Malware (Malicious Code) Full Guide (Viruses, Worms, etc.)
In this article, I'll be discussing a series of lessons on Cyber Security, with today's topic focusing on malicious code, which is also known as malware.
What is Malicious Code (Malware Definition)?
Malicious code, or malware, is software that is written for the purpose of intentionally causing some sort of unanticipated or undesirable effect.
Note that the terms malicious code, rogue program, and malware all refer to the same underlying concept, and I will hence use these terms interchangeably.
From a conceptual perspective, one of the most critical things to understand about malicious code is that it is only distinguished from other types of software programs by the intent of its developer.
If a developer writes a software program, with the goal of causing harm to other people or systems, or at least problems for other people or systems, then we can classify that software program as malicious.
Since the only conceptual difference between malicious software programs and non-malicious software programs is the intent of the developer, it's important to realize that malicious programs can do anything that a normal non-malicious program can do.
Just as with a normal non-malicious program, malicious software programs can access and use system resources and can alter both data and other programs residing on a system if that's what they've been designed to do.
Although many people have the impression that malicious code is a relatively new concept, researchers have in fact been aware of malware threats for many, many decades.
Virus behavior, for example, was described by Willis Ware as a threat to computing systems in his 1970 study for the Defense Science Board. Remarkably, many of the concerns and threats that were documented in this early report are still perfectly valid even today.
Many different types of software programs can be classified as malware, with some of the most common types of malware being viruses, worms, Trojan horses, zombie programs, logic bombs, time bombs, rabbits, trap doors, and script attacks.
Perhaps one of the most well-known types of malware is a virus.
What is a Virus?
In the context of information security, a virus is a hidden, self-replicating computer program that propagates itself by infecting other programs or system memory.
Note that viruses can be broadly classified into two groups: transient viruses and resident viruses.
Transient viruses are those viruses that are active only when their host programs are executing.
Resident viruses, by contrast, are those viruses that establish themselves in system memory and have the ability to remain active even after their host programs have been terminated.
We'll examine viruses more closely a bit later.
What are Worms?
Although a worm and a virus have many similarities, a malware worm is distinguished from a virus by its ability to propagate a complete working version of itself onto another machine or device by means of a network.
What is a Trojan Horse?
A Trojan horse is a computer program that appears to have a useful function, but which also has a hidden and malicious purpose.
Trojan horses are commonly able to evade security mechanisms by exploiting the legitimate authority of the user who runs the program.
Imagine, for example, that you downloaded a game app for your smartphone. When you launch the app, you're able to play the game. But unbeknownst to you, the app has secretly made a copy of all of the information in your contacts list and has transmitted that information to a remote server.
Aside from viruses, worms, and Trojan horses, several other types of malicious code exist as well.
What is a Zombie?
A zombie, for example, is a malicious program that is designed to allow a computer to be controlled remotely by a master machine.
Computers that have been turned into zombies are often used by malicious parties for purposes such as launching a distributed denial-of-service attack against a target organization or network.
What is a Logic Bomb?
A logic bomb is a type of malware program that is designed to activate itself when certain conditions are met.
One of the most popular types of logic bombs is called a time bomb, which is a logic bomb that activates at a specified date or time.
Time bombs can be used by malicious parties for purposes such as launching a distributed denial-of-service attack on a holiday or on the anniversary of some event.
What are Rabbits?
With respect to viruses and worms, a rabbit is a virus or worm that replicates itself without limit for the purpose of draining or exhausting system resources.
In the real world, rabbits are well known for their propensity to reproduce in large numbers. If a population of rabbits is constrained to an area with a limited supply of resources, eventually the rapidly growing number of rabbits will consume all of the available resources.
One of the characteristics of computer systems is that they also have limited resources. And I hope this example makes it clear why a virus or worm that replicates itself without limit is known as a rabbit.
What are Trap doors or Backdoors?
