Various types of malware. Potentially dangerous applications

    In this article we will get acquainted with the main types of malware. There are many different types, so let's break them all down in order!

    I will try to describe everything quite simply, and I think you will like it! So let's go!

    Viruses

    The first type is, as you probably all already know, computer “viruses” and computer “worms”. What are they? Surely you have heard many definitions and classifications of them? If not, now you will definitely know what they are and how they work!

    Viruses are a kind of malicious software that performs various unauthorized actions on your OS (operating system); what exactly it does depends on the virus's purpose. Basically, a virus is program code that gives your computer certain commands, which the computer executes. We will talk about how this happens and how viruses are written in the article “Virus commands and how it works.” That's all about viruses for now; let's move on to the next type, worms.

    Worms

    What are worms and how do they work? This is also malicious software, but with slightly different “code”: the main difference is self-reproduction (copying itself), and each copy retains the same self-reproducing property! This has a very bad effect on your computer's speed.

    Trojans

    Trojan programs are programs designed and written specifically for the particular “needs” of an attacker. For example, a Trojan program can easily copy your data (passwords, say, or other information from your computer).

    I would like to note that such programs can also modify or block information, or even an entire set of commands on your computer! Be careful: these are very dangerous and harmful programs that can cause serious consequences. Let me give you an example. Say your computer picked up a Trojan while you were browsing the Internet and your antivirus detected it; you think, okay, I'll delete it and that's it! At first glance everything is logical: picked it up, deleted it, nothing to worry about!

    But as I already wrote, if you read carefully, such a program can modify information and commands (change them, make alterations), so it turns out that the Trojan was removed but had already done its job by changing a number of commands in your system or its settings. What could that lead to? It depends entirely on the code and on what changes it makes to your PC's system.

    So that's how things stand, dear readers! I would also like to write how a Trojan differs from a simple virus. The main difference is that Trojans do not copy “themselves” (they do not create copies of themselves). Well, that's enough about Trojans for now; let's move on!

    The next type is quite cunning programs called “malicious utilities”. This is one of the most complex types of programs, since these programs can be both useful and harmful. And of course, I can't do without an example :)

    Malicious utilities

    Let me give you an example: such a program is installed on your PC (personal computer) and may not harm your computer at all, but as always there is a “but”. Such a program can hack the security system of another computer from yours! Can you imagine? You sit drinking your tea and watching a movie, and meanwhile the processor of your machine executes commands that bypass the protection of another computer. There are few such utilities, but they already exist and I have come across them! So, as you can see, not everything about this type is clear-cut, but let's finish with it for now and move on to another type.

    Adware, Pornware and Riskware

    Adware, pornware and riskware are a little more complicated and need a little more detail. So what is this malware? I'll try to be as clear as possible. Let's begin. This is a rather conditional category of harmful programs, since they can be both harmful and completely useful. Let me give an example again for clarification, since with an example everything becomes clearer. Say you are a system administrator and you need to install a remote administration program for computers. For those who are not very familiar with this, briefly: it is the ability to control another computer remotely, via a local network (a special cable) or the Internet. In this case everything is fine, because you need it to simplify the operation and maintenance of other PCs. But imagine that the role of system administrator is taken by an attacker with his own ideas about how to use this loophole.

    So I have briefly described everything. I will write many more articles on this type in more detail: how it all works, how it is implemented, and how to protect yourself from this kind of threat.

    Introduction

    A malicious program is a computer program or piece of mobile code designed to carry out threats against information stored in a computer system, to covertly misuse system resources, or to otherwise interfere with the normal functioning of the computer system.

    Malicious software includes network worms, classic file viruses, Trojans, hacker utilities and other programs that knowingly cause harm to the computer on which they are executed or to other computers on the network.

    Regardless of the type, malware is capable of causing significant damage by implementing any threat to information - threats to violate integrity, confidentiality, and availability.

    The place where malware spreads globally is, of course, the Internet.

    The Internet, without a doubt, is a necessary thing in our time; for some it is simply indispensable. In a short time you can find the information you need, catch up on the latest news, and communicate with many people, all without leaving your home, office, and so on. But do not forget that through this “thick pipe” hackers can easily break into your computer and gain access to your personal information.

    Although hardware and software vendors, as well as government officials, adopt the posture of protectors of personal information into which outside intrusion is unacceptable, there are serious reasons to fear that our travels on the Internet will not go unnoticed by someone's “attentive” eyes; anonymity and security are not guaranteed. Hackers can easily read email messages, and Web servers log everything, even the list of Web pages viewed.

    1. Evolution of virus systems

    The first virus programs

    1949. The American scientist of Hungarian origin John von Neumann developed a mathematical theory for creating self-replicating programs. This was the first theory about the creation of computer viruses, and it aroused very limited interest in the scientific community.

    In the early 1960s, engineers from the American company Bell Telephone Laboratories, V.A. Vyssotsky, G.D. McIlroy and Robert Morris, created the game Darwin. The game assumed the presence in the computer's memory of a so-called supervisor, which set the rules and order of the battle between rival programs written by the players. The programs could explore memory, reproduce and destroy. The point of the game was to delete all copies of the opponent's program and capture the battlefield.

    Late 1960s to early 1970s: the appearance of the first viruses. In a number of cases these were bugs in programs that caused them to copy themselves, cluttering computers' hard drives and reducing their performance, but it is believed that in most cases viruses were created deliberately to destroy. Probably the first victim of a real virus, written by a programmer for entertainment, was the Univac 1108 computer. The virus was called Pervading Animal and infected only one computer, the one on which it was created.

    Malware today

    The problem of malware, adware and spyware in particular, deserves increased attention as one of the most important troubles that modern computer users face every day. Their harmful effect is that they undermine the principle of computer reliability, violate the privacy of personal life and confidentiality, and break the relationships between the computer's protection mechanisms through combinations of spying actions. Such programs often appear without the recipient's knowledge, and even when detected they are difficult to get rid of. A noticeable decrease in performance, erratic changes in user settings and the appearance of new dubious toolbars or add-ons are just a few of the unpleasant consequences of a spyware or adware infection. Spyware and other malicious programs can also adapt to more subtle modes of computer operation and penetrate deeply into the complex mechanisms of the operating system, so as to greatly complicate their detection and removal.

    Reduced performance is probably the most noticeable effect of malware, as it directly affects the speed of the computer to such an extent that even a layman can notice it. Users may not be so wary when advertising windows pop up now and then, even when the computer is not connected to the Internet, but a decrease in the responsiveness of the operating system, as threads of malicious code compete with the system and useful programs, clearly indicates that problems have arisen. Software settings change, new features are mysteriously added, unusual processes appear in the task manager (sometimes a dozen of them), or programs behave as if someone else is using them and you have lost control over them. The side effects of malware (be it adware or spyware) lead to serious consequences, and yet many users continue to behave carelessly, opening the door to their computer wide.

    On the modern Internet, on average, every thirtieth email is infected with a mail worm, and about 70% of all correspondence is unwanted. With the growth of the Internet, the number of potential victims of virus writers increases, and the emergence of new operating systems widens the range of possible ways of penetrating a system and of possible malicious payloads for viruses. A modern computer user cannot feel safe in the face of the threat of becoming the object of someone's cruel joke, such as the destruction of information on a hard drive, the results of long and painstaking work, or the theft of a mail password. It is just as unpleasant to become the victim of a mass mailing of confidential files or of links to a porn site. In addition to the already common theft of credit card numbers, cases of theft of personal data of players of various online games (Ultima Online, Legend of Mir, Lineage, Gamania) have become more frequent. In Russia, cases have also been recorded with the game “Fight Club”, where the real cost of some items at auctions reaches thousands of US dollars. Virus technologies for mobile devices have also developed. Not only Bluetooth, but also regular MMS messages (the ComWar worm) are used as a penetration route.

    2. Types of malware

    2.1 Computer virus

    A computer virus is a type of computer program whose distinctive feature is the ability to reproduce (self-replicate). In addition, viruses can damage or completely destroy all files and data controlled by the user on whose behalf the infected program was launched, as well as damage or even destroy the operating system with all of its files.

    Non-specialists sometimes classify other types of malicious programs as computer viruses, such as Trojans, spyware and even spam. (Spam is the sending of commercial, political and other advertising, or other types of messages, to people who have not expressed a desire to receive them. The legality of mass mailing of certain types of messages, for which the consent of recipients is not required, may be enshrined in the legislation of a country; for example, this may concern messages about impending natural disasters, mass mobilization of citizens, and so on. In its generally accepted meaning, the term “spam” was first used in Russian in relation to email mailings.) Tens of thousands of computer viruses are known that spread via the Internet throughout the world, causing virus epidemics.

    Viruses spread by inserting themselves into the executable code of other programs or by replacing other programs. For some time it was even believed that, being a program, a virus could only infect a program: any change to something that is not a program is not an infection but simply data corruption. It was understood that such copies of the virus would not gain control, being information that the processor does not use as instructions. So, for example, unformatted text could not be a carrier of a virus.

    However, attackers later realized that not only executable code containing the processor's machine code can exhibit viral behavior. Viruses were written in batch file language. Then macro viruses appeared, injecting themselves through macros into documents in programs such as Microsoft Word and Excel.

    Some time later, hackers created viruses that exploit vulnerabilities in popular software (for example, Adobe Photoshop, Internet Explorer, Outlook) that normally processes ordinary data. Viruses began to spread by introducing special code that exploits software vulnerabilities into data sequences (for example, pictures, texts, and so on).

    2.2 Trojan

    Malicious effects

    A Trojan program (also Trojan, Trojan horse, troy) is malware that penetrates a computer under the guise of a harmless codec, screensaver, hacker software, and so on.

    Trojan horses do not have their own propagation mechanism, and this differs from viruses, which spread by attaching themselves to harmless software or documents, and worms, which replicate themselves across the network. However, a Trojan program can carry a viral body - then the person who launched the Trojan turns into a source of “infection”.

    Trojan programs are extremely easy to write: the simplest of them consist of several dozen lines of code in Visual Basic or C++.

    The name “Trojan program” comes from the name “Trojan horse” - a wooden horse, according to legend, given by the ancient Greeks to the inhabitants of Troy, inside which hid warriors who later opened the gates of the city to the conquerors. This name, first of all, reflects the secrecy and potential deceit of the true intentions of the program developer.

    A Trojan program, when launched on a computer, can:

    · interfere with the user's work (as a joke, by mistake or to achieve any other purpose);

    · spy on the user;

    · use computer resources for any illegal (and sometimes causing direct damage) activities, etc.

    Trojan disguise

    To provoke the user into launching a Trojan, the program file (its name and icon) is given a service-like name, disguised as another program (for example, the installer of another program) or as a file of a different type, or simply given an attractive name, icon, and so on. An attacker can recompile an existing program, adding malicious code to its source code, and then pass it off as the original or substitute it for the original.

    To perform these functions successfully, the Trojan can to one degree or another imitate (or even completely replace) the task or data file it is masquerading as (installation program, application program, game, application document, picture). Similar malicious and camouflage functions are also used by computer viruses, but unlike them, Trojan programs cannot spread on their own.

    Spreading

    Trojan programs are placed by the attacker on open resources (file servers, writable drives of the computer itself) or storage media, or sent via messaging services (for example, email) in the expectation that they will be launched on a specific “target” computer, on a computer belonging to a certain circle, or on an arbitrary one.

    Sometimes the use of Trojans is only part of a planned multi-stage attack on certain computers, networks or resources (including third parties).

    Removal methods

    Trojans come in many types and forms, so there is no absolutely reliable protection against them.

    To detect and remove Trojans you must use antivirus programs. If the antivirus reports that it has detected a Trojan but cannot remove it, you can try booting the OS from an alternative source and repeating the antivirus scan. If a Trojan is detected in the system, it can also be removed manually (safe mode is recommended).

    It is extremely important to regularly update the antivirus database of the antivirus installed on your computer to detect Trojans and other malware, since many new malware programs appear every day.

    2.3 Spyware

    Definition

    Spyware is a program that is secretly installed on a computer in order to fully or partially control the operation of the computer and the user without the latter's consent.

    At present there are many definitions and interpretations of the term spyware. The Anti-Spyware Coalition, which includes many major manufacturers of anti-spyware and antivirus software, defines it as monitoring software installed and used without proper notification of the user and without the user's consent and control, that is, installed without authorization.

    Features of operation

    Spyware can perform a wide range of tasks, for example:

    · collect information about Internet usage habits and the most frequently visited sites (tracking software);

    · record keystrokes (keyloggers) and take screenshots (screen scrapers), then send the information to the creator of the spyware;

    · allow unauthorized remote control of the computer (remote control software): backdoors, botnets, droneware;

    · install additional programs on the user's computer;

    · perform unauthorized analysis of the state of security systems (security analysis software): port and vulnerability scanners and password crackers;

    · change the parameters of the operating system (system modifying software): rootkits, control hijackers, and so on, resulting in a slower Internet connection or loss of the connection altogether, opening other home pages or deleting certain programs;

    · redirect browser activity, which leads to visiting websites blindly with the risk of virus infection.

    Legal uses of "potentially unwanted technologies"

    · Tracking software is widely and completely legally used for monitoring personal computers.

    · Adware can be openly included in free and shareware software, and the user agrees to view advertising in order to have some additional opportunity (for example, to use the program for free). In this case, the presence of a program for displaying advertising must be explicitly stated in the end user license agreement (EULA).

    · Remote monitoring and control programs can be used for remote technical support or for access to your own resources located on a remote computer.

    · Dialers can provide access to resources the user needs (for example, dialing an Internet provider to connect to the Internet).

    · Programs for system modification can also be used for personalization desired by the user.

    · Automatic download programs can be used to automatically download application updates and OS updates.

    · Programs for analyzing the state of the security system are used to study the security of computer systems and for other completely legal purposes.

    · Passive tracking technologies can be useful in personalizing the web pages a user visits.

    History and development

    According to 2005 data from AOL and the National Cyber-Security Alliance, 61% of responding computers contained some form of spyware, of which 92% of users were unaware of the presence of spyware on their machines and 91% reported that they did not authorize the installation of spyware.

    By 2006, spyware had become one of the prevailing security threats to computer systems running Windows. Computers that use Internet Explorer as their primary browser are particularly vulnerable, not because Internet Explorer is the most widely used, but because its tight integration with Windows allows spyware to gain access to key parts of the OS.

    Before the release of Internet Explorer 7, the browser automatically presented an installation window for any ActiveX component that a website wanted to install. The combination of naive user ignorance towards spyware and Internet Explorer's assumption that all ActiveX components are harmless has contributed to the proliferation of spyware. Many spyware components also exploit flaws in JavaScript, Internet Explorer and Windows to install themselves without the user's knowledge and/or permission.

    The Windows registry contains many sections that, after modifying the key values, allow the program to execute automatically when the OS boots. Spyware can use this pattern to bypass uninstallation and removal attempts.

    Spyware usually registers itself in every location in the registry that allows execution. Once running, it periodically checks whether one of these entries has been deleted; if so, the entry is automatically restored. This ensures that the spyware will run at OS boot even if some (or most) of its startup registry entries are removed.
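One defensive way to catch the self-restoring behaviour just described is to diff snapshots of the autorun keys over time rather than looking at a single listing. The following is an added example, not code from the article: it parses three constructed `reg export` style dumps of the per-user Run key and reports values that were deleted and then silently came back with the same target; the value names, paths and the scratch-directory heuristic are assumptions for illustration.

```python
"""Detect Run-key autorun entries that reappear after being removed.

Added example, not taken from the article. The snapshots are constructed
text in the format written by `reg export` for the per-user Run key; the
value names and file paths are hypothetical.
"""
import re
from typing import Dict, List

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Triage heuristic only (assumption, not a rule): autorun targets living in
# scratch or roaming directories deserve a second look, since droppers often
# write there because it needs no administrator rights.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string-value subset of .reg syntax into {key: {name: data}}.

    .reg files double every backslash inside string data, so "C:\\\\x.exe"
    in the file means C:\\x.exe; that escaping is undone here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            data = value_match.group("data").replace("\\\\", "\\")
            keys[current][value_match.group("name")] = data
    return keys


def run_entries(snapshot: str) -> Dict[str, str]:
    """Autorun values of the per-user Run key in one snapshot."""
    return parse_reg_export(snapshot).get(RUN_KEY, {})


def restored_entries(baseline: str, after_cleanup: str, later: str) -> List[str]:
    """Names removed between baseline and after_cleanup that are back in later.

    A value that was deliberately deleted and silently reappears with the
    same target is the self-repair behaviour described in the article; a
    reinstalled legitimate program would normally register a fresh target.
    """
    before = run_entries(baseline)
    cleaned = run_entries(after_cleanup)
    now = run_entries(later)
    removed = set(before) - set(cleaned)
    return sorted(name for name in removed if now.get(name) == before[name])


def suspicious_targets(snapshot: str) -> List[str]:
    """Run values whose target path falls under one of SUSPICIOUS_DIRS."""
    flagged = []
    for name, target in run_entries(snapshot).items():
        lowered = target.lower()
        if any(marker in lowered for marker in SUSPICIOUS_DIRS):
            flagged.append(name)
    return sorted(flagged)


# Constructed snapshots: before cleanup, right after the operator deleted
# "SysUpdater", and some time later when the watchdog has re-created it.
SNAPSHOT_T0 = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"SysUpdater"="C:\\Users\\alice\\AppData\\Roaming\\sysupd\\svchost.exe"
"""

SNAPSHOT_T1 = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

SNAPSHOT_T2 = SNAPSHOT_T0  # the deleted value is back with the identical target


if __name__ == "__main__":
    print("restored after removal:", restored_entries(SNAPSHOT_T0, SNAPSHOT_T1, SNAPSHOT_T2))
    print("suspicious targets now:", suspicious_targets(SNAPSHOT_T2))
```

On a live system the same functions apply to dumps of the machine-wide Run/RunOnce keys and the other execution locations the article mentions; only RUN_KEY needs to change.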

    Spyware, viruses and network worms

    Unlike viruses and network worms, spyware usually does not reproduce itself. Like many modern viruses, spyware is introduced into a computer primarily for commercial purposes. Typical manifestations include displaying pop-up advertisements, stealing personal information (including financial information such as credit card numbers), tracking website browsing habits, or redirecting browser requests to advertising or pornography sites.

    Telephone scam

    Spyware creators can commit fraud on telephone lines using dialer-type programs. The dialer can reconfigure the modem to dial high-value phone numbers instead of the regular ISP. Connections to these untrustworthy numbers come at international or intercontinental rates, resulting in exorbitantly high phone bills. The dialer is not effective on computers without a modem or not connected to a telephone line.

    Treatment and prevention methods

    If the spyware threat becomes more than an annoyance, there are a number of methods to combat it. These include programs designed to remove or block the introduction of spyware, as well as various user tips aimed at reducing the likelihood of spyware entering the system.

    However, spyware remains a costly problem. When a significant number of spyware elements have infected the OS, the only remedy is to save the user data files and completely reinstall the OS.

    Antispyware programs

    Programs such as Ad-Aware from Lavasoft (free for non-commercial use, additional services paid) and Spyware Doctor from PC Tools (free scan, spyware removal paid) quickly gained popularity as effective tools for removing and, in some cases, preventing the introduction of spyware. In 2004, Microsoft acquired GIANT AntiSpyware, renamed it Windows AntiSpyware beta and released it as a free download for registered users of Windows XP and Windows Server 2003. In 2006, Microsoft renamed the beta version Windows Defender, which has been available as a free download (for registered users) since October 2006 and is included as a standard tool in Windows Vista.

    2.4 Network worms

    A network worm is a type of self-reproducing computer program distributed over local and global computer networks. A worm is an independent program.

    Some of the first experiments on the use of computer worms in distributed computing were conducted at the Xerox Palo Alto Research Center by John Shoch and Jon Hupp in 1978. The term was influenced by David Gerrold's science fiction novel “When HARLIE Was One” and John Brunner's “The Shockwave Rider”.

    One of the most famous computer worms is the Morris Worm, written by Robert Morris Jr., who was a student at Cornell University at the time. The spread of the worm began on November 2, 1988, after which the worm quickly infected a large number of computers connected to the Internet.

    Distribution Mechanisms

    Worms can use various mechanisms (“vectors”) for propagation. Some worms require a specific user action to spread (for example, opening an infected message in an email client). Other worms can spread autonomously, choosing and attacking computers in fully automatic mode. Sometimes there are worms with a whole range of different propagation vectors, victim selection strategies, and even exploits for different operating systems.

    Structure

    So-called RAM-resident worms are often singled out as a separate category: they can infect a running program and reside in RAM without touching hard drives. You can get rid of such a worm by restarting the computer (and thus clearing RAM). Such worms consist mainly of an “infectious” part, an exploit (shellcode) and a small payload (the worm body itself), which is located entirely in RAM. The specificity of such worms is that they are not loaded through a loader like ordinary executable files, which means they can only rely on dynamic libraries already loaded into memory by other programs.

    There are also worms that, after successfully infecting memory, save code on the hard drive and take measures to run this code subsequently (for example, by writing the corresponding keys in the Windows registry). Such worms can only be removed with an antivirus or similar tools. Often the infectious part of such worms (exploit, shellcode) contains a small payload that is loaded into RAM and can then “pull in” the worm itself over the network as a separate file. To do this, some worms include a simple TFTP client in the infectious part. The worm body loaded in this way (usually a separate executable file) is then responsible for further scanning and spreading from the infected system, and may also carry a more serious, full-fledged payload whose purpose could be, for example, to cause some harm (for example, DoS attacks).

    Most email worms are distributed as a single file. They do not need a separate “infection” part, since usually the victim user, using an email client, voluntarily downloads and launches the entire worm.

    2.5 Rootkits

    A rootkit is a program or set of programs that uses techniques for hiding system objects (files, processes, drivers, services, registry keys, open ports, connections, and so on) by bypassing system mechanisms.

    The term rootkit historically comes from the world of Unix, where it refers to a set of utilities that a hacker installs on a hacked computer after gaining initial access. These are, as a rule, hacker tools (sniffers, scanners) and Trojan programs that replace the main Unix utilities. A rootkit allows a hacker to gain a foothold in a compromised system and hide traces of their activity.

    In Windows, the term rootkit usually refers to a program that injects itself into the system and intercepts system functions or replaces system libraries. Intercepting and modifying low-level API functions first of all allows such a program to mask its presence in the system well enough to evade detection by the user and antivirus software. In addition, many rootkits can mask the presence in the system of any processes listed in their configuration, of folders and files on disk, or of registry keys. Many rootkits install their own drivers and services into the system (these are naturally also “invisible”).

    Recently the threat of rootkits has become increasingly relevant, as developers of viruses, Trojans and spyware have begun to embed rootkit technologies into their malware. One classic example is the program Trojan-Spy.Win32.Qukart, which masks its presence in the system using rootkit technology. Its rootkit mechanism works on Windows 95, 98, ME, 2000 and XP.

    Classification of rootkits

    Conventionally, all rootkit technologies can be divided into two categories:

    · Rootkits operating in user mode (user-mode)

    · Rootkits running in kernel mode (kernel-mode)

    Also, rootkits can be classified according to their operating principle and persistence. Based on the operating principle:

    · Changing algorithms for performing system functions.

    · Changing system data structures.
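Whether a rootkit alters the algorithm of a system function or the data structures it reads, the defensive answer is the same: enumerate the same objects through the normal API and through a lower-level path, and treat anything only the low-level path returns as a candidate hidden object (cross-view detection). The following is an added example, not from the article or any product: the views are constructed sets of “pid:name” strings and file paths, the names and PIDs are invented, and the check is repeated across sampling rounds so that a process that merely exited between two enumerations is not reported.

```python
"""Cross-view detection of objects a rootkit hides from the API.

Added example, not from the article or any product. Each "view" is a set
of object identifiers (here constructed "pid:name" strings for processes;
file paths or registry key paths work the same way). The API view is what
a hooked user-mode enumeration returns; the raw view is what a lower-level
enumeration returns (e.g. walking kernel structures or brute-forcing PIDs).
Whatever only the raw view contains is a candidate hidden object.
"""
from typing import Dict, Sequence, Set, Tuple

View = Set[str]
Round = Tuple[View, View]  # (api_view, raw_view) sampled close together


def hidden_in_round(api_view: View, raw_view: View) -> Set[str]:
    """Objects seen by the low-level enumeration but missing from the API view."""
    return raw_view - api_view


def persistent_hidden(rounds: Sequence[Round]) -> Set[str]:
    """Discrepancies that survive every sampling round.

    One round is not enough: a process that exits between the two
    enumerations appears in only one view purely by timing. A rootkit's
    configured hide-list, by contrast, produces the same gap every time.
    """
    result = None
    for api_view, raw_view in rounds:
        gap = hidden_in_round(api_view, raw_view)
        result = gap if result is None else result & gap
    return result or set()


def scan_report(views_by_type: Dict[str, Sequence[Round]]) -> Dict[str, Set[str]]:
    """Run the persistent check per object type and keep only non-empty results."""
    report = {}
    for obj_type, rounds in views_by_type.items():
        hidden = persistent_hidden(rounds)
        if hidden:
            report[obj_type] = hidden
    return report


# Constructed samples (names and PIDs invented). Round 1 also contains a
# short-lived installer that exited before the API enumeration ran.
API_PROCS_R1 = {"4:System", "512:svchost.exe", "1300:explorer.exe", "2210:notepad.exe"}
RAW_PROCS_R1 = API_PROCS_R1 | {"3344:updchk.exe", "2400:setup_tmp.exe"}
API_PROCS_R2 = {"4:System", "512:svchost.exe", "1300:explorer.exe"}
RAW_PROCS_R2 = API_PROCS_R2 | {"3344:updchk.exe"}

# Directory listing through the API versus a raw enumeration of the same folder.
API_FILES_R1 = {r"C:\Windows\System32\drivers\ndis.sys"}
RAW_FILES_R1 = API_FILES_R1 | {r"C:\Windows\System32\drivers\updchk.sys"}
API_FILES_R2 = set(API_FILES_R1)
RAW_FILES_R2 = set(RAW_FILES_R1)

SAMPLE_VIEWS = {
    "processes": [(API_PROCS_R1, RAW_PROCS_R1), (API_PROCS_R2, RAW_PROCS_R2)],
    "files": [(API_FILES_R1, RAW_FILES_R1), (API_FILES_R2, RAW_FILES_R2)],
    "registry": [(set(), set()), (set(), set())],  # nothing hidden here
}

if __name__ == "__main__":
    for obj_type, hidden in scan_report(SAMPLE_VIEWS).items():
        print(f"{obj_type}: hidden from API view -> {sorted(hidden)}")
```

A kernel-mode rootkit can in principle falsify the low-level view too, which is why real tools compare several independent sources (API, kernel lists, raw disk) rather than just two.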

    3. Signs that your computer is infected with a virus. Actions to take if an infection is detected

    The presence of viruses on a computer is difficult to detect because they are hidden among ordinary files. This article describes in more detail the signs of a computer infection, as well as methods for recovering data after a virus attack and measures to prevent it from being damaged by malware.

    Signs of infection:

    · displaying unexpected messages or images on the screen;

    · giving unexpected sound signals;

    · unexpected opening and closing of the CD-ROM device tray;

    · programs launching on your computer spontaneously, without your participation;

    · if you have a firewall on your computer, warnings appear about an attempt by one of your programs to access the Internet, although you did nothing to initiate this.

    If you notice something like this happening to your computer, it is highly likely that your computer is infected with a virus.

    In addition, there are some characteristic signs of being infected by a virus via email:

    · friends or acquaintances tell you about messages from you that you did not send;

    · in your mailbox there are a large number of messages without a return address and header.

    It should be noted that such symptoms are not always caused by the presence of viruses. Sometimes they can be a consequence of other reasons. For example, in the case of mail, infected messages may be sent with your return address, but not from your computer.

    There are also indirect signs of infection of your computer:

    · frequent freezes and crashes;

    · slow operation of the computer when launching programs;

    · inability to load the operating system;

    · disappearance of files and directories or corruption of their contents;

    · frequent hard drive activity (the drive light on the system unit);

    · the Internet browser freezes or behaves unexpectedly (for example, the program window cannot be closed).

    In 90% of cases, the presence of indirect symptoms is caused by a hardware or software failure. Although such symptoms are unlikely to indicate an infection, if they appear it is recommended to run a full scan of your computer with the antivirus program installed on it.

    Actions to take if an infection is detected:

    1. Disconnect your computer from the Internet (from the local network).

    2. If the symptom of the infection is that you cannot boot the computer from the hard drive (the computer gives an error when you turn it on), try booting into safe mode or from the Windows emergency boot disk that you created when installing the operating system.

    3. Before taking any action, save the results of your work to external media (floppy disk, CD, flash drive, etc.).

    4. Install an antivirus if you do not have any antivirus programs installed on your computer.

    5. Get the latest antivirus database updates. If possible, get them by accessing the Internet not from your own computer but from an uninfected computer: a friend's, an Internet cafe's, or one at work. Another computer is better because when an infected computer connects to the Internet there is a chance that the virus will send important information to attackers or spread to the addresses in your address book. That is why, if you suspect an infection, it is best to disconnect from the Internet immediately.

    6. Run a full scan of your computer.

    4. Anti-malware methods


    There is no 100% protection against all malware: nobody is immune from worms such as Sasser or Conficker, which exploited unpatched vulnerabilities in Windows. To reduce the risk of losses from malware, we recommend:

    · use modern operating systems that have a serious level of protection against malware;

    · install patches promptly; if an automatic update mode is available, enable it;

    · always work on the personal computer under an ordinary user account rather than as administrator, which prevents most malicious programs from installing themselves;

    · use specialized products with so-called heuristic (behavioral) analyzers, i.e. ones that do not depend on a signature database;

    · use antivirus products from well-known vendors with automatic updating of signature databases;

    · use a personal firewall that controls the computer's access to the Internet according to policies set by the user;

    · restrict physical access to the computer by unauthorized persons;

    · use external storage media only from trusted sources;

    · do not open files received from unreliable sources;

    · disable autostart from removable media, so that code placed on such media cannot run without the user's knowledge (in Windows: gpedit.msc -> User Configuration -> Administrative Templates -> System -> Turn off Autoplay -> Enabled, "All drives").

    Modern defenses against the various forms of malware include many software components and methods for telling "good" applications from "bad" ones. Antivirus vendors now build scanners for spyware and other malicious code into their products, so everything possible is done to protect the end user. However, no anti-spyware package is perfect: one product may be too aggressive, blocking programs at the slightest suspicion and "cleaning out" useful utilities that you use regularly, while another is friendlier to software but may let some spyware through. So, unfortunately, there is no panacea.

    Unlike antivirus packages, which regularly achieve 100% detection in professional tests such as those conducted by Virus Bulletin, no anti-adware package scores above 90%, and the effectiveness of many other products falls between 70% and 80%.

    This is why using, for example, an antivirus and an anti-spyware program together gives the most comprehensive protection against dangers that arrive unexpectedly. Practice shows that one package should serve as a permanent "blocker" loaded every time the computer starts (for example, AVP 6.0), while another (or several) should be run at least once a week for an additional scan (for example, Ad-Aware). What one package misses, another can catch.

    5. Classification of antivirus programs

    Types of antivirus programs

    Evgeny Kaspersky in 1992 used the following classification of antiviruses by operating principle (i.e. by functionality):

    · Scanners (an older term is "polyphages"): detect a virus using a signature database that stores virus signatures (or their checksums). Their effectiveness depends on how current the virus database is and on whether a heuristic analyzer is present (see: Heuristic scanning).

    · Auditors (integrity checkers, a class close to IDS): remember the state of the file system, which makes it possible to analyze changes to it later.

    · Monitors (watchdogs): watch for potentially dangerous operations and ask the user to allow or deny each one.

    · Vaccines (immunizers): modify the protected file so that the virus being vaccinated against treats the file as already infected. Under modern (2007) conditions, when the number of possible viruses runs into the hundreds of thousands, this approach is not applicable.

    Modern antiviruses combine all of the above functions in one product.
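    As an added example (not code from the page or from any of the products it names), the following Python script shows the two oldest of these mechanisms side by side: a scanner that matches files against a small signature database of byte patterns and whole-file SHA-256 checksums, and an auditor that records a baseline of a file tree and reports what was added, removed or modified afterwards. The signature database, the "marker" pattern and the directory contents are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed signature database for the example. A real one holds millions of
# entries in a compact form, but the two kinds of lookup are the same.
MARKER = b"HYPOTHETICAL-MALWARE-MARKER-7F3A"           # byte-pattern signature
BYTE_SIGNATURES = {"Example.Marker": MARKER}
KNOWN_BAD = b"known bad file body"                      # a whole known-bad file
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Example.KnownBad"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: Path) -> list:
    """Scanner: names of every signature matching this file (empty if clean)."""
    hits = []
    digest = sha256_of(path)
    if digest in HASH_SIGNATURES:           # checksum of the whole file
        hits.append(HASH_SIGNATURES[digest])
    data = path.read_bytes()
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:                 # byte pattern anywhere in the file
            hits.append(name)
    return hits


def scan_tree(root: Path) -> dict:
    """Scan every regular file under root; keys are paths relative to root."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = scan_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def snapshot(root: Path) -> dict:
    """Auditor, step 1: remember the state of the tree as path -> SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare(before: dict, after: dict) -> dict:
    """Auditor, step 2: report what changed relative to the baseline."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys()
                           if before[k] != after[k]),
    }


def demo() -> tuple:
    """Build a constructed directory tree, scan it, then audit it after changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "docs").mkdir()
        (root / "bin" / "clean.exe").write_bytes(b"MZ clean program body")
        (root / "bin" / "dropper.exe").write_bytes(b"MZ " + MARKER + b" payload")
        (root / "docs" / "sample.bin").write_bytes(KNOWN_BAD)
        findings = scan_tree(root)

        baseline = snapshot(root)
        # Simulate what a file infector and a dropper do after the baseline:
        # append code to a clean executable, create a new file, delete one.
        with (root / "bin" / "clean.exe").open("ab") as f:
            f.write(MARKER)
        (root / "bin" / "new.dll").write_bytes(b"MZ something new")
        (root / "docs" / "sample.bin").unlink()
        changes = compare(baseline, snapshot(root))
        return findings, changes


if __name__ == "__main__":
    found, changed = demo()
    print("scanner findings:", found)
    print("auditor changes:", changed)
```

    Run it directly to see the scanner report the dropper (by byte pattern) and sample.bin (by checksum), and the auditor report the appended executable, the new DLL and the deleted file. The auditor needs no knowledge of the malware at all: it flags clean.exe purely because its hash changed, which is why this class of tool is close to a host IDS, and also why it cannot say what the change was.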

    Antiviruses can also be divided into:

    Products for home users:

    · antiviruses proper;

    · combined products (for example, antispam, a firewall, anti-rootkit tools, etc. added to the classic antivirus);

    Corporate Products:

    · Server antiviruses;

    · Antiviruses on workstations (“endpoint”).

    Modern antivirus products and their main functional features

    BitDefender Antivirus Plus v10

    Main functional features:

    · Heuristics in Virtual Environment: a virtual machine emulator in which potentially dangerous objects are run and examined with heuristic algorithms;

    · automatic checking of mail received via POP3, with support for the most popular mail clients (MS Exchange, MS Outlook, MS Outlook Express, Netscape, Eudora, Lotus Notes, Pegasus, The Bat and others);

    · protection against viruses spreading through peer-to-peer file-sharing networks;

    · a personal spam list for the user.

    Minimum system requirements: Intel Pentium II 350 MHz processor, 128 MB RAM, 60 MB free hard disk space, Windows 98/NT/Me/2000/XP.

    Eset NOD32 2.5

    Main functional features:

    · heuristic analysis to detect unknown threats;

    · ThreatSense technology: file analysis that detects viruses, spyware, unsolicited advertising (adware), phishing attacks and other threats;

    · scanning and disinfection of files that are locked for writing (for example, DLLs protected by the Windows security system);

    · scanning of HTTP, POP3 and SMTP traffic.

    Minimum system requirements: Intel Pentium processor, 32 MB RAM, 30 MB free hard disk space, Windows 95/98/NT/Me/2000/XP.

    Kaspersky Anti-Virus 6.0

    Main functional features:

    · traffic checking at the POP3, IMAP and NNTP protocol level for incoming messages and SMTP for outgoing messages, special plugins for Microsoft Outlook, Microsoft Outlook Express and The Bat!;

    · warning the user when changes are detected in normal processes, and when hidden, dangerous or suspicious processes are found;

    · control of changes made to the system registry;

    · blocking dangerous Visual Basic for Applications macros in Microsoft Office documents.

    Minimum system requirements: Intel Pentium 133 MHz processor, 32 MB RAM, 50 MB free hard disk space, Microsoft Windows 98/NT/2000/Me/XP.

    McAfee VirusScan Pro 10 (2006)

    Main functional features:

    · protection against viruses, macro viruses, Trojans, Internet worms, spyware, adware, and malicious ActiveX controls and Java applets;

    · automatic checking of incoming (POP3) and outgoing (SMTP) email;

    · ScriptStopper and WormStopper technologies that block malicious script and worm activity.

    Minimum system requirements: Intel Pentium 133 MHz processor, 64 MB RAM, 40 MB free hard disk space, Windows 98/Me/2000/XP.

    Dr. Web 4.33a

    Main functional features:

    · protection against worms, viruses, Trojans, polymorphic viruses, macro viruses, spyware, dialers, adware, hacker utilities and malicious scripts;

    · antivirus database updates several times per hour, each update no larger than 15 KB;

    · scanning of system memory, which detects viruses that do not exist as files on disk (for example, CodeRed or Slammer);

    · a heuristic analyzer that can neutralize unknown threats before the corresponding virus database updates are released.

    Minimum system requirements: Windows 95/98/NT/Me/2000/XP; the hardware requirements are those of the operating system itself.

    Conclusion

    If you have never encountered computer viruses, you certainly will. There was a time when antivirus software was only just appearing while viruses were already in full swing, causing millions of dollars in losses every day. Today viruses can still make life unbearable, but in most cases even an average user can clean malware off a PC. Only a few years ago you had to format the hard drive completely and start over, and even that did not always give the desired result.

    Remember: to protect your computer you need an installed and up-to-date antivirus program. Do not fall for scammers' tricks, ignore spam, and be careful when installing unlicensed programs on your PC.


    Types of malware

    Malware is the term for any software specifically designed to damage an individual computer or a computer network. Let's look at the main types of malware.

    Computer virus: a program capable of creating copies of itself (not necessarily identical to the original) and inserting them into files and system areas of the computer, as well as performing other destructive actions. The copies retain the ability to spread further.

    Logic bomb: a program, or a piece of code within a program, that performs a certain function when a certain condition is met, for example when a given date arrives. When a logic bomb "explodes" it performs a function the user does not want, such as deleting data.

    Trojan horse: a program that, in addition to its main functions, performs additional actions not described in its documentation. A Trojan horse is an extra block of commands inserted in some way into an originally harmless program. It usually acts with the privileges of one user but in the interests of another (the attacker).

    Worm (network worm): a type of malware that spreads over a computer network, is capable of overcoming security systems, creates and distributes copies of itself, and performs other malicious actions. The best protection is caution when using the Internet.

    Password grabber: a program written specifically to steal passwords. One scenario is as follows: the program displays a message that the session has ended and then prompts for a login and password to enter the system; whatever the user types is sent to the owner of the program. To counter this threat, before entering the requested data make sure that you are typing your name and password into the real system login program and not into something else.

    Keylogger: software or hardware whose main purpose is to covertly monitor keystrokes and keep a log of them. A keylogger does no harm to the system itself, but it can be very dangerous for the user: it captures passwords and other confidential information typed on the keyboard, so the attacker learns codes and account numbers for electronic payment systems, logins and passwords for e-mail, and so on. Most antivirus programs recognize well-known keyloggers, and protection against them is no different from protection against any other malware.

    A condition that facilitates many kinds of information security threats is the presence of "trapdoors" (also called hatches or backdoors) in program code. A trapdoor is a way of working with a software product that is not described in its documentation. Through it the user gains access to capabilities and data that would normally be closed to him (in particular, to privileged mode). Trapdoors are most often the result of developer forgetfulness: for example, a temporary mechanism for direct access to parts of the program, created to simplify debugging and not removed afterwards, can serve as one. There is only one defense against trapdoors: to prevent them from appearing in the program in the first place.

    There is a class of programs that were originally written to destroy data on someone else's computer, steal someone else's information, make unauthorized use of someone else's resources, and so on, or that acquired such properties for some reason. Such programs carry a malicious payload and are accordingly called malware.

    Malware is a program that causes harm to the computer on which it runs or to other computers on the network.

    2.1 Viruses

    The term "computer virus" appeared later; its author is officially considered to be Fred Cohen of Lehigh University (USA), who presented it in 1984 at the seventh conference on information security. The main feature of a computer virus is its ability to self-replicate.

    Computer virus is a program capable of creating its own duplicates (not necessarily identical to the original) and introducing them into computer networks and/or files, system areas of the computer and other executable objects. At the same time, duplicates retain the ability to further spread.

    Conventionally, the life cycle of any computer virus can be divided into five stages:

      Penetration into someone else's computer

      Activation

      Search for objects to infect

      Preparing copies

      Embedding copies

    A virus can arrive via removable media or network connections: in fact, via any channel through which a file can be copied. Unlike worms, however, viruses do not propagate over the network on their own; infection occurs only if the user activates the virus in some way, for example by copying or receiving an infected file by e-mail and then launching or simply opening it.

    After penetration comes activation. This can happen in several ways, and viruses are divided into types according to the method used. The classification is given in Table 1:

    Table 1 - Types of computer viruses

    · Boot viruses: infect the boot sectors of hard drives and removable media.

    · File viruses:

      - Classic file viruses: inject themselves into executable files in various ways (insert their code into them or overwrite them completely), create duplicate files or copies of themselves in various directories of the hard drive, or exploit peculiarities of the file system organization.

      - Macro viruses: written in the internal macro language of an application. The vast majority of macro viruses target the macros of the Microsoft Word text editor.

      - Script viruses: written as scripts for a particular command shell, for example .bat files for DOS, or VBS and JS scripts for Windows Scripting Host (WSH).

    A further difference between viruses and other malware is that each virus is strictly tied to the operating system or application for which it was written: a Microsoft Windows virus will not run or infect files on a computer running another operating system such as Unix, and a macro virus for Microsoft Word 2003 will most likely not work in Microsoft Excel 97.

    When preparing their copies, viruses can use the following technologies to camouflage themselves from antiviruses:

      Encryption: the virus consists of two parts, the virus body, which is stored encrypted, and the encryptor/decryptor routine that restores it before execution.

      Metamorphism: copies are created by replacing instructions with equivalent ones, rearranging parts of the code, and inserting additional instructions between them that usually do nothing.

    Accordingly, viruses are divided into encrypted, metamorphic, and polymorphic, the last combining both kinds of camouflage.

    The main goals of any computer virus are to spread to other computer resources and to perform special actions upon certain events or user actions (for example, on the 26th of every even month, or when the computer reboots). These special actions are often malicious.
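    The following Python script is an added illustration (not code from the page) of why the camouflage techniques above matter to a signature scanner. It builds encrypted copies of a constructed, harmless "virus body" behind a toy single-byte XOR decryptor and runs three detectors over them: a plain signature search, a search for the constant decryptor stub, and an "X-ray" check that tries every possible key, which stands in for the emulation a heuristic analyzer performs. The body, signature, stub marker and junk bytes are all constructed for the example.

```python
from __future__ import annotations

import os
from typing import Optional

# Everything below is constructed for the example; the "virus body" is an
# inert byte string that merely contains a pattern a scanner would look for.
BODY = b"HYPOTHETICAL-VIRUS-BODY: find *.exe, append self, trigger on the 26th"
SIGNATURE = b"HYPOTHETICAL-VIRUS-BODY"    # what a classic signature scanner searches for
STUB_MARK = b"XOR-DECRYPT-STUB"           # constant decryptor of a plain encrypted virus
JUNK = b"\x90\x0f\x1f\x40"                # do-nothing bytes a polymorphic engine sprinkles in


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the toy cipher the decryptor stub would run."""
    return bytes(b ^ key for b in data)


def polymorphic_stub() -> bytes:
    """Rewrite the decryptor each generation by interleaving 1-3 junk bytes
    after every stub byte, so no two copies share a contiguous stub signature."""
    out = bytearray()
    for b in STUB_MARK:
        out.append(b)
        out += bytes(JUNK[r % len(JUNK)] for r in os.urandom(1 + os.urandom(1)[0] % 3))
    return bytes(out)


def make_copy(polymorphic: bool, key: Optional[int] = None) -> bytes:
    """Produce one copy laid out as [decryptor stub][key byte][xor(body, key)]."""
    if key is None:
        key = 1 + os.urandom(1)[0] % 255   # 1..255; key 0 would leave the body in clear
    stub = polymorphic_stub() if polymorphic else STUB_MARK
    return stub + bytes([key]) + xor(BODY, key)


def plain_scan(sample: bytes) -> bool:
    """Classic scanner: look for the body's signature as stored on disk."""
    return SIGNATURE in sample


def stub_scan(sample: bytes) -> bool:
    """Scanner that instead signatures the constant decryptor stub."""
    return STUB_MARK in sample


def xray_scan(sample: bytes) -> bool:
    """'X-ray' the sample: try every single-byte key and look for the signature
    in the result (key 0 covers an unencrypted body). This stands in for the
    emulation a heuristic analyzer performs to let the real stub decrypt itself."""
    return any(SIGNATURE in xor(sample, k) for k in range(256))


def demo() -> dict:
    """Verdicts of the three detectors on a plain, an encrypted and a polymorphic copy."""
    samples = {
        "plain body": BODY,
        "encrypted copy": make_copy(polymorphic=False),
        "polymorphic copy": make_copy(polymorphic=True),
    }
    return {name: {"signature": plain_scan(s),
                   "stub signature": stub_scan(s),
                   "x-ray": xray_scan(s)}
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:17s} {verdicts}")
```

    A plain encrypted copy still has a constant decryptor, so the stub signature catches it. Once the stub itself changes with every generation (the polymorphic case) only the key-recovery approach survives, which is why heuristic analyzers emulate the decryptor rather than pattern-match it; the brute-force loop works here only because the toy cipher has 256 keys.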

    Two major threats to online users are malware and phishing. "Malware" is the general name for programs designed to alter or damage data, software or computer hardware. There are several types of malware: viruses, worms and Trojans.

    However, as malware has evolved from the showpieces of individual programmers into sophisticated tools developed by organized crime groups, the lines between the categories have begun to blur.

    Viruses

    The best known type of malware is the virus, and although many malicious programs are called viruses, most of them have nothing in common with real viruses.

    A virus is a program written to insert copies of itself into applications, data and critical parts of a computer's hard drive. Viruses are self-replicating programs; they date back to the early 1970s, but became widely known only with the spread of microcomputers and the Internet.

    Viruses embed themselves in specific applications on a computer and run the first time the program is launched. At that point the virus may copy itself onto the hard drive and keep running, or it may run every time the application is launched. The first viruses travelled on floppy disks and spread quickly, infecting the data disks used in many offices or travelling in pirated programs and games passed from hand to hand. These days viruses travel on other devices, such as flash cards, or spread over Internet connections.

    Although some viruses are not designed to cause damage, most are written to harm users by corrupting their data, attacking the operating system, or opening exploitable backdoors that give hackers access to the computer. Even when no damage is intended, viruses consume memory and disk space and reduce the computer's performance.

    Worms

    Another type of self-replicating malware is the worm. Like viruses, worms are designed to create copies of themselves, but unlike viruses they are stand-alone programs.

    Worms spread through network connections, landing on uninfected computers and then using their resources to send even more copies across the network.

    There are four stages in a worm attack:

    1. In the first stage the worm probes other computers, looking for vulnerabilities through which it can inject copies of itself.
    2. Next it breaks into a vulnerable computer by exploiting those vulnerabilities; for example, a worm may find an open network service through which it can gain remote access to the machine and execute its own instructions.
    3. In the third stage the worm copies itself onto the remote computer and stores itself there; this is often called the "persistence" stage.
    4. In the final stage the worm replicates itself again, choosing new computers to probe.

    Worms were invented out of curiosity and were proposed as a way to test networks or to distribute program patches across a network, but their disadvantages far outweigh their advantages: even the most benign worm consumes resources and can affect a computer system's performance.
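    As an added example (not part of the Open University material), here is the detection side of the first stage: a Python routine that reads firewall log lines and flags any source host that contacts an unusually large number of distinct destinations on the same port within a short window, which is what a worm's probing looks like from the network. The log format, addresses and thresholds are constructed assumptions for the example; a busy legitimate client and a very slow sweep are included to show what the rule deliberately ignores.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log format for the example: one connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]}


def detect_scanners(lines, window: timedelta = timedelta(seconds=60),
                    threshold: int = 20) -> dict:
    """Flag (src, dport) pairs that reach >= threshold distinct destinations
    inside a sliding time window. One alert per pair, raised the moment the
    threshold is first crossed."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)          # (src, dport) -> deque of (ts, dst), oldest first
    alerts = {}
    for e in events:
        key = (e["src"], e["dport"])
        q = recent[key]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:   # expire entries outside the window
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and key not in alerts:
            alerts[key] = {"first_seen": q[0][0].isoformat(),
                           "alerted_at": e["ts"].isoformat(),
                           "distinct_targets": len(targets)}
    return alerts


def constructed_log() -> list:
    """Sample log lines, constructed for the example."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # A worm-like host sweeps 10.0.1.1-10.0.1.30 on TCP/445 within 30 s.
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} src=10.0.0.5 dst=10.0.1.{i + 1} dport=445 action=DROP")
    # A busy but legitimate client: 40 connections, all to one file server.
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} src=10.0.0.7 dst=10.0.2.10 dport=445 action=ALLOW")
    # A slow sweep: 30 hosts over five hours never has 20 inside one 60 s window.
    for i in range(30):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} src=10.0.0.9 dst=10.0.3.{i + 1} dport=445 action=DROP")
    lines.append("this line is corrupt and must be skipped")
    return lines


if __name__ == "__main__":
    for (src, port), info in detect_scanners(constructed_log()).items():
        print(f"possible scan from {src} on port {port}: {info}")
```

    Counting distinct destinations rather than raw connections is what keeps the file-server client out of the alert list, and the sliding window is what keeps the slow sweep out; widen the window and the slow sweep is flagged too, at the cost of more noise from ordinary hosts.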

    Trojans

    The last main type of malware is the Trojan (or Trojan horse), named after the wooden horse in which Greek soldiers were supposedly smuggled into the ancient city of Troy.

    A Trojan masquerades as a perfectly legitimate program (such as a screen saver) but secretly does harm: it lets someone take control of the computer, copies personal information, deletes data, monitors typing, or uses e-mail programs to send itself to other computers. Unlike viruses and worms, Trojans are not self-replicating; they rely on their apparent usefulness to spread between computers.

    Some Trojans work in isolation, but others use the network to transmit stolen information, such as passwords, bank account details or credit card numbers, or act as backdoors into compromised computers, letting attackers bypass the operating system's security features and gain access to data, or even control of the computer, over the network.

    How does malware get onto your computer?

    Malware can get onto your computer through many different mechanisms, most of which combine human and technical factors.

    For example, the malware's author may entice you to download it by putting a link in an e-mail or by attaching the program to one. Malware may also be bundled with an illegal copy of a standard program, and so end up on the computers of users who choose to use such copies instead of paying for the original.

    Based on materials from The Open University.