Comprehensive and In-Depth Analysis of Malware and Its Features

Source: Internet
Author: User

What is malware?

This guide uses the term "malware" as a collective term for viruses, worms, and Trojan horses that intentionally perform malicious tasks on computer systems.

So what exactly is a computer virus or a worm? How do they differ from a Trojan horse? Does an antivirus application protect only against viruses, or also against worms and Trojans?

All of these questions arise from the confusing and often misunderstood world of malicious code. The sheer number and variety of malicious code samples make it difficult to provide a precise definition for each category.

For general anti-virus discussions, you can use the following simple malware category definitions:

• Trojan horse. A program that appears to be useful or harmless but contains hidden code designed to exploit or damage the system on which it runs. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. This is also called Trojan code. A Trojan horse delivers a malicious payload or performs its task when it runs.

• Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another over network connections. A worm may perform harmful actions, such as consuming network or local system resources, possibly causing a denial of service (DoS) attack. Some worms can execute and propagate without user intervention, while others require the user to run the worm code directly in order to propagate. In addition to replicating, a worm may also deliver a payload.

• Virus. Virus code is written with the explicit intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host program executes, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.

For the purposes of this guide, payload is a collective term for the actions a malware attack performs on an infected computer. The definitions of the malware categories above allow a simple flowchart that illustrates the differences between these categories and indicates the elements that can be used to determine whether a program or script belongs to each one.

This figure identifies the common malicious code categories for the purposes of this guide. However, it is important to understand that the code introduced by a single attack may fall into one or more categories. These types of attacks (known as blended threats, which combine multiple types of malware and use multiple attack vectors) can spread very quickly. An attack vector is the route by which malware initiates an attack. For these reasons, blended threats are particularly difficult to defend against.

The following sections describe each type of malware in more detail to illustrate some of the main elements of each type.

Trojan Horse

A Trojan horse is not considered a computer virus or worm because it does not propagate on its own. However, a virus or worm can be used to copy a Trojan horse to a target system as part of the attack payload. This process is known as "dropping". A Trojan horse is intended to disrupt the user's work or the normal operation of the system. For example, a Trojan horse may provide a backdoor into the system, allowing an attacker to steal data or change configuration settings.

Two terms are frequently used when discussing Trojan horses and Trojan activity. They are identified and explained below:

• Remote access Trojan. Some Trojan programs allow a hacker or data thief to remotely control a system. Such programs are called remote access Trojans (RATs) or backdoors. Examples of RATs include Back Orifice, Cafeene, and SubSeven.

For more information about this type of Trojan horse, see the article "Danger: Remote Access Trojans" on the Microsoft TechNet website at http://www.microsoft.com/technet/security/topics/virus/virusrat.mspx (in English).

• Rootkit. A rootkit is a collection of software programs that a hacker can use to gain unauthorized remote access to a computer and launch additional attacks. These programs may use a number of different techniques, including monitoring keystrokes, changing system log files or existing system applications, creating a backdoor into the system, and launching attacks against other computers on the network. Rootkits are usually organized into a set of tools refined for a specific operating system. The first rootkits were identified in the early 1990s, when Sun and Linux operating systems were their primary targets. Today, rootkits are available for many operating systems, including the Microsoft Windows platform.

Note: Both RATs and some of the tools that make up rootkits have legitimate remote control and monitoring uses. However, the security and privacy issues these tools introduce pose an overall risk to the environments in which they are used.

Worm

If malicious code replicates, it is not a Trojan horse. The next question for defining the malware more precisely is therefore: "Can the code replicate without a carrier?" That is, can it replicate without infecting an executable file? If the answer is yes, the code is considered a type of worm.

Most worms attempt to copy themselves to a host computer and then use that computer's communication channels to replicate. For example, the Sasser worm relies on a service vulnerability to initially infect a system, and then uses the infected system's network connection to attempt replication. If you have installed the latest security updates (to stop the infection), or have enabled a firewall in your environment to block the network ports the worm uses (to stop the replication), the attack will fail.

Virus

If malicious code adds a copy of itself to a file, document, or the boot sector of a disk drive in order to replicate, it is considered a virus. This copy may be a direct copy of the original virus or a modified version of it. For more information, see "Protection Mechanisms" later in this chapter. As mentioned earlier, a virus typically drops its payload (such as a Trojan horse) on the local computer and then performs one or more malicious actions (such as deleting user data). However, a virus that only replicates and carries no payload is still a malware problem, because the virus itself may damage data, consume system resources, and use network bandwidth as it replicates.
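The classification flowchart referred to above is not reproduced on this page. The following added example (not part of the original guide) walks the same decision questions in code: does the code need a carrier (virus), can it replicate without one (worm), and does it hide its purpose or arrive as a dropped payload (Trojan), flagging blended and multipartite cases. The trait names and sample profiles are constructed for this illustration.

```python
from dataclasses import dataclass

# Each field is one question from the guide's flowchart. Names are constructed
# for this example, not taken from the guide.
@dataclass(frozen=True)
class Traits:
    replicates_standalone: bool   # copies itself without infecting a carrier (worm test)
    infects_files: bool           # attaches copies to executables, scripts or macros
    infects_boot_sectors: bool    # writes copies to the MBR or DOS boot record
    hides_malicious_code: bool    # appears useful/harmless but carries hidden code
    drops_trojan: bool            # payload installs a Trojan horse on the victim


def classify(t: Traits) -> dict:
    """Return every category the sample matches, plus blended/multipartite flags."""
    categories = set()
    # Virus: replication that needs a carrier object (file, document, boot sector).
    if t.infects_files or t.infects_boot_sectors:
        categories.add("virus")
    # Worm: replication that needs no carrier.
    if t.replicates_standalone:
        categories.add("worm")
    # Trojan: no self-replication required; it deceives about its purpose,
    # or it is dropped as the payload of a virus or worm.
    if t.hides_malicious_code or t.drops_trojan:
        categories.add("trojan")
    return {
        "categories": sorted(categories),
        "blended": len(categories) > 1,          # one attack, several categories
        "multipartite": t.infects_files and t.infects_boot_sectors,
    }


# Constructed sample profiles, loosely modelled on the families the guide names.
SAMPLES = {
    "rat_like":          Traits(False, False, False, True,  False),   # Back Orifice style
    "worm_like":         Traits(True,  False, False, False, False),   # Sasser style
    "file_virus":        Traits(False, True,  False, False, False),   # CIH style
    "multipartite":      Traits(False, True,  True,  False, False),
    "worm_dropping_rat": Traits(True,  False, False, False, True),    # blended threat
}

if __name__ == "__main__":
    for name, traits in SAMPLES.items():
        print(f"{name:20s} -> {classify(traits)}")
```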


Characteristics of malware

The characteristics of the different types of malware are often very similar. For example, both a virus and a worm may use the network as a transport mechanism. However, a virus looks for files to infect, whereas a worm simply tries to copy itself. The following sections describe the typical characteristics of malware.

Target Environment

When malware attempts to attack a host system, it may require a number of specific components before the attack can succeed. The following are typical examples of the components malware may need in order to attack a host system:

• Device. Some malware targets a specific type of device, such as a personal computer, an Apple Macintosh computer, or even a personal digital assistant (PDA), although PDA malware is rare.

• Operating system. Malware may require a particular operating system to be effective. For example, the CIH or Chernobyl virus of the late 1990s could only attack computers running Microsoft Windows 95 or Windows 98.

• Application. Malware may require a particular application to be installed on the target computer in order to deliver its payload or replicate. For example, the LFM.926 virus in 2002 could only attack if Shockwave Flash (.swf) files could be executed on the local computer.

Carrier object

If the malware is a virus, it attempts to target a carrier object (also known as a host) and infect it. The number and type of targeted carrier objects vary with the malware. The following list gives examples of the most common carrier targets:

• Executable files. This is the target of the "classic" virus type, which replicates by attaching itself to a host program. In addition to typical executable files with the .exe extension, files with the following extensions can also be used: .com, .sys, .dll, .ovl, .ocx, and .prg.

• Scripts. Attacks that use scripts as carriers target files written in Microsoft Visual Basic Script, JavaScript, AppleScript, or Perl Script. The extensions of these files include .vbs, .js, .wsh, and .prl.

• Macros. These carriers are files that support the macro scripting language of a particular application, such as a word processor, spreadsheet, or database application. For example, viruses can use the macro languages in Microsoft Word and Lotus Ami Pro to produce a range of effects, from mischievous (switching words or changing colors in a document) to malicious (formatting the computer's hard drive).

• Boot sectors. Specific areas of a computer disk (bootable hard disks and removable media), such as the master boot record (MBR) or the DOS boot record, can also be considered carriers because they are capable of executing malicious code. Once a disk is infected, the virus replicates whenever that disk is used to boot another computer system.

Note: If a virus targets both files and boot sectors, it may be referred to as a "multipartite" virus.

Transmission Mechanism

An attack can attempt to replicate between computer systems using one or more different methods. This section describes several common transport mechanisms used by malware.

• Removable media. File transfer via removable media is the original and possibly still the most prolific transport mechanism for computer viruses and other malware (at least until recently). This mechanism started with the floppy disk, moved on to networks, and is now finding new media such as Universal Serial Bus (USB) devices and FireWire. Infection is not as fast as with network-based malware, but the security threat is always present and can never be completely eliminated, because data needs to be exchanged between systems.

• Network shares. Once computers could connect directly to each other over a network, network shares gave malware writers another transport mechanism, one whose potential exceeded the ability of removable media to spread malicious code. Poorly secured network shares allow malware to replicate to a large number of computers connected to the network, which has largely replaced the manual method of using removable media.

• Network scanning. Malware writers use this mechanism to scan a network for vulnerable computers or to attack IP addresses at random. For example, this mechanism can send packets to a specific network port on many IP addresses to find vulnerable computers to attack.

• Peer-to-peer (P2P) networks. P2P file transfer requires a client component of the P2P application to be installed first. The application uses a network port that is typically allowed through the firewall, such as port 80. Application enabling
