver, which consists of periodically transmitting to the receiver, alternately with said security data, neutral data designed to prevent filtering of the security data.

The invention relates to computer technology, namely to means of secure communication in a network. The technical result consists in increasing the security of data transmission by dividing keys into segments for preliminary distribution of key creation material according to variable distribution. The method relates to the secure transmission of information from the first node (N1) to the second node (N2) of the network, wherein the first node contains the key creation material (KM(ID1)) of the first node, the second node contains the key creation material (KM(ID2)) of the second node wherein each of the key creation material of the first node and the key creation material of the second node comprises a plurality of shared key progenitor portions formed by the shared key progenitor portion segments. A communication network containing at least two communication devices implements the above method. 3 n. and 10 salary f-ly, 5 ill.

The invention relates to the field of systems and methods for detecting the presence of malicious programs in an operating system that interfere with the user's ability to work with the operating system. The technical result is to detect the presence of malware that interferes with user interaction with the operating system interface. To identify the presence of the mentioned malicious programs in the operating system: (a) detect the occurrence of an event characterized by a violation in the user’s interaction with the operating system interface; (b) compare the current state of the operating system with state patterns that characterize the operation of the operating system with a malicious program that prevents the user from interacting with the operating system interface; and (c) when the said event is detected, characterized by a violation in the user’s interaction with the operating system interface, and the current state of the operating system coincides with the mentioned state patterns characterizing the operation of the operating system with the said malicious program, the presence of this malicious program in the operating system is revealed. 2 n. and 9 salary f-ly, 6 ill.

The invention relates to digital content management devices. The technical result is to increase the security of access to digital content. The method comprises sending, via the first device, an encrypted content key to a second device; sending, through the second device to a third device, license data describing the rights to use said digital content by said third device in response to a request from said third device to use said digital content, said license data including said encrypted content key; and receiving, through said third device, from said first device, data for decrypting said encrypted content key. 4 independent and 11 dependent claims, 6 figures.

The invention relates to the field of network security, in particular to a multicast key negotiation method and system suitable for a group call system with SCDMA (Synchronous Code Division Multiple Access) broadband access technology. The technical result is to increase the security of group call services provided via multicast transmission. The technical result is achieved as follows: the user terminal (UT) negotiates a unicast key with a base station (BS), derives an information encryption key and an integrity check key from the unicast key, and registers on the BS the identifier of the service group to which the UT belongs; the BS notifies the UT of the multicast key of the service group that the UT should apply, creates a multicast key notification packet, and sends it to the UT; after receiving the multicast key notification packet sent by the BS, the UT obtains the multicast key of the service group that it should apply by decrypting the service group key application list, creates a multicast key acknowledgment packet, and sends it to the BS; the BS confirms from the multicast key acknowledgment packet sent by the UT that the UT's service group multicast key has been created successfully. 2 independent and 6 dependent claims, 1 figure.

The invention relates to the field of protection against computer threats, namely to tools for analyzing file launch events to determine their security rating. The technical result of the present invention is to reduce the time of anti-virus scanning. A security rating is assigned to at least one file. A user-initiated launch of at least one file is registered. Events in the operating system, including file launch events, are monitored. Information about at least one file running in the operating system is compared with information about at least one file whose launch has been registered. The security rating of a file is reduced if there is no record of its launch being registered, or increased if such a record is present. Files whose security rating exceeds the specified threshold are excluded from anti-virus scanning. 2 independent and 19 dependent claims, 5 figures.

The invention relates to secure and confidential storage and processing of backup copies. The technical result is to increase the security of data storage. In the method, at least one computing device in a first control area receives, from at least one computing device in a second control area, encrypted data generated by encrypting full backup data for a given set of data from at least one computing device in the second control area according to at least one searchable encryption algorithm based on cryptographic key information; at least one computing device in the first control area receives, from at least one computing device in the second control area, encrypted metadata generated by analyzing the full backup data and encrypting the analysis output based on the cryptographic key information; secret data is received that allows visible access to encrypted data specified by at least one cryptographic secret of the secret data; and synthetic full backup data for the given set of data is maintained based on the encrypted data, the encrypted metadata and the secret data. 3 independent and 12 dependent claims, 42 figures.

The invention relates to computer technology. The technical result consists in increasing the efficiency of assessing the harmfulness of code executed in the address space of a trusted process. In the method for assessing the harmfulness of code executed in the address space of a trusted process, the characteristics of untrusted processes, critical functions and criteria for the harmfulness of executable code are specified; the specified characteristics of untrusted processes, critical functions and harmfulness criteria are saved; an untrusted process is identified among the processes running in the operating system based on the presence of the specified characteristics; a critical function call made on behalf of the untrusted process is intercepted; the executable code that initiated the critical function call is identified by analyzing the call stack; and the executable code is recognized as malicious based on analysis of the specified criteria. 2 independent and 12 dependent claims, 7 figures.

The invention relates to communication systems and more particularly to communication devices and applications for such devices that allow the assignment of survivability services to said device after registration with the service. The technical result is to ensure continuity of the session and service in the event of a network failure or denial of service by dynamically assigning survivability services to communication devices based on the current location of the device and the data network environment. The technical result is achieved by a central session management server that authenticates a first communication device by evaluating account information and assigns a first survivability server to the first communication device based on the current location information provided in the initial message. 3 independent and 16 dependent claims, 4 figures.

The invention relates to an anti-virus system. The technical result is to prevent unauthorized updating of the anti-virus program. The storage device contains an operating section that stores the file to be scanned, a read-only user interface program, and a hidden section that stores the virus code. The processor is operatively coupled to a display device, wherein the read-only user interface program, when executed by the processor, causes said processor to provide a user interface on said display device, receive an access request through said user interface, and generate, in response to the access request, a password confirmation request for confirming the program/code update password used to control the update of the anti-virus program and virus code. The antivirus device performs virus scanning of a file to be scanned in said operating section based on said virus code in said hidden section and includes an antivirus processor. 8 dependent claims, 4 figures.

The invention relates to means for controlling the application of imaging devices. The technical result consists in the possibility of using the imaging device application when the device configuration changes. The device management service receives a request to obtain application information for an application to be applied from the imaging device, and generates and transmits application information corresponding to the imaging device when the device configuration information for the imaging device satisfies the application applicability condition contained in the core set of application information and a license for use is present to apply the application to the imaging apparatus. 4 independent and 4 dependent claims, 25 figures.

The invention relates to the field of anti-virus protection. The technical result is to provide the ability to unlock a computer without losing data or rebooting the computer, increasing the efficiency of anti-virus systems and, accordingly, increasing the security of computer systems. The method of neutralizing malware that blocks the operation of a computer involves the use of a separate antivirus activation device, designed for the user to activate the anti-malware procedure and containing connectors for connecting to the control bus, a controller, and an activation unit. The computer unlocking and disinfection procedure is launched in response to the activation signal received from the antivirus activation device. The unlocking and disinfection procedure includes: examining the state of the OS graphics subsystem and searching for all created windows and desktops visible to the user; analyzing all processes and threads running on the computer at the time of infection; building, from the collected data, a binding of each such window and desktop to a specific process or hierarchy of processes; analyzing the collected process data and identifying the loaded modules in each process that take part in its execution; searching for programs automatically executed during OS startup; generating a list of objects recognized as malicious; and isolating each malicious object, removing references to it from the OS configuration files, and terminating the malicious process generated by the object. 5 dependent claims, 3 figures.

The problem of virus protection must be considered in the general context of the problem of protecting information from unauthorized access and the technological and operational security of software in general. The basic principle that should be the basis for the development of virus protection technology is to create a multi-level distributed protection system, including:

    regulation of work on a PC;

    use of software protection tools;

    use of special hardware protection.

In this case, the number of protection levels depends on the value of the information that is processed on the PC.

The following methods are currently used to protect against computer viruses.

Archiving. It consists of copying system areas of magnetic disks and maintaining daily archives of changed files. Archiving is one of the main methods of protecting against viruses. Other methods of protection complement it, but cannot replace it completely.

Incoming control. All incoming programs are checked with detectors, and the lengths and checksums of newly received programs are compared with the values specified in the documentation. Most known file and boot viruses can be detected at the incoming inspection stage. For this purpose a battery of detectors (several sequentially launched programs) is used. The range of detectors is quite wide and is constantly updated as new viruses appear. However, not all viruses can be detected, only those recognized by a detector. The next element of input control is a contextual search in files for words and messages that may belong to a virus (for example, Virus, COMMAND.COM, Kill, etc.). The absence of text strings in the last 2-3 kilobytes of a file is suspicious: it may be a sign of a virus that encrypts its body.

The considered control can be performed using a special program that works with a database of “suspicious” words and messages and generates a list of files for further analysis. After the analysis, it is recommended to operate new programs in quarantine mode for several days. In this case, it is advisable to use calendar acceleration, i.e. change the current date when restarting the program. This allows you to detect viruses that trigger on certain days of the week (Friday, 13th of the month, Sunday, etc.).
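The incoming-control checks described above (length and checksum against the documented values, a contextual search for suspicious words, and the test for missing text strings in the tail of the file), as an added Python example that is not part of this text. The "documentation" manifest, the suspicious-word list and the three sample file images are constructed for the example; the detector battery itself (signature scanning) is outside its scope.

```python
"""Input-control checks for newly received programs: length and checksum against
the documented values, a contextual search for suspicious words, and a test for
the absence of text strings in the tail of the file."""
import re
import zlib

# Words and messages that may belong to a virus (the examples given in the text).
SUSPICIOUS_WORDS = [b"Virus", b"COMMAND.COM", b"Kill"]
TAIL_BYTES = 2048        # the text says the last 2-3 KB are checked; 2 KB here
MIN_TEXT_RUN = 4         # shortest run of printable bytes counted as "text"
_TEXT_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_TEXT_RUN)


def crc32(data):
    """CRC-32 of a file image, the kind of checksum a manual would list."""
    return zlib.crc32(data) & 0xFFFFFFFF


def find_suspicious_strings(data):
    """Contextual search: which of the suspicious words occur in the file."""
    return [w.decode() for w in SUSPICIOUS_WORDS if w in data]


def tail_has_text(data, tail=TAIL_BYTES):
    """True if the last `tail` bytes contain at least one readable string."""
    return _TEXT_RUN.search(data[-tail:]) is not None


def input_control(name, data, documented):
    """Run all checks on one file. Returns a list of findings; an empty list
    means the file passed incoming control (it still goes to quarantine)."""
    findings = []
    ref = documented.get(name)
    if ref is None:
        findings.append("no documented length/checksum for this file")
    else:
        if len(data) != ref["length"]:
            findings.append(f"length {len(data)} differs from documented {ref['length']}")
        if crc32(data) != ref["crc32"]:
            findings.append("checksum differs from documented value")
    for word in find_suspicious_strings(data):
        findings.append(f"suspicious string {word!r} found")
    if not tail_has_text(data):
        findings.append(f"no text strings in last {TAIL_BYTES} bytes (possibly encrypted body)")
    return findings


# Constructed sample: a tiny COM-style program (a few x86 bytes followed by a
# message), and the "documentation" entry recorded from the clean copy.
CLEAN_PROGRAM = (b"\xb4\x09\xba\x0e\x01\xcd\x21\xb8\x00\x4c\xcd\x21"
                 + b"Hello from EDIT.COM$" + b"\x00" * 16)
DOCUMENTED = {"EDIT.COM": {"length": len(CLEAN_PROGRAM),
                           "crc32": crc32(CLEAN_PROGRAM)}}

# Constructed sample: the same program with an appendage that carries one of
# the suspicious words in plain text.
TAMPERED_PLAINTEXT = CLEAN_PROGRAM + b"\x00\x00Kill all files\x00"

# Constructed sample: the same program with a 3000-byte appendage made only of
# non-printable bytes, the pattern left by a body that is stored encrypted.
TAMPERED_OPAQUE = CLEAN_PROGRAM + bytes(0x80 | (i % 0x7F) for i in range(3000))

if __name__ == "__main__":
    for label, image in [("clean", CLEAN_PROGRAM),
                         ("plaintext appendage", TAMPERED_PLAINTEXT),
                         ("opaque appendage", TAMPERED_OPAQUE)]:
        print(label, "->", input_control("EDIT.COM", image, DOCUMENTED) or ["passed"])
```

The clean image passes all three checks; the first tampered image trips the length, checksum and suspicious-string checks; the second trips length and checksum and has no readable string in its last 2 KB, which is exactly the sign the text associates with a self-encrypting body. In practice the documented values come from the vendor's manual, and a file that passes still spends its quarantine period on a separate machine.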

Prevention. To prevent infection, newly received and previously used programs must be stored separately (on different magnetic media), the time during which floppy disks are write-enabled must be minimized, and shared magnetic media must be divided between specific users.

Revision. Analysis of newly received programs using special tools (detectors), integrity monitoring before reading information, as well as periodic monitoring of the state of system files.

Quarantine. Each new program is checked for known types of viruses over a certain period of time. For these purposes, it is advisable to allocate a special PC on which no other work is carried out. If it is impossible to allocate a PC for software quarantine, a machine that is disconnected from the local network and does not contain particularly valuable information is used for this purpose.

Segmentation. It involves dividing a magnetic disk into a number of logical volumes (partitions), some of which have the status READ_ONLY (read only). These partitions store executable programs and system files. Databases should be stored in other partitions, separate from the programs that are running. An important preventive measure in the fight against file viruses is to keep a significant part of the executable (load) modules out of their reach. This method is called segmentation and is based on partitioning a magnetic disk (hard drive) using a special driver that assigns the READ_ONLY attribute (read only) to individual logical volumes and also supports password access schemes. Executable programs and system utilities, as well as database management systems and translators, i.e. the software components most at risk of infection, are placed in the write-protected disk partitions. As such a driver, it is advisable to use programs like Advanced Disk Manager (a program for formatting and preparing a hard drive), which not only allows the disk to be split into partitions but also organizes access to them using passwords. The number of logical volumes used and their sizes depend on the tasks being solved and the size of the hard drive. It is recommended to use 3 - 4 logical volumes, and on the system disk from which you boot, you should leave a minimum number of files (system files, shell, and trap programs).

Filtration. It consists of using watchdog programs to detect attempts to perform unauthorized actions.

Vaccination. Special processing of files and disks that simulates a combination of conditions that are used by some type of virus to determine whether a program is already infected or not.

Automatic integrity control. It consists in using special algorithms that allow, after starting the program, to determine whether changes have been made to its file.

Therapy. It involves the deactivation of a specific virus in infected programs by special programs (phages). Phage programs "bite" the virus out of the infected program and try to restore its code to its original state (the state before the moment of infection). In general, the technological protection scheme may consist of the following stages:

    input control of new programs;

    segmentation of information on a magnetic disk;

    protecting the operating system from infection;

    systematic control of information integrity.

It should be noted that you should not strive to provide global protection for all files on the disk. This significantly complicates operation, reduces system performance, and ultimately reduces security due to frequent operation in open mode. Analysis shows that only 20-30% of files should be write protected.

When protecting an operating system from viruses, it is necessary to properly place it and a number of utilities, which can ensure that after the initial boot, the operating system is not yet infected with a resident file virus. This is achieved by placing the command processor on a write-protected disk, from which, after the initial boot, it is copied to a virtual (electronic) disk. In this case, during a virus attack, a duplicate command processor on the virtual disk will be infected. When rebooted, the information on the virtual disk is destroyed, making it impossible for the virus to spread through the command processor.

In addition, to protect the operating system, a non-standard command processor can be used (for example, the 4DOS command processor developed by J.P. Software), which is more resistant to infection. Placing a working copy of the shell on a virtual disk allows it to be used as a decoy program. For this, a special program can be used that periodically monitors the integrity of the command processor and informs about its violation. This allows for early detection of a virus attack.

As an alternative to MS DOS, several operating systems have been developed that are more resistant to infection. Of these, DR DOS and Hi DOS should be noted. Any of these systems is more “virus-resistant” than MS DOS. Moreover, the more complex and dangerous the virus, the less likely it is that it will work on an alternative operating system.

An analysis of the considered methods and means of protection shows that effective protection can be ensured through the integrated use of various means within a single operating environment. To do this, it is necessary to develop an integrated software package that supports the considered protection technology. The software package should include the following components.

    Family (battery) of detectors. Detectors included in the family must be launched from the operating environment of the complex. At the same time, it should be possible to connect new detectors to the family and to specify the parameters for their launch from the interactive environment. Using this component, software testing can be organized at the incoming inspection stage.

    Virus trap program. This program is generated while the complex is running, i.e. it is not stored on disk, so the original cannot be infected. In the process of testing the PC, the trap program is executed repeatedly, with the current date and time changed each time (an accelerated calendar). Along with this, the trap program monitors its own integrity (size, checksum, date and time of creation) every time it is launched. If an infection is detected, the software system switches to analysis of the infected trap program and tries to determine the type of virus.

    Vaccination program. Designed to change the operating environment of viruses so that they lose their ability to reproduce. A number of viruses are known to mark infected files to prevent re-infection. Using this property, it is possible to create a program that processes files in such a way that the virus believes that they are already infected.

    Database of viruses and their characteristics. The database is expected to store information about existing viruses, their features and signatures, as well as the recommended treatment strategy. Information from the database can be used when analyzing an infected trap program, as well as at the stage of incoming software control. In addition, based on the information stored in the database, recommendations can be made on the use of the most effective detectors and phages for treatment of a specific type of virus.

    Resident protection. These tools reside in memory and constantly monitor the integrity of system files and the shell. The check can be performed on timer interrupts or when read and write operations are performed on a file.
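Added example, not from this text, of the integrity checking that the automatic integrity control method, the trap program and the resident protection component all rely on: a baseline of size, checksum and modification time is recorded for the protected files and re-checked later. The file names and contents are constructed in a temporary directory; a resident version would call verify() from a timer or before each read or write of a protected file.

```python
"""Integrity control shared by the automatic integrity control method, the
trap program and the resident protection component: record a baseline (size,
checksum, modification time) of protected files and re-check it later."""
import hashlib
import os
import tempfile

CHECKED = ("size", "sha256", "mtime")


def fingerprint(path):
    """Size, SHA-256 and modification time of one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "sha256": digest, "mtime": st.st_mtime}


def build_baseline(paths):
    """Record fingerprints for every protected file (done right after a clean
    boot, before any new program is run)."""
    return {p: fingerprint(p) for p in paths}


def verify(baseline):
    """Compare the current state with the baseline. Returns {path: [changed
    attributes]}; an empty dict means every protected file is intact. A file
    that has disappeared is reported as ["missing"]. The checksum is the
    decisive attribute: size and mtime are cheap early warnings that a
    careful modification can leave unchanged."""
    changes = {}
    for path, ref in baseline.items():
        if not os.path.exists(path):
            changes[path] = ["missing"]
            continue
        cur = fingerprint(path)
        diff = [k for k in CHECKED if cur[k] != ref[k]]
        if diff:
            changes[path] = diff
    return changes


def demo():
    """Constructed scenario: two protected files, one of which is modified
    after the baseline (bytes appended). Returns the detected changes keyed
    by file name."""
    with tempfile.TemporaryDirectory() as d:
        shell = os.path.join(d, "COMMAND.COM")     # constructed, not a real shell
        config = os.path.join(d, "CONFIG.SYS")
        with open(shell, "wb") as f:
            f.write(b"\xe9\x10\x00" + b"constructed shell image")
        with open(config, "w") as f:
            f.write("FILES=30\nBUFFERS=20\n")
        baseline = build_baseline([shell, config])
        if verify(baseline):
            raise RuntimeError("baseline must verify clean")
        with open(shell, "ab") as f:               # the change to be detected
            f.write(b"\x90" * 64)
        return {os.path.basename(p): sorted(c) for p, c in verify(baseline).items()}


if __name__ == "__main__":
    print(demo())
```

Only the modified file is reported, with at least its size and checksum flagged; whether mtime is also flagged depends on the filesystem's timestamp resolution, which is why the check does not rely on it. A trap program applies the same comparison to its own image on every launch, and the resident component applies it to the shell and system files at each timer tick.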