Malware (portmanteau for malicious software ) is software that is designed to cause damage to a computer, server, or computer network. Malware does damage after being planted or introduced in a certain way to the target computer and can take the form of executable code, scripts, active content, and other software. This code is described as computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware, among other terms. Malware has malicious intent, acts against the interests of computer users - and does not include software that causes unintentional damage due to certain flaws, which is usually a software bug.
Programs officially supplied by companies can be considered malware if they are secretly acting against the interests of computer users. For example, Sony sells the Sony rootkit, which contains Trojan horses embedded into CDs that are installed silently and hidden on buyers' computers with the aim of preventing unauthorized copying. It also reports user listening habits, and accidentally created vulnerabilities which are then exploited by unrelated malware.
One strategy to protect against malware is to prevent malware from gaining access to the target computer. For this reason, antivirus software, firewalls, and other strategies are used to help protect against the introduction of malware, in addition to checking for the presence of malware and malicious activity and recovering from attacks.
Video Malware
Tujuan
Many of the early infection programs, including the first Internet Worm, were written as experiments or jokes. Today, malware is used by black hat hackers and governments, to steal personal, financial, or business information.
Malware is sometimes used extensively against government or corporate websites to collect information that is maintained, or interfere with their general operations. However, malware can be used against individuals to obtain information such as personal identification numbers or details, bank or credit card numbers, and passwords.
Since the advent of broadband Internet access is widespread, malicious software is more often designed to benefit. Since 2003, most of the widespread viruses and worms have been designed to control the user's computer for illicit purposes. An infected "zombie computer" can be used to send spam emails, to host data such as child pornography, or engage in distributed denial-of-service attacks as a form of blackmail.
Programs designed to monitor a user's web browsing, display unwanted ads, or redirect affiliate marketing earnings are called spyware. Spyware programs do not spread like viruses; otherwise they are generally installed by exploiting security holes. They can also be hidden and packaged together with software that is not installed by the user.
Ransomware affects infected computer systems in several ways, and demands payment to bring it back to normal. For example, programs like CryptoLocker encrypt files securely, and only decrypt them with large sums of money.
Some malware is used to make money with click fraud, so it appears that a computer user has clicked an ad link on the site, generating payments from advertisers. It is estimated in 2012 that around 60 to 70% of all active malware use some kind of click fraud, and 22% of all ad clicks are fraudulent.
In addition to making criminal money, malware can be used for sabotage, often for political motives. Stuxnet, for example, is designed to disrupt highly specific industrial equipment. There are politically motivated attacks that have spread and shut down large computer networks, including massive deletion of files and corruption of master boot records, described as "computer killing". Such attacks are carried out at Sony Pictures Entertainment (November 25, 2014, using malware known as Shamoon or W32.Disttrack) and Saudi Aramco (August 2012).
Maps Malware
Malicious virus infection
The most famous type of malware, virus, and worms, known for its spread, and not a particular type of behavior. A computer virus is software that embeds itself in some other executable software (including the operating system itself) on the target system without the user's knowledge and consent and when run, the virus spreads to other executable files. On the other hand, worm is stand-alone malware software that active transmits itself over the network to infect other computers. This definition leads to the observation that the virus requires the user to run infected software or operating system for the virus to spread, while the worm spreads itself.
Hiding
These categories are not mutually exclusive, so malware can use several techniques. This section applies only to malware designed to operate undetected, not sabotage and ransomware.
Virus
Computer viruses are software that is usually hidden in other seemingly harmless programs that can generate copies of themselves and put them into other programs or files, and which usually perform malicious actions (such as destroying data). An example of this is PE infection, a technique, commonly used to spread malware, which inserts additional data or executable code into PE files.
Ransomware lock screen
Lock-screen, or screen lockers are a kind of "cyber police" ransomware that blocks screens on Windows or Android devices on false accusations of harvesting illegal content, trying to frighten victims into paying a fee. Jisut and SLocker affect Android devices more than any other lock screen, with Jisut making nearly 60 percent of all Android ranomware detectors.
Trojan horse
The Trojan horse is a malicious program that misrepresents itself to impersonate as an ordinary or tame program or utility to persuade victims to install it. Trojan horses usually carry hidden hidden functionality that is activated when the application starts. The term is derived from an Ancient Greek account of a Trojan horse used to attack the town of Troy in secret.
