October 12, 2010

Threat Types

Threats to your computer system, data, and identity come in many different forms, a few of the most common are listed as follows:
Viruses:
A virus is a self-replicating program that is designed to damage or degrade the performance of a computer. A virus is replicated by being copied or by initiating its copying to another program, computer boot sector or document. Viruses can be classified into four different categories as follows:

File Infector
A File infector virus when executed on a system will seek out other files and insert its code into them. The programs with .EXE and .COM extensions are the most commonly targeted, but a file infector virus can target any executable file.
This infection is most commonly distributed via compromised networks, over the web via drive-by, or from a corrupted media (CDRW, flash media).
Boot Sector Infector
A Boot Sector infector is a virus that infects the leading sector of a hard drive or other bootable media. Many boot sector infectors have the ability to modify the volume label of the storage drive.
It may be transferred as a result of a pirated software application. This type of virus was capable of causing considerable damage, as most operating systems will attempt to boot a computer from the first sector of the boot drive.

Multipartite Virus
A Multipartite Virus is a virus that infects and spreads in more than one way.
Due to the multiple vector for the spread of infection, these virus could spread faster than a boot or file infector alone.
Macro Virus
A Macro Virus is a virus that is written in a language specific to a software application such as a word processor. Since some applications (such as parts of Microsoft Office) allow macro programs to be embedded into documents, this allows the virus to run automatically when the document is opened.
A macro virus infection can be avoided by exercising caution when opening email attachments and other documents.

Polymorphic Virus
A Polymorphic engine is used to create a virus that can be programmed to mutate itself with each infection, making detection more difficult.

Metamorphic Virus
Using a Metamorphic engine, some virus’s can rewrite themselves completely on each new execution. This helps the virus avoid being detected by emulation. These types of virus’s are typically extremely large.


Worms:
Worms are programs that replicate themselves from system to system without the use of a host file. In contrast, viruses which require the spreading of an infected host file. The most common way for a worm to propagate is to copy itself to outbound email as a file attachment or transfer itself across a network through open network shares. Once a worm is on the system, it does not have to be executed by the user.


Trojan horses:
Trojan horses are impostors, files that claim to be something desirable but, in fact, are malicious. A very important distinction from true viruses is that they do not replicate themselves. Trojans contain malicious code that, when triggered, cause loss or even theft, of data. For a Trojan horse to spread it must be invited onto your computer. A Trojan horse does not have reproduction capability and can only be executed by the user. Once a Trojan horse is executed, it delivers its payload. The payloads differ but most of the recently created Trojans are designed to steal passwords or open a port for communication.


Spyware:
Spyware is a generic term for a class of software designed to either gather information for marketing purposes or to deliver advertisements to Web pages. A spyware aids in gathering information about a person or organization without their knowledge, and can relay this information back to an unauthorized third party. Because spyware is not viral, anti-virus software does not offer protection. By attaching itself to legitimate downloads, spyware easily passes through firewalls unchallenged. By intertwining itself with files essential to system operation, spyware cannot safely be removed by simply deleting files with a system cleaning tool.


Rogue Antispyware:
Rogue/Suspect implies that these products are of unknown, questionable, or dubious value as antispyware protection. These products do not provide proven, reliable anti-spyware protection and may be prone to exaggerated false positives. Others may use unfair, deceptive, high pressure sales tactics to pressure sales from gullible, confused users. A few of these products are either associated with known distributors of spyware/adware or have been known to install spyware/adware themselves. Rogue antispyware is difficult to define as the intentions of the group vary. Typically members of the group claim to be a legitimate anti-spyware application but are in fact nothing more than an inexpensive clone of unreliable software. Rogues are often repackaged and given new names. Others among this group present false positives due to bugs in the software's code, not because of an outright lie. Code corrections can move a suspected rogue off of detection lists. Many rogue applications use deceptive or high-pressure sales tactics to convince users into buying a license. Users will be told that they need to buy protection even if there is nothing dangerous found. Free scans are offered but a license is needed before any dangers can be removed. Free, fully functional trial periods are usually not offered. Spyware or other malware sometimes silently installs rogue antispyware that then offers to remove the spyware. Trojans and toolbars are other sources prompting for rouges to be installed. Affiliate marketing programs are often used to sell rogue antispyware.


Adware:
Adware is a type of program that displays an advertisement of some sort, usually related to a specific website cached in the web browser. In some cases, it changes the home page of your web browser to point to a specific web site. Because adware is not malicious in nature, it is not considered a virus. Adware can do a number of different things to your system. It can monitor and profile your web usage and direct pop up ads based on your surfing habits. Most peer-to-peer file sharing programs come bundled with adware and the user is only notified of this in the fine print of the End User License Agreement. Adware is not as dangerous as other infections, but it can be incredibly annoying. These are the types of programs that download files onto your computer by saying they are necessary for certain websites to work or without notifying you at all. They can take up your computers resources and are largely responsible for the countless popup ads you receive on the web.


Rootkits:
Rootkits are specialized programs that exploit known vulnerabilities in an operating system. These programs are available in abundance on the Internet and are used by hackers to gain root (administrator level) access to a computer.
In Windows, two basic classes of Rootkits exist –user mode Rootkits and kernel mode Rootkits.

User Mode Rootkits
A user mode rootkit involves system hacking in the user or application space. Whenever an application makes a system call, the execution of that system call follows a predetermined path and a Windows rootkit can hijack the system call at many points along that path.
One of the most common user mode techniques is the memory modification of system DLLs. Windows programs utilize common code found in Microsoft provided DLLs. At runtime, these DLLs are loaded into the application’s memory space allowing the application to call and execute code in the DLL.

Kernel Mode Rootkits
A kernel mode rootkit involves system hacking or modification in the kernel space. Kernel space is generally off-limits to standard authorized (or unauthorized) users. One must have the appropriate rights in order to view or modify kernel memory. However, the kernel is an ideal place for system hacking because it is at the lowest level and thus, is the most reliable and robust method of hacking. The system call’s path through the kernel passes through a variety of hook points.

DNS Poisoning:
Typically a networked computer uses a Domain Name System (DNS) server to associate website names with IP addresses that a computer can use to negotiate a connection. Poisoning attacks on a single DNS server can affect the users serviced directly by the compromised server or indirectly by its downstream server(s) if applicable.
To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source, the server will end up caching the incorrect entries locally and serve them to other users that make the same request.
This technique can be used to direct users of a website to another site of the attacker's choosing. For example, an attacker spoofs the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls. He then creates files on the server they control with names matching those on the target server. These files could contain malicious content, such as a computer worm or a computer virus. A user whose computer has referenced the poisoned DNS server would be tricked into accepting content coming from a non-authentic server and unknowingly download malicious content.

3 comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...

Search This Blog

Followers

Categories

Twitter Delicious Facebook Digg Stumbleupon Favorites More