how-to block ads
|
| | | | FAQ Revisions | Editor:
Last modified on 2008-02-24 13:30:45
view: single page · printable | |
1.1 Trojan Horse description | 1.2 Types of Trojan Horses | 1.3 Methods of infection (trojan horse) | 1.4 Virus description | 1.5 Methods of infection (virus) | 1.6 Types of Viruses | 1.7 how to detect a trojan horse&Virus |
login and you can contribute to the FAQ
|
|
| (back) | A Trojan horse program has a useful and desired function, or at least it has the appearance of having such. Trojans use false and fake names to trick users into dismissing the processes. These strategies are often collectively termed social engineering. In most cases the program performs other, undesired functions, but not always. The useful, or seemingly useful, functions serve as camouflage for these undesired functions. A trojan is designed to operate with functions unknown to the victim. The kind of undesired functions are not part of the definition of a Trojan Horse; they can be of any kind, but typically they have malicious intent.
In practice, Trojan Horses in the wild often contain spying functions (such as a packet sniffer) or backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network, creating a "zombie computer". Because Trojan horses often have these harmful functions, there often arises the misunderstanding that such functions define a Trojan Horse.
In the context of Computer Security, the term 'Trojan horse' was first used in a seminal report edited/written by J. P Anderson (aka 'The Anderson Report', written approx. 1980) which credits Daniel Edwards for coinage.
The basic difference from computer viruses is: a Trojan horse is technically a normal computer program and does not possess the means to spread itself. Originally Trojan horses were not designed to spread themselves. They relied on fooling people to allow the program to perform actions that they would otherwise not have voluntarily performed.
Trojans and backdoors typically setup a hidden server, from which a hacker with a client can then log on to. They have become polymorphic, process injecting, prevention disabling, easy to use and therefore abuse.
Trojans of recent times also come as Computer Worm payloads. It is important to note that the defining characteristics of Trojans are that they require some user interaction, and cannot function entirely on their own nor can they self-propagate/replicate.
more trojan info: »DSL FAQ »What is a Trojan?
 feedback form
 feedback form
by qazwsx2 
last modified: 2006-08-11 01:31:11 |
1.2 Types of Trojan Horses·what harmfull actions can a trojan horse cause on my PC?
·what is a Logic bomb trojan?
·What is a Time bomb trojan?
·what is a Dropper trojan?
·what is a Botnet trojan?
| | (back) | Trojan horses are almost always designed to do various harmful things, but could be harmless. Examples are
erasing or overwriting data on a computer.
encrypting files in a cryptoviral extortion attack.
corrupting files in a subtle way.
upload and download files.
spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper' or 'vector'.
setting up networks of zombie computers in order to launch DDoS attacks or send spam.
spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware).
make screenshots.
logging keystrokes to steal information such as passwords and credit card numbers (also known as a keylogger).
phish for bank or other account details, which can be used for criminal activities.
installing a backdoor on a computer system.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:32:58 | | (back) | "Logic bombs" activate on certain conditions met by the computer.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:34:38 | | (back) | "Time bombs" activate on particular dates and/or times.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:34:54 | | (back) | Droppers perform two tasks at once. A dropper performs a legitimate task but also installs a computer virus or a computer worm on a system or disk at the same time.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:35:08 | | (back) | Some may say that a botnet is not a trojan horse, which is almost true. In that case I quote Robert Lemos and Jim Hu, "A bot is also known as a remote-access Trojan horse program, or RAT."
Botnet is a jargon term for a collection of software robots, or bots, which run autonomously. This can also refer to the network of computers using distributed computing software.
While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs (usually referred to as worms, Trojan horses, or backdoors) under a common command and control infrastructure. A botnet's originator can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet owner community.
Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, owners must now find their own servers. Often, a botnet will include a variety of connections, ranging from dial-up, ADSL, cable, educational, corporate, military or even Government. Sometimes, an owner will hide an IRC server installation on an educational or corporate site, where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently, as most script kiddies do not have the knowledge to take advantage of it.
Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor disbanded a 10,000 node botnet. Large coordinated international efforts to shutdown botnets have also been initiated.
Botnets serve various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. The botnet owner community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the largest amount of "high-quality" infected machines (commonly university, corporate, and even government machines).
Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several owners who consider themselves as having legitimate access (note the irony) to a group of bots. Such owners rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships. Often conflicts will occur between the owners as to who owns the individual rights to which machines, and what sorts of actions they may or may not permit.