Trojan horses are generally propagated by some form of social engineering, for example, where a user is tricked into executing a disguised email attachment to be unprofitable, (for example, a routine form to be filled in), or with a drive-by download. Although the payload can be anything, many modern forms act as backdoor, contacting a controller who can then have unauthorized access to the affected computer. While Trojan horses and backdoors are not easily detected by themselves, the computer may seem to run slower due to heavy processor or network usage.
Unlike computer viruses and worms, Trojan horses in general do not try to inject themselves into other files or distribute them themselves.
In spring 2017 Mac users are hit by a new version of Proton Remote Access Trojan (RAT) that is trained to extract password data from various sources, such as browser auto-fill data, Mac-OS keychain, and password change.
Rootkits
Once the malicious software is installed on the system, it is important that it remains hidden, to avoid detection. The software package known as rootkit allows this concealment, by modifying the host operating system so malware is hidden from the user. Rootkits can prevent malicious processes from being seen in system process lists, or keep files unreadable.
Some types of malicious software contain routines to avoid identification and/or removal attempts, not just to hide themselves. An early example of this behavior is recorded in the Jargon File story of a pair of programs that infest the Xerox CP-V time share system:
- Every ghost job will detect the fact that the other has been killed, and will initiate a new copy of the program that has just been stopped within a few milliseconds. The only way to kill the two ghosts is to kill them simultaneously (very difficult) or accidentally hit the system.
Backdoors
Backdoor is a method of passing a normal authentication procedure, usually through a connection to a network such as the Internet. Once the system is compromised, one or more backdoors can be installed to allow future access, invisible to the user.
The idea is often suggested that computer manufacturers install a backdoor on their systems to provide technical support to customers, but this has never been verified reliably. It was reported in 2014 that US government agencies have transferred computers purchased by those deemed "targeted" to the secret garage where software or hardware that allows remote access by the agency is installed, is considered one of the most productive operations to gain access to networks around the World. Backdoors can be installed by Trojan horses, worms, implants, or other methods.
Evasion
Since the beginning of 2015, most malware uses a combination of many techniques designed to avoid detection and analysis.
- The most common avoidance technique is when malware avoids analysis and detection with environment fingerprints when executed.
- The second most common circumvention technique is to confuse the automatic tool detection method. This allows malware to avoid detection by technologies such as signature-based antivirus software by altering the servers used by malware.
- The third most common circumvention technique is time-based evasion. This is when malware runs at certain times or follows certain actions taken by the user, thus running during certain vulnerable periods, such as during the boot process, while remaining inactive for the rest of the time.
- The fourth most common circumvention technique is performed by obscuring internal data so that automated tools do not detect malware.
- An increasingly common technique is adware that uses stolen certificates to disable anti-malware and virus protection; Technical solutions are available to handle adware.
Today, one of the most sophisticated and hidden ways of circumvention is the use of information concealment techniques, stegomalware.
Vulnerability
- In this context, and throughout, the so-called attacked "system" can be anything from one application, through a computer and a complete operating system, to a large network.
- Various factors make the system more vulnerable to malware:
Security flaw in software
Malware exploits a security flaw (security bug or vulnerability) in the operating system design, in applications (such as browsers, such as versions of Microsoft Internet Explorer supported by Windows XP), or in vulnerable browser versions such as Adobe Flash Player, Adobe Acrobat or Reader, or Java SE. Sometimes even installing a new version of the plugin does not automatically delete the old version. Security suggestions from plug-in providers announce security-related updates. Common vulnerabilities are assigned a CVE ID and are registered with the US National Vulnerability Database. Secunia PSI is an example of software, free for personal use, which will check the PC for vulnerable software that expires, and try to update it.
Malware authors target bugs, or loopholes, to exploit. A common method is the exploitation of buffer overrun vulnerabilities, in which software designed to store data within a specific memory region does not prevent more data than the buffer can accommodate provided. Malware can provide buffer-rich data, with malicious code or executable data after the end; when this payload is accessed, it does what the attacker, not the legitimate software, determines.
Insecure design or user error
The initial PC must be booted from the floppy disk. When built-in hard drives become common, operating systems usually start from them, but it is possible to boot from other boot devices if available, such as floppy disks, CD-ROMs, DVD-ROMs, USB flash drives or networks. It is common to configure the computer to boot from one of these devices when available. Usually nothing is available; the user will intentionally insert, say, a CD into the optical drive to boot the computer in some special way, for example, to install the operating system. Even without booting, the computer can be configured to execute software on some media as soon as it is available, e.g. to autorun on a CD or USB device when inserted.
