[Malicious code series] 1. What is malicious code

Source: Internet
Author: User

Source: rising community Author: hotboy

1. What is malicious code?

Malicious code is a program that embeds itself into another program without being noticed, and in this way compromises the security and integrity of the data on the infected computer. Classified by how it spreads, malicious code can be divided into five types: viruses, Trojan horses, worms, mobile code, and compound viruses.

  1. Virus

Viruses generally have the ability to replicate themselves, and they can also distribute their copies to other files, programs, or computers. Viruses are usually embedded in a host program. When the infected file is used (for example, when a file is opened, a program is run, or an email attachment is clicked), the virus automatically propagates. Because designers have different purposes, viruses also have different functions: some are only pranks, while others are meant to cause damage, and some look like pranks on the surface but hide a destructive function. Viruses can be divided into the following types: file viruses, boot sector viruses, macro viruses, and prank (hoax) emails.

* File viruses: File viruses attach themselves to executable files, such as Word, spreadsheet workbooks, and computer games. When a virus has infected a program, it replicates itself to infect other programs in the system, or other systems that share and use the infected file. In addition, the virus may reside in system memory, so that any program run afterwards becomes infected. Another infection method modifies the order in which files are executed when a program runs, rather than modifying the file itself; in this case the virus runs before the program's own file does. Jerusalem and Cascade are well-known examples of this type.

* Boot sector viruses: Boot sector viruses infect the master boot record of hard disks or of removable storage devices (such as floppy disks). The boot sector is the first area of the storage medium; it holds the structure definition and other information about the data stored there, and it contains a boot program that runs when the host starts, to load the operating system. The master boot record is a separate area of the hard disk, and only the basic input/output system (BIOS) is used to locate and load the boot program. When a disk carrying the virus is read at system startup, the virus code is executed; a removable device such as a floppy disk can infect the system even if it is not the boot disk. Boot sector viruses hide very well and can cause great damage to the computer, sometimes beyond recovery. If the computer is infected, the following symptoms may occur: the computer shows an error message when started, or cannot start at all. Michelangelo and Stoned are typical examples of this type.

* Macro viruses: The macro virus is a widespread and dangerous type of virus. It loads itself into files such as Word documents and workbooks. As its name says, the virus runs and spreads through applications that support macro languages. Many popular software packages (such as Microsoft Office) use macro languages to automate repeated tasks, and the macro virus uses this to spread malicious code. Because users often share files that contain macros, macro viruses spread very quickly. When a macro virus infects a file, it also uses the temporary files that the file creates and opens, so the temporary files created by an infected file are infected as well. Marker and Melissa are typical examples of this type.

* Prank (hoax) emails: As the name suggests, this "virus" is a fake virus warning. Its content is generally meant to frighten users, claiming that it will cause great damage to their computers, or to trick users into believing their computers will be infected and that they must take immediate emergency measures. Although the information in the message is false, it still spreads widely, much like a real virus. It is usually spread by well-meaning users who forward the message to warn others. Generally, prank emails do not cause direct harm, but some instruct users to modify system settings or delete files, which affects the security of the system. Reading prank emails wastes users' time, and some are sent to technical support departments, warning them of new viruses that may threaten network security or asking for help. Good Times and Bud Frogs are widely circulated examples of this kind of hoax.

  2. Trojan Horse

These programs are named after the Trojan horse of ancient Greek mythology. Such a program appears harmless on the surface but actually carries malicious intent. Some Trojans exist in the system by overwriting existing files, and at the same time carry malicious code; some Trojans appear as ordinary software (for example, a downloadable game) but are actually password-stealing tools. This kind of program is usually hard to detect because it runs in the system like a normal application. A Trojan horse can take one of the following three forms:

* It lurks inside a normal application and carries out independent malicious operations.

* It lurks inside a normal application and modifies that application to perform malicious operations.

* It completely overwrites a normal application and executes malicious operations in its place.

Most Trojans allow the Trojan's controller to log on to the infected computer with most administrator-level permissions. To achieve this, a Trojan generally consists of a client and a server: the client runs on the controller's computer, and the server is placed on the compromised computer. The controller establishes a remote connection to the server on the compromised computer through the client. Once the connection is established, the controller can transfer and modify files by sending instructions to the compromised computer. Trojans are also commonly used to carry out DDoS (denial of service) attacks.
Some Trojans do not support remote logon. Some exist only to hide traces of malicious processes, for example by keeping them out of the process list. Other Trojans are used to collect information, such as the passwords on the infected computer, and can send the list of collected passwords to a specified email account on the Internet.
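File viruses attach themselves to existing executables, and some Trojans overwrite existing files outright; in both cases the contents of a file that was present on a clean system change. The following Python script is an added example, not code from the original article, showing the defensive counterpart: take a SHA-256 baseline of a directory tree while the system is clean, then compare a later scan against it to list files that were modified, added, or removed. The directory layout, file names, and the simulated changes in `demo()` are constructed for the example.

```python
"""
Added example (not part of the original article): a minimal file-integrity
baseline. Hashes are taken once on a clean tree; a later scan is compared
against them, so files altered by a file infector or replaced by a Trojan
show up as "modified".
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Skip symlinks so a link pointing outside the tree is not hashed.
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Classify the differences between two baselines, sorted for stable output."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def demo() -> dict:
    """Constructed scenario: build a 'clean' tree, baseline it, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "game.exe").write_bytes(b"MZ original game binary")
        (root / "bin" / "editor.exe").write_bytes(b"MZ original editor binary")
        (root / "readme.txt").write_text("docs")

        clean = build_baseline(root)

        # Simulated changes (constructed for the example, not real malware):
        # one executable gets bytes appended, one is replaced wholesale,
        # and a new file appears. readme.txt is left untouched.
        with (root / "bin" / "game.exe").open("ab") as f:
            f.write(b" extra bytes")
        (root / "bin" / "editor.exe").write_bytes(b"MZ replaced binary")
        (root / "bin" / "helper.dll").write_bytes(b"new file")

        return compare_baseline(clean, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be written to storage the checked system cannot modify (otherwise an intruder who can overwrite executables can also overwrite the baseline), and the comparison would be scheduled to run regularly; the append-versus-replace distinction in the scenario does not matter to the check, since any content change alters the hash.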

  3. Worms

A worm is a completely independent, self-replicating program. It does not need another program on the infected host in order to spread. Unlike other viruses, a worm automatically creates functionally identical copies of itself and runs them without any user interaction. Worms break in through system vulnerabilities and weak security settings (such as open shares). These properties let them spread very quickly (within seconds, from one side of the world to the other). Blaster and SQL Slammer are typical examples.

  4. Mobile Code

Mobile code is code that can be transmitted from a host to a client computer and executed there. It is usually delivered to the client computer as part of a virus, worm, or Trojan horse. In addition, mobile code can exploit system vulnerabilities for intrusion, such as illegal data access and theft of root accounts. Technologies used to write mobile code include Java applets, ActiveX, JavaScript, and VBScript.

  5. Compound viruses

Compound viruses spread malicious code in multiple ways. The famous Nimda worm is actually an example of a compound virus. It spreads in four ways:

* E-mail: If a user opens an email attachment infected with Nimda on a vulnerable computer, the virus searches for all the email addresses stored on that computer and then sends infected emails to them.

* Network shares: Nimda searches for files shared by other computers connected to the infected computer and uses NetBIOS to infect the shared files on the remote computer; once a user of that computer runs an infected file, that system is infected as well.

* Web servers: Nimda scans for Web servers with Microsoft IIS vulnerabilities. Once it finds a vulnerable server, it copies itself onto the server and infects the server and its files.

* Web clients: If a Web client accesses a Web server infected with Nimda, it is infected as well.

In addition to these methods, compound viruses spread through other services, such as direct messaging and peer-to-peer file sharing. People usually regard compound viruses as worms, and many consider Nimda a worm, but from a technical point of view it has the characteristics of viruses, worms, and mobile code all at once.