A denial-of-service attack (also, DoS attack) is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
If a machine receives a Distributed Denial of Service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS Fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from Passive OS Fingerprinting. The best solution is to use hardware (ASIC or FPGA) based Rate Based intrusion prevention system. A solution that can act within seconds like a split second circuit breaker is your best bet as an automated solution.
Botnets typically use free DNS hosting services such as DynDns.org, No-IP.com, & Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points, often hard-coded into the botnet executable. Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refer to such efforts as "nullrouting", because the DNS hosting services usually direct the offending subdomains to an inaccessible IP address.
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse (at least until the owner(s) decides on a new hosting space). However, more recent IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to much harm.
talk about Botnets:
»Yahoo! Mail getting hammered by hackers via Akami
'Zombie' PCs caused Web outage, Akamai says
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:35:53 |
1.3 Methods of infection (trojan horse)·Infected Programs
·Websites
·Email
·Open ports
| | (back) | The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why you're not supposed to open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn't have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually.
feedback form
feedback form
by qazwsx2
last modified: 2006-06-20 19:07:03 | | (back) | You can be infected by visiting a rogue website (IE popups). Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerous bugs, some of which improperly handle data (such as HTML or images) by executing it as a legitimate program. (Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding.) The more "features" a web browser has (for example ActiveX objects, and some older versions of Flash or Java), the higher your risk of having security holes that can be exploited by a trojan horse.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-09 01:17:06 | | (back) | If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images (and actually uses much of the same code to process these as Internet Explorer). Furthermore, an infected file can be included as an attachment. In some cases, an infected email will infect your system the moment it is opened in Outlook -- you don't even have to run the infected attachment.
For this reason, using Outlook lowers your security substantially.
feedback form
feedback form
by qazwsx2
last modified: 2006-06-20 19:07:24 | | (back) | Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide filesharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured.
A firewall may be used to limit access to open ports. Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution, either.
the following tool can be used to identify any open ports: »/scan
feedback form
feedback form
by qazwsx2
last modified: 2006-07-10 10:06:25 |
1.4 Virus description·What is the descriptive history of a virus (new)?
·What is the descriptive history of a virus (old)?
| | (back) | In computer security, a computer virus is a self-replicating computer program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an "infection", and the infected file, or executable code that is not part of a file, is called a "host". Viruses are one of the several types of malicious software or malware. In common parlance, the term virus is often extended to refer to worms, trojan horses and other sorts of malware; viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware.
While viruses can be intentionally destructive, for example, by destroying data, many other viruses are fairly benign or merely annoying. Some viruses have a delayed payload, which is sometimes called a bomb. For example, a virus might display a message on a specific day or wait until it has infected a certain number of hosts. A time bomb occurs during a particular date or time, and a logic bomb occurs when the user of a computer takes an action that triggers the bomb. The predominant negative effect of viruses is their uncontrolled self-reproduction, which wastes or overwhelms computer resources.
Today, viruses are somewhat less common than network-borne worms, due to the popularity of the Internet. Anti-virus software, originally designed to protect computers from viruses, has in turn expanded to cover worms and other threats such as spyware, identity theft and adware.
Included in the many types of viruses are:
-Trojan horses - A Trojan horse is just a computer program. The program pretends to do one thing (like claim to be a picture) but actually does damage when you start it (it can completely erase your files). Trojan horses cannot replicate automatically. Computer viruses are called viruses because they share some traits of types of biological viruses.
-Worms - A worm is a piece of software that uses computer networks and security flaws to create copies of itself. A copy of the worm will scan the network for any other machine that has a specific security flaw. It replicates itself to the new machine using the security flaw, and then starts replicating.
-E-mail viruses - An e-mail virus will use an e-mail message as a mode of transport, and usually will copy itself by automatically mailing itself to hundreds of people in the victim's address book.
A computer virus will pass from one computer to another like a real life biological virus passes from person to person. For example, it is estimated by experts that the Mydoom worm infected a quarter-million computers in a single day in January of 2004. In March of 1999, the Melissa virus spread so rapidly that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be dealt with. Another example is the ILOVEYOU virus which occurred in 2000 had a similarly disastrous effect.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:37:36 | | (back) | A program called "Elk Cloner" is credited with being the first computer virus to appear "in the wild" -- that is, outside the single computer or lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk.
The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the virus.
Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of personal computers, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk.
