Boot Sector Virus Feat. General Virus Information
Boot Sector Virus
• Gain Control of System
• Replace Bootstrap Code With Viral Code
• Hard Disks
• Floppy Disks
Code Action, Camouflage Technique
Viruses disguise themselves from antivirus and other security devices using a host of complex techniques:
• Stealth. Viruses that use this technique hide the normal characteristics that would indicate their presence.
• For example, the size of a file will normally increase when it is infected. However, by only inserting code into free sections of the file, this type of virus tricks the system by making it seem that the file size has not changed.
• During file infection the date and time are normally recorded as a file modification. However, when these viruses infect a file they do not make such changes, and the file's date and time information remain as they were before the infection.
• To avoid suspicion, stealth viruses will hide some files and change their attributes so that they cannot be viewed.
• Tunneling. The 'tunneling' technique is quite complicated: these viruses try to avoid detection by directly intercepting the interrupt handlers of the operating system, effectively 'burying' themselves beneath the detection software.
• Armoring. Viruses that use 'armoring' techniques disguise their code so that it cannot be read. To detect armored code, antivirus software must use heuristic scanning techniques.
• Self-Encrypting. Antivirus programs search for certain tell-tale signs of virus activity, such as groups of characters or instructions. These viruses encode or encrypt their code to make it more difficult for the antivirus program to detect them. However, modern antivirus solutions use algorithms to detect the encryption routine of these viruses.
• Polymorphism. Polymorphic viruses encrypt their code in a different way with each infection (their signature changes from one infection to the next). They take encryption one step further by also encrypting the way (routine or algorithm) in which their signature is encrypted. This means that a polymorphic virus is capable of creating different variants of itself from one infection to the next, changing its 'shape' with each infection.
• Fortunately, the virus cannot completely encrypt itself, as it needs to keep part of its original code unencrypted in order to run. Antivirus programs can detect polymorphic viruses by locating the routine or algorithm that allows the virus to execute.
Anti-Virus Technique
• Identifying Virus Signature
• Unique Code
• Anti-Virus Software Searches For Specific Virus Code
Recent Example
• Chaos
• The Chaos virus flags the disk as being full of bad sectors upon activation, though most of the supposed bad sectors are still readable.
File sector virus BY JAMES AND OMAR (TEAM MAN LOVE)
FILE VIRUS A computer virus that infects application files such as spreadsheets, computer games or accounting software
EMAIL VIRUS E-mail is now the most common way that viruses are transmitted between computers. The most common mechanism is an "attachment" to the message. The attachment facility is normally used for emailing documents, images and so on. However, it is possible for attachments to contain programs which are run when the attachment is opened.
VIRUS REPLICATION
• In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus's code may be executed first.
• Viruses can be divided into two types on the basis of their behaviour when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or by the operating system itself.
USE OF CHECKSUM
• A checksum of a file can be formed by adding up all the instructions within that file. This value is then appended to the file. When the file is about to be run, the checksum is recalculated; if the recalculated value does not match the stored one, the file is assumed to be possibly infected and a warning is given.
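The checksum scheme just described, as an added Python example (not part of the slides): a byte sum is appended to a file and re-checked before the file is "run". The SHA-256 variant and the sample program bytes are my assumptions, included to show the check's weak point: any reordering of the same bytes keeps the sum unchanged, so the additive check misses it while a cryptographic digest does not.

```python
import hashlib
import struct

TRAILER = struct.Struct("<I")  # 4-byte little-endian checksum appended to the file
DIGEST_LEN = hashlib.sha256().digest_size

# Constructed stand-in for an executable: a handful of x86 opcode bytes.
SAMPLE_PROGRAM = bytes.fromhex("b84c00cd21")


def additive_checksum(data: bytes) -> int:
    """The scheme on the slide: add every byte of the file, modulo 2**32."""
    return sum(data) & 0xFFFFFFFF


def seal(data: bytes) -> bytes:
    """Append the checksum to the file contents, as the slide describes."""
    return data + TRAILER.pack(additive_checksum(data))


def verify(sealed: bytes) -> bool:
    """Recompute the checksum before the file runs; False means 'possibly infected'."""
    if len(sealed) < TRAILER.size:
        return False
    body, trailer = sealed[:-TRAILER.size], sealed[-TRAILER.size:]
    return additive_checksum(body) == TRAILER.unpack(trailer)[0]


def seal_sha256(data: bytes) -> bytes:
    """Stronger variant (assumption, not on the slide): append a SHA-256 digest."""
    return data + hashlib.sha256(data).digest()


def verify_sha256(sealed: bytes) -> bool:
    if len(sealed) < DIGEST_LEN:
        return False
    body, digest = sealed[:-DIGEST_LEN], sealed[-DIGEST_LEN:]
    return hashlib.sha256(body).digest() == digest


def demo() -> dict:
    """Constructed scenarios: untouched file, one appended byte, and reordered bytes."""
    clean = seal(SAMPLE_PROGRAM)
    trailer = clean[-TRAILER.size:]
    appended = SAMPLE_PROGRAM + b"\x90" + trailer      # extra byte changes the sum
    reordered = SAMPLE_PROGRAM[::-1] + trailer         # same bytes, same sum, different program
    sealed_sha = seal_sha256(SAMPLE_PROGRAM)
    reordered_sha = SAMPLE_PROGRAM[::-1] + sealed_sha[-DIGEST_LEN:]
    return {
        "clean": verify(clean),                  # True
        "appended": verify(appended),            # False: caught
        "reordered_sum": verify(reordered),      # True: missed by the byte sum
        "reordered_sha256": verify_sha256(reordered_sha),  # False: caught by SHA-256
    }
```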
RECENT VIRUS
• Storm Worm Botnet Computer Virus
• The FBI issued a warning today about e-mails that purport to link readers to an article about the "FBI Verses Facebook". The FBI says the link is a virus, part of the Storm Worm botnet (a collection of compromised computers under the remote control of a criminal), that can make readers vulnerable to identity theft and make government computers vulnerable to national security threats.
• Spammers spreading this virus are preying on Internet users and making their computers an unwitting part of criminal botnet activity. The FBI urges net-citizens to help prevent the spread of botnets by becoming Web-savvy and making sure their computers are not compromised.
• The warning was issued by the FBI's Internet Crime Complaint Center, which focuses on cyber crime.
THE END • BYE BYE WE DON’T MISS YOU
Macro Viruses A macro virus is a virus that is written in a macro language. They are the most common type of virus. They are built into documents for software applications such as word processors, so that the programme runs automatically when the document is opened. This makes them easy to spread, as an infected document can be embedded in an email.
TROJAN HORSE VIRUS BY AMANBER, MURDO, IRFAN & ADEEL
Trojan Horse
• A Trojan horse, also known as a Trojan, is malware that appears to perform a desirable function but in fact performs undisclosed malicious functions. A computer worm or virus may therefore also be a Trojan horse. The term is derived from the classical story of the Trojan Horse.
• For example, the author may claim the program is a free waterfall screen saver. When run, it instead launches hidden programs, commands or scripts without the user's knowledge or consent. Malicious Trojan horse programs are used to circumvent protection systems, in effect creating a vulnerable system that allows unauthorized access to the user's computer.
Trojan Dropper
• Discovered: February 2, 2000
• Updated: February 13, 2007 11:57:55 AM
• Also Known As: Virus.Dropper, Trojan dropper
• Type: Trojan Horse
• Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
• Trojan.Dropper is a Trojan horse that drops Trojan horses or back door Trojans onto compromised computers.
• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy
• Damage
• Damage Level: Low
• Distribution
• Distribution Level: Low
Watching
• Other viruses can wait until a particular event happens before they attach themselves to a program or file.
• Usually some action or condition has to be met before the virus will attach itself.
Heuristic Detection
• Heuristic detection describes the technique of approaching a problem through previous experience. The technique is used to find unknown viruses that have not yet been identified by their signatures, by looking for characteristics in a file that have previously been associated with a known virus.
Worm By Rebecca & Liam
What is a worm?
• A worm is a program or algorithm that usually performs actions such as using up the computer's resources and possibly shutting the system down.
• Worms only become noticeable once their replication consumes memory to the extent that the system slows down or is unable to carry out particular tasks.
• Worms tend to use the parts of the computer's operating system that are not seen by the user until it is too late.
Delivery
• Infected disks brought in from outside used to be the main source of viruses, until e-mail provided the ideal delivery vehicle. Downloads from peer-to-peer sites are another common source.
• Once delivered, the virus will wait for its trigger to wreak its havoc; it can also attach itself to executable programs.
• For example: emails.
Memory Resident Monitoring
• Programs are divided into memory resident and non-resident ones.
• A memory resident program leaves its code in RAM after it has finished, and the operating system allocates memory for this program's operations.
• After that, the memory resident program operates in parallel with other programs.
Memory Resident Monitoring
• A non-resident program does not leave its code in memory after its termination, and the memory is then cleared.
• Some anti-virus software can be memory resident.
• This means it can check any program that runs in RAM from the moment the computer is switched on.
• The downside of this type of anti-virus software is that it takes up RAM, which can slow down the usual functions of the computer.
Up-to-date virus
• This worm is called Stration.
• It is also known as W32.Stration@mm, W32/Spamta.A.worm, W32/Stration, WORM_STRATION.A and Email-Worm.Win32.Warezov.a.
• It spreads via email subject lines and messages.