[Network Security 2] Basic virus protection technology

Source: Internet
Author: User

1. Computer virus: definition and features
● Definition: a set of computer instructions or program code that is compiled into or inserted into a computer program, damages computer functions or destroys data, affects the use of the computer, and can replicate itself.
● Features:
(1) Parasitic. A legitimate program that a virus has infected is called the virus carrier, also known as the virus host program.
(2) Contagious. This is the basic feature of a virus and the precondition for judging whether a program is a computer virus.
(3) Concealed. A computer virus conceals both its existence and its spread.
(4) Latent. The better its latency (the longer it lies dormant undetected), the longer it survives in the system and the wider the scope of infection.
(5) Triggering. The property by which the appearance of a particular feature or value induces the virus to infect or attack is called triggering.
(6) Destructive. Common harm: reduced system efficiency and occupied system resources. How destructive a virus is depends mainly on the purpose of its designer.

2. Trojan horse
● Attack steps: (1) set up the server program; (2) trick the other party into executing the server program; (3) find the other party's IP address; (4) use the client program to control the other party's computer.
● Features and behavior: (1) Trojans do not replicate themselves. (2) An infected computer system shows unusual behavior or runs slowly.
● Communication channels: (1) spread as email attachments; (2) hidden in documents and other files exchanged between users; (3) carried by other malicious code, such as worms; (4) bundled with free software downloaded from the Internet.

3. Computer worm
● Features: uses defects in networked software systems to replicate itself and spread actively. Unlike a virus, which spreads between files, a worm spreads from one computer to another and thereby infects the whole system.
● Composition: a main program and a boot (bootstrap) program.

4. Logic structure of computer viruses
(1) Virus boot module: when the virus host program starts working, this module loads the virus program from external storage into memory, makes it independent of the host program, and activates the infection module and the destruction module so that they can monitor system operation.
(2) Virus infection module: responsible for infection, that is, for spreading the virus outward to other computer programs. It consists of two parts: the condition-judgment part for infection and the main body of the infection program.
(3) Virus destruction (manifestation) module: the core part of the virus, reflecting the intent of its maker. It consists of two parts: the condition-judgment part for destruction and the main body of the destruction program.

5. Workflow of boot-sector and file viruses
(1) Boot-sector virus: the system starts and self-checks, reads the contents of the boot sector (the virus enters memory), and executes the contents of the boot sector (the virus boots itself). The virus is now in a dynamic state: it modifies system parameters, sets its trigger condition, and then lets the normal system boot proceed. When the infection condition is met it infects; when the destruction condition is met it destroys.
(2) File virus: the infected file is loaded into memory and executes the virus boot module, which loads the infection module and the destruction module. The virus is now in a dynamic state: it modifies system parameters and sets its trigger condition. When the infection condition is met it infects; when the destruction condition is met it causes damage.

6. Macro virus
A computer virus stored in a document, template, or macro program.
● Feature: infects only Microsoft data (document) files.
● Mechanism: the virus code, written in the VB high-level language, is mixed directly into the file and spreads with it. When an infected file is opened, or an operation that triggers the macro virus is performed, the virus is activated and stores itself in the normal.dot template or the personal.xls file, so that documents opened afterwards are infected automatically.

7. Virus techniques
(1) Parasitic technique: when infecting, the virus adds its code to a normal program while preserving all or part of the original program's functions. This is the most widely used technique for file viruses. Classification: ① head parasitism, tail parasitism, and insertion parasitism (virus code inserted at different locations in the host program); ② exploitation of empty space (holes) in the host file (example: CIH).
(2) Resident technique: when an infected file is executed, part of the virus's functional modules enter memory and remain resident there even after the program finishes. (A virus needs to monitor in real time for suitable infection targets and trigger conditions, so it always wants its key code to stay in memory and run as soon as it gets the chance. If antivirus software only removes the virus from the file but not from memory, the virus still has the chance to reinfect the file before the system exits.)
(3) Encryption and deformation (polymorphism) technique: a milestone in virus technology. An improvement on encrypted viruses, it makes the code of the decryption routine different for every infection instance. Traditional viruses always carry their own features (for example infection marker strings, special resident code, and special infection code), and antivirus vendors use these features to compile signatures for virus detection.
(4) Hiding (stealth) technique: after a virus enters the user's system, it uses various methods to hide its traces, making it hard for users and antivirus software to discover.

8. Antivirus technology
Covers computer virus detection, removal, immunization, and prevention.
(1) Computer virus detection techniques
● Comparison method: compare the original or normal features with the features of the object being checked. Advantage: simple and convenient, no special software required. Disadvantage: the type and name of the virus cannot be confirmed.
● Checksum method: compute a checksum of the program code of a normal file and save it; later compare it with the checked object to decide whether the file has been infected. Advantage: can detect all kinds of computer viruses, including unknown ones. Disadvantage: high false positive rate, and the virus type cannot be confirmed.
● Analysis method: mainly used by antivirus technical professionals.
● Scanning (search) method: scan the object to be checked for the specific string contained in each computer virus. (The most commonly used method.) Disadvantages: scanning a large file takes a long time; it is not easy to select a proper feature string; if the virus code database is not updated in time, new computer viruses cannot be identified.
● Behavior monitoring method: viruses show some common and special behaviors during infection and destruction that are rare in normal programs, so monitoring for these behaviors can detect the presence of a virus. Advantage: detects not only known viruses but can also predict unknown viruses. Disadvantage: possible false alarms.
● Software simulation of virus behavior.
● Infection experiment method.
(2) Removal of computer viruses: use special software to disinfect, or remove the virus manually.
(3) Computer virus immunization. Principle: based on virus signatures. When a virus infects another program, it first checks whether that program is already infected, that is, whether the target host program carries the corresponding virus signature; if so, it does not infect it again. Therefore the virus signature can be placed artificially in a "healthy program" to achieve an immune effect.
(4) Computer virus prevention: ① back up data (and the system) frequently; ② new computers, hard disks, software, etc. may only be used after being checked by virus-checking software; ③ avoid using removable disks on machines without antivirus software or on public machines as far as possible; ④ strictly control permissions on computers and prohibit unauthorized people and software from entering the system; ⑤ use a set of the best virus detection and removal software so as to monitor files and disks in real time, control virus intrusion promptly, and upgrade antivirus products promptly and reliably.
-- This document is summarized by heki.
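The checksum method and the scanning (search) method from section 8 side by side, as an added example that is not part of the original notes. The "virus" names, the feature strings and the file contents are constructed toy data; the point is the trade-off the notes describe: the checksum baseline flags every changed file, including an unknown modification and a harmless user edit (the false positive), but cannot name anything, while the signature scan names the known marker and misses the unknown change.

```python
"""Checksum (integrity) baseline and feature-string (signature) scan.
Added example; signatures and file contents are constructed toy data."""
import hashlib

# Constructed "known virus" signatures: an invented name mapped to the byte
# string that stands in for the feature string a vendor would extract.
# These are illustrative placeholders, not markers of any real malware.
KNOWN_SIGNATURES = {
    "Demo.Marker.A": b"DEMO-MARKER-A",
    "Demo.Marker.B": b"DEMO-MARKER-B",
}


def checksum(data: bytes) -> str:
    """Checksum method: fingerprint the program bytes (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record the checksum of every file while it is known to be clean."""
    return {name: checksum(data) for name, data in files.items()}


def checksum_scan(files: dict, baseline: dict) -> list:
    """Report files whose bytes differ from the baseline.  Catches unknown
    changes (so unknown viruses too) but cannot say what changed them."""
    return sorted(name for name, data in files.items()
                  if name in baseline and checksum(data) != baseline[name])


def signature_scan(data: bytes) -> list:
    """Search method: look for each known feature string.  Names the virus
    on a hit, misses anything that is not in the database."""
    return sorted(name for name, sig in KNOWN_SIGNATURES.items() if sig in data)


def scan_all(files: dict, baseline: dict) -> dict:
    """Combine both methods: per file, whether it changed and which
    known signatures were found in it."""
    changed = set(checksum_scan(files, baseline))
    return {name: {"changed": name in changed,
                   "signatures": signature_scan(data)}
            for name, data in files.items()}


def demo() -> dict:
    # Constructed clean programs; the baseline is taken before any change.
    clean = {
        "calc.exe": b"MZ\x90\x00 calc program body",
        "edit.exe": b"MZ\x90\x00 editor program body",
        "notes.txt": b"plain text, not a program",
    }
    baseline = build_baseline(clean)
    # Constructed later state: a known marker appended to calc.exe (tail
    # parasitism), an unknown modification of edit.exe, and an ordinary
    # user edit of notes.txt that the checksum cannot tell apart.
    later = dict(clean)
    later["calc.exe"] = clean["calc.exe"] + b"DEMO-MARKER-A"
    later["edit.exe"] = clean["edit.exe"] + b"unknown appended code"
    later["notes.txt"] = clean["notes.txt"] + b" - edited by the user"
    return scan_all(later, baseline)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows all three files flagged as changed by the checksum, but only calc.exe named by the signature scan; edit.exe (unknown code, no signature in the database) and notes.txt (a legitimate edit) look identical to the checksum method, which is exactly why the notes list "high false positive rate" and "cannot confirm the virus type" against it.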
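The behavior monitoring method from section 8 as a small rule engine over constructed event lines, added here as an example that is not part of the original notes. The event format ("time pid process action target"), the process names and the two rules (a process modifying several executables, and a raw write to a boot device) are assumptions made for the demonstration. It also shows the disadvantage the notes name: the legitimate installer setup.exe trips the same fan-out rule as the suspicious process, a false alarm.

```python
"""Behavior monitoring as rules over constructed event lines.
Added example; event format, names and thresholds are invented."""
import re
from collections import defaultdict

# Constructed event log, one "time pid process action target" per line.
# Not real telemetry; the paths are ordinary Windows-style examples.
EVENTS = r"""
10:00:01 412 edit.exe write C:\Users\a\report.docx
10:00:02 777 viewer.exe write C:\Windows\calc.exe
10:00:02 777 viewer.exe write C:\Windows\notepad.exe
10:00:03 777 viewer.exe write C:\Windows\write.exe
10:00:04 777 viewer.exe write \\.\PhysicalDrive0
10:00:05 901 setup.exe write C:\Program Files\App\app.exe
10:00:05 901 setup.exe write C:\Program Files\App\helper.exe
10:00:06 901 setup.exe write C:\Program Files\App\update.exe
"""

EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".sys")
FANOUT_THRESHOLD = 3      # distinct executables one process may modify (assumed)
# Raw access to a physical drive is how a boot sector would be rewritten.
BOOT_DEVICE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)


def parse_events(text: str) -> list:
    """Turn raw lines into dicts.  The target is the remainder of the line,
    so paths containing spaces survive the split."""
    events = []
    for line in text.strip().splitlines():
        time, pid, proc, action, target = line.split(maxsplit=4)
        events.append({"time": time, "pid": int(pid), "proc": proc,
                       "action": action, "target": target})
    return events


def monitor(events: list) -> dict:
    """Apply the behaviour rules; return {(pid, proc): [alert, ...]} for
    every process that triggered at least one rule."""
    exe_targets = defaultdict(set)
    alerts = defaultdict(list)
    for ev in events:
        if ev["action"] != "write":
            continue
        key = (ev["pid"], ev["proc"])
        # Rule 1: writing to the boot device is rare for ordinary programs.
        if BOOT_DEVICE.match(ev["target"]):
            alerts[key].append("raw write to boot device")
        # Rule 2 (collected first, judged below): modifying other programs'
        # executables is the infection behaviour described in section 4.
        if ev["target"].lower().endswith(EXECUTABLE_SUFFIXES):
            exe_targets[key].add(ev["target"].lower())
    for key, targets in exe_targets.items():
        if len(targets) >= FANOUT_THRESHOLD:
            alerts[key].append(f"modified {len(targets)} executables")
    return dict(alerts)


def demo() -> dict:
    return monitor(parse_events(EVENTS))


if __name__ == "__main__":
    for (pid, proc), found in demo().items():
        print(f"{proc} (pid {pid}): {', '.join(found)}")
```

viewer.exe raises both alerts; setup.exe raises the fan-out alert although an installer writing its own executables is normal, which is the false alarm the notes warn about, and the reason such rules are tuned with thresholds and context (who signed the program, which directory it writes to) rather than used alone.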