Traditional computer viruses were mostly first seen at the last half of the 1980s, and they came about because of a few reasons. “The first reason was the spread of personal computers. Prior to the 1980s, home computers were nearly non-existent or they were toys. Real computers were rare, and they were locked away for use by "experts." During the 1980s, real computers started to spread to businesses and homes because of popularity. By the late 1980s, PCs were widespread in businesses, homes and college campuses.
The second reason was the use of bulletin boards on the computer. People could dial up a bulletin board with a modem and download all sorts of different programs. Most popular were games, and then simple word processors, spreadsheets, etc. Bulletin boards led to what is now known as the virus called a Trojan horse. The third reason that led to the creation of viruses was most definitely the floppy disk. At the end of the 1980s, programs were very small, and could fit the operating system, a word processor and many documents onto a single floppy disk. Most computers didn’t have hard disks, so you would turn on your machine and it would load the operating system and everything else straight from the floppy disk. Viruses took advantage of these three facts to create the first self-replicating programs.
As bulletin board systems and online software exchange became popular in the late 1980s and early 1990s, more viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBSes. Within the "pirate scene" of hobbyists trading illicit copies of commercial software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.
Since the mid-1990s, macro viruses have become common. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel. These viruses spread in Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most of these viruses were able to spread on Macintosh computers as well. Numerically, most of these viruses did not have the ability to send infected e-mail. The ones that did usually worked by accessing the Microsoft Outlook COM interface.
Macro viruses pose very unique problems for detection software. For example, some versions of Microsoft Word caused macros to replicate themselves with additional blank lines. The virus behaved identically but would be misidentified as a new virus. In another example, if two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents."
A computer virus may also be transmitted through instant messaging. A virus may send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) and follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:38:04 |
1.5 Methods of infection (virus)·Stealth
·Self-modification
·Encryption with a variable key
·Polymorphic code
·Metamorphic code
| | (back) | Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.
feedback form
feedback form
by qazwsx2
last modified: 2006-06-20 19:08:27 | | (back) | Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
Simple self-modifications
In the past, some viruses modified themselves only in fairly simple ways. For example, they regularly exchanged subroutines in their code. This poses no problems to a somewhat advanced virus scanner.
feedback form
feedback form
by qazwsx2
last modified: 2006-06-20 19:29:44 | | (back) | A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible.
Mostly, the decryption techniques that these viruses employ are fairly simple and mostly done by just xoring each byte with a randomized key that was saved by the parent virus. The use of XOR-operations has the additional advantage that the encryption and decryption routine are the same (a xor b = c, c xor b = a.)
feedback form
feedback form
by qazwsx2
last modified: 2006-06-20 19:09:56 | | (back) | Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that stay the same on each infection, making it impossible to detect directly using signatures. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate.
Some viruses employ polymorphic code in a way which constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that, as a result of this, some instances of the virus may be able to avoid detection.
feedback form
feedback form
by qazwsx2
last modified: 2006-06-20 19:10:18 | | (back) | To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of it part of the metamorphic engine.
feedback form
feedback form
by qazwsx2
last modified: 2006-06-20 19:10:26 |
1.6 Types of Viruses·What is a Nonresident virus?
·What is a Resident virus?
·What are Fast Infectors ?
·What are Slow Infectors?
·What exactly is a companion virus?
·What Virus extensions does an antivirus program typically assign to a virus...
| | (back) | Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
For simple viruses the replicator's task is to:
Open the new file
Check if the executable file has already been infected (if it is, return to the finder module)
Append the virus code to the executable file
Save the executable's starting point
Change the executable's starting point so that it points to the start location of the newly copied virus code
Save the old start location to the virus in a way so that the virus branches to that location right after its execution.
Save the changes to the executable file
Close the infected file
Return to the finder so that it can find new files for the replicator to infect.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:26:00 | | (back) | Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can get called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.
There are two types:
Fast Infectors
and
Slow Infectors
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:24:49 | | (back) | Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software.
feedback form
feedback form
by qazwsx2 | | (back) | Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach doesn't seem very successful however. Virus that are common in the wild are mostly relatively fast to extremely fast infectors.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:26:44 | | (back) | A few older viruses called companion viruses do not have host files per se, but exploit MS-DOS. A companion virus creates new files (typically .COM but can also use other extentions such as ".EXD") that have the same file names as legitimate .EXE files. When a user types in the name of a desired program, if he does not type in ".EXE" but instead does not specify a file extention, DOS will assume he meant the file with the extension that comes first in alphabetical order and run the virus. For instance, if a user had "(filename).COM" (the virus) and "(filename).EXE" and the user typed "filename", he will run "(filename).COM" and run the virus. The virus will spread and do other tasks before redirecting to the legitimate file, which operates normally. Some companion viruses are known to run under Windows 95 and on DOS emulators on Windows NT systems. Path companion viruses create files that have the same name as the legitimate file and place new virus copies earlier in the directory paths. These viruses have become increasingly rare with the introduction of Windows XP, which does not use the MS-DOS command prompt per se.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:25:36 | | (back) | What Virus extensions does an antivirus program typically assign to a virus once it has been found?