The malware distributor will trick users into booting or running from infected devices or media. For example, a virus can make an infected computer add an autorunized code to every USB stick plugged into it. Anyone who attaches a stick to another computer that is set to autorun from USB will in turn be infected, and also passes the infection in the same way. In general, any device connected to a USB port - even lights, fans, speakers, toys, or peripherals such as a digital microscope - can be used to spread malware. The device may become infected during manufacture or supply if quality control is inadequate.
This form of infection is largely avoidable by setting the computer by default to boot from the internal hard drive, if available, and not autorun from the device. Triggering boot from other devices is always possible by pressing certain keys during boot.
Older email software will automatically open HTML emails containing potentially harmful JavaScript code. Users can also execute dangerous malicious email attachments and infected executable files provided in other ways.
Overly special user and overly special code
In computing, privileges refer to how many users or programs are allowed to modify a system. In poorly designed computer systems, users and programs can be given more rights than they should, and malware can take advantage of this. Two ways that this malware is done through users who are too busy and too good code.
Some systems allow all users to modify their internal structure, and such users today will be regarded as overly privileged users. This is a standard operating procedure for early microcomputers and home computer systems, where there is no difference between the administrator or root , and the system's regular users. In some systems, non-administrator users are overly privileged by design, in the sense that they are allowed to modify the internal structure of the system. In some environments, users are overly privileged because they are not assigned an administrator or equivalent status.
Some systems allow the code executed by the user to access all those user rights, known as overly special codes. It is also a standard operating procedure for early microcomputers and home computer systems. Malware, running a code that is too special, can use this privilege to subvert the system. Almost all operating systems are currently popular, and also many scripting applications allow too much code privileges, usually in the sense that when a user executes a code, the system allows that code for all those user rights. This makes the user vulnerable to malware in the form of e-mail attachments, which may or may not be disguised.
Use the same operating system
- Homogeneity can be a vulnerability. For example, when all computers on the network run the same operating system, after exploiting one, one worm can exploit them all: Specifically, Microsoft Windows or Mac OS X has a large market share so that exploited vulnerabilities concentrating on the operating system can subvert a number big system. Introducing pure diversity for strength, such as adding a Linux computer, can increase short-term costs for training and maintenance. However, as long as all nodes are not part of the same directory service for authentication, having several different nodes can prevent the total shutdown of the network and allow the node to help recovery of infected nodes. Such separate functional redundancy can avoid total shutdown costs, with the cost of increasing complexity and reducing usability in terms of single sign-on authentication.
Anti-malware strategy
As malware attacks become more frequent, attention begins to shift from virus and spyware protection, to malware protection, and programs specifically developed to combat malware. (Other preventive and recovery measures, such as backup and recovery methods, are mentioned in computer virus articles).
Anti-virus and anti-malware software
Specific components of anti-virus and anti-malware software, commonly referred to as on-access or real-time scanners, hook deep into the core or operating system kernel and work in a manner similar to how the malware itself will attempt to operate, although with the permission of the user information to protect the system. Every time the operating system accesses the file, the scanner in access checks whether the file is a 'legitimate' file or not. If the file is identified as malware by the scanner, the access operation will be terminated, the file will be handled by the scanner in the predefined way (how the anti-virus program is configured during/post installation), and the user will be notified. This may have a considerable performance impact on the operating system, although the level of effect depends on how well the scanner is programmed. The goal is to stop any operation malware can perform on the system before it occurs, including activities that might exploit a bug or trigger unexpected operating system behavior.
An anti-malware program can combat malware in two ways:
- They can provide real-time protection against installing malware on your computer. This type of malware protection works in the same way as antivirus protection because anti-malware software scans all incoming network data for malware and blocks any threats.
- An anti-malware software program can only be used to detect and remove malware software that has been installed to the computer. This type of anti-malware software scans the contents of Windows registry, operating system files, and programs installed on the computer and will provide a list of any threats found, allowing users to select files to be deleted or stored, or to compare these lists to lists Known malware components, delete the matching files.
Real-time protection from malware works identically with real-time antivirus protection: the software scans disk files at download time, and blocks the activity of components known as malware. In some cases, this can also intercept attempts to install start-up items or modify browser settings. Because many malware components are installed as a result of browser exploits or user errors, using security software (some of which are anti-malware, though many are not) to a "sandbox" browser (basically isolating the browser from a computer and therefore malware whatever changes are induced) can also be effective in helping to limit the damage done.