@mm is an extension commonly appended to the end of a mass mailing computer virus. This model is used by security firm Symantec, and follows any variant letter. Examples include:
* W32.MyDoom@mm
* Mac.Simpsons@mm
* W32.MyParty@mm
* W32.Nimda.A@mm
Other similar extensions or prefixes are applied to computer viruses, however the decision to do so and indeed the 'name' of the virus is determined by the will of individual security firms.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:28:28 |
1.7 how to detect a trojan horse&Virus·What is a bait file? (antivirus manufactor)
·What antivirus programs do DSLR Members use
·I think I am Infected
·really worried tips
·What programs can I use to detect a Trojan/Virus?
·How To Test Your Virus Scanner [no virus involved]
| | (back) | A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of hosts that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:
Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small infected bait file, than to exchange a large application program that has been infected by the virus.
Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.
Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.
feedback form
feedback form
by qazwsx2
last modified: 2006-08-11 01:39:39 | | (back) | »Security »What anti-virus programs do DSLR Members use?
feedback form
feedback form
by qazwsx2
last modified: 2006-06-20 19:10:48 | | (back) | »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
->http://www.dslreports.com/forum/cleanup
thxs lilhurricane
feedback form
feedback form
by qazwsx2
last modified: 2006-06-20 22:30:41 | | (back) | If you are really worried about traditional computer viruses, you should try to run a more secure operating system. You don’t often hear about viruses on the UNIX operating systems because the security features keep viruses away from your hard disk and other files.
• If an unsecured operating system is being used, the user should try buying virus protection software as a nice safeguard.
• If you just avoid programs from unknown sources (like the Internet), and instead stick with commercial software purchased on CDs, you get rid of all of the risk from traditional computer viruses.
• “Do not ever double-click on an attachment that has an executable file that arrives as an e-mail attachment. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files and they can do no damage.UPDATE: .docs, .gifs, and .jpgs can now contain trojans and viruses. A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Once you run it, you have given it permission to do anything on your machine. The only defense is to never run executables that arrive via e-mail.
feedback form
feedback form
by qazwsx2
last modified: 2006-09-07 07:04:12 | | (back) | Well, to keep it very simple, I suggest to use the recent addition to AVG and AVG itself for detecting a virus or trojan.
Free versions
complete link: »free.grisoft.com/doc/5390/lng/us···avg-free
avg direct download: »free.grisoft.com/softw/70free/se···a782.exe
ewido direct download: »free.grisoft.com/softw/70free/se···172c.exe
feedback form
feedback form
by qazwsx2
last modified: 2006-08-09 01:26:52 | | (back) | NO VIRUS INCLUDED DO NOT WORRY
TO TEST IF YOUR VIRUS SCANNER IS WORKING PROPERLY ALL YOU NEED TO DO IS:
1)RIGHT CLICK ON YOUR DESKTOP AND CLICK ON "NEW" THEN CLICK ON "TEXT DOCUMENT", (IT DOESNT MATTER WHAT YOU NAME IT).
2)COPY THE CODE BELOW IN THE TEXT DOCUMENT (HAS TO ALL BE ON ONE LINE OR IT WILL NOT WORK).
Code:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
3)ONCE YOU HAVE DONE THAT CLICK "FILE AND THEN CLICK "SAVE".
4)YOUR VIRUS SCANNER SHOULD PICK IT UP AS SOON AS YOU SAVE IT BUT IF NOT RIGHT CLICK ON THE TEXT DOCUMENT AND CLICK "SCAN FOR VIRUSES" OR SOMETHING LIKE THAT.
THIS IS NOT A REAL VIRUS! IT IS JUST TO CHECK THAT YOUR VIRUS SCANNER IS WORKING
feedback form
feedback form
by Aaronthesky edited by qazwsx2
last modified: 2008-02-24 13:30:45 |
|