Examples of Microsoft Windows antivirus and anti-malware software include optional Microsoft Security Essentials (for Windows XP, Vista, and Windows 7) for real-time protection, Windows Malicious Software Removal Tool (now included with Windows Update (Security) on "Patch Tuesday ", the second Tuesday of each month), and Windows Defender (an optional download in case of Windows XP, which combines MSE functions in Windows 8 and later). In addition, some antivirus software programs are available for download free from the Internet (usually limited for non-commercial use). The tests found some free programs to compete with commercial ones. Microsoft System File Checker can be used to check and repair damaged system files.
Some viruses disable System Restore and other important Windows tools like Task Manager and Command Prompt. Many such viruses can be removed by rebooting the computer, entering Windows safe mode with the network, and then using system tools or Microsoft Safety Scanner.
Hardware implants can be of any type, so there is no common way to detect them.
Website security scanning
Because malware also compromises compromised websites (by damaging reputation, blacklisting in search engines, etc.), Some websites offer vulnerability scans. The scan checks the website, detects malware, may log outdated software, and can report known security issues.
"Air gap" isolation or "Parallel Network"
As a last resort, computers can be protected from malware, and infected computers can be prevented from spreading reliable information, by applying "air gaps" (ie completely disconnecting them from all other networks). However, malware can still cross the air gap in some situations. For example, removable media can carry malware in the gap. In December 2013, researchers in Germany demonstrated one way that a clear air gap could be defeated.
"AirHopper", "BitWhisper", "GSMem" and "Fansmitter" are four techniques introduced by researchers who can leak data from gapped computers using electromagnetic, thermal and acoustic emissions.
Grayware
Grayware is a term applied to unwanted apps or files that are not classified as malware, but may aggravate computer performance and may pose a security risk.
This describes an app that behaves in a way that is both annoying or unwanted, but less serious or troublesome than malware. Grayware includes spyware, adware, cheaters, joke programs, remote access tools and other unwanted programs that can compromise computer performance or cause inconvenience. This term began to be used around 2004.
Other terms, potentially unwanted programs (PUPs) or potentially unwanted apps (PUAs), refer to apps that are deemed undesirable despite frequent downloads by users, possibly after failing to read the download agreement. PUP includes spyware, adware, and fraudulent dialers. Many security products classify unauthorized key makers as grayware, although they often carry real malware in addition to their real purpose.
Malwarebytes software maker lists several criteria to classify programs as PUP. Some types of adware (using stolen certificates) disable anti-malware and virus protection; technical solutions available.
History of viruses and worms
Before Internet access was widespread, viruses spread on personal computers by infecting bootable executable boot sector. By inserting a copy of itself into the machine code instructions inside this executable file, the virus causes itself to run whenever the program starts or the disk is booted. Early computer viruses were written for Apple II and Macintosh, but they became more widespread with the dominance of IBM's PC and MS-DOS systems. Viruses that can infect depend on users who exchange software or bootable floppy and thumb drive so that they spread rapidly among computer enthusiasts.
The first worm, a network-transmitted infection program, is not from a personal computer, but on a Unix multitask system. The first famous worm is the Internet Worm of 1988, which infects SunOS and VAX BSD systems. Unlike viruses, this worm does not incorporate itself into other programs. Instead, it exploits a security hole (vulnerability) in the network server program and starts running as a separate process. This same behavior is used by worms today as well.
With the advent of the Microsoft Windows platform in the 1990s, and the flexible macro of its application, it became possible to write infections codes in the Microsoft Word macro language and similar programs. This macro virus infects documents and templates rather than applications (executables), but relies on the fact that macros in Word documents are a form of executable code.
Academic research
The idea of ​​self-reproducing computer programs can be traced back to the early theory of complex automata operations. John von Neumann points out that in theory a program can reproduce itself. This is a plausible result in computability theory. Fred Cohen experimented with computer viruses and confirmed the Neumann postulate and investigated other malware traits such as detection and self-denial by using imperfect encryption. His doctoral dissertation is about computer viruses. The combination of cryptographic technology as part of the viral load, exploiting it for the purpose of attack was initialized and investigated since the mid-1990s, and included the idea of ​​ransomware and early evasion.
See also
References
External links
- Malicious Software in Curlie (based on DMOZ)
- Further Reading: Research and Document Paper on Malware at IDMARCH (Digital Media Int Archive))
- Advanced Malware Cleaners - Microsoft video
Source of the article : Wikipedia
0 Comments