Trap doors, which are also known as backdoors, are hidden software mechanisms that are installed by a malicious party in order to gain surreptitious access to a computer system while avoiding or circumventing the system's security mechanisms.
What are Script attacks?
When a user loads a webpage, script attacks capitalize on browser vulnerabilities, or on weaknesses in the web's same-origin policy, in order to gain access to sensitive or private information. Script attacks are quite popular and have been found by recent research to account for at least 80% of the security vulnerabilities on the web.
There are, of course, many other varieties of malicious code, but the nine types of malware described previously provide a solid representative sample of current malicious-code-based threats.
Although many malware programs are indiscriminate, that is, they are not selective in the people or systems that they attack, it's important to realize that there are also many targeted malicious programs that have been written for a very specific purpose.
What is Targeted Malicious Code?
Targeted malicious code might be designed to attack a particular system, organization, application, or network, or to carry out a very specific malicious task.
An excellent example of targeted malicious code is the Stuxnet worm, which was specifically designed to infect the programmable logic controllers on the Siemens industrial control systems that were being used by the Iranian government in its efforts to enrich uranium.
A useful way of studying and classifying malicious software programs is to evaluate those programs from four different perspectives.
- First, we can consider the extent to which a malware program causes harm. We can accomplish this by determining how the program negatively impacts users or systems. With respect to harm, remember that malware programs often run with the full authority of the user, and if a user has high-level system access, malware programs can hence cause essentially unlimited harm to a system.
- Second, we can consider the way in which a malware program transmits or propagates itself. We can accomplish this by determining how the program replicates and spreads. Malicious programs can potentially transmit and propagate themselves in many different ways, including via files, downloads, documents, scripts, networks, and so forth.
- Third, we can consider the ways in which a malware program becomes active. We can accomplish this by determining how the program establishes itself and gains control of system resources. Many different activation vectors exist for malicious programs, and most of these exploit some sort of system vulnerability.
- Fourth, we can consider the stealth characteristics of a malware program by determining how the program hides itself to avoid detection. In order for a malicious program to survive, it must avoid being detected not only during the installation process but also while it is executing and while it is dormant or inactive. Further, once a malicious program has been detected, instances of the program must be removed faster than the program can propagate itself if we hope to cleanse the infection.
As promised, we will now take a closer look at how computer viruses work.
Recall that a virus is a hidden, self-replicating computer program that propagates by attaching itself to other programs. This means that the host program to which a virus is attached must be executed at least once in order for the virus to spread. Recall also that a certain type of virus, known as a resident virus, can establish itself in system memory and can remain active without its host.
For this reason, even a single execution of the host program can be sufficient to spread the virus widely.
Let's consider a few examples of virus propagation.
First, imagine that a virus is attached to a program installer file. A user will hence activate the virus when he or she runs the installer program. After being activated, the virus might install itself in all of the programs currently executing in the system's memory. From this point, the virus will spread further whenever any of the infected programs is executed.
As another example, imagine that a virus is contained in an attachment to an email message. In this case, the user might activate the virus simply by opening the attachment. From this point the virus can install itself and spread throughout the user's machine.
Classification of Viruses
Viruses can be classified into four different categories according to the ways in which they attach themselves to their host programs.
Appending viruses: an appending virus attaches itself either to the beginning or to the end of a host program's code.
Most often, appending viruses insert themselves into an executable host program in front of the first legitimate program instruction. In this way, the virus code will run whenever the program is executed.
Surrounding viruses: a surrounding virus attaches itself to its host program in such a way that it will execute both before and after the host program executes.
Developers of surrounding viruses often use this strategy in order to allow the virus to cover its tracks. That is, the component of the virus that runs after its host program has finished executing can be used to mask the presence of the virus.
Integrating viruses: an integrating virus incorporates itself into the middle of the host program's legitimate program instructions, thus defeating antivirus software that looks for virus signatures only at the beginning or end of an executable program file.
Replacing viruses: a replacing virus is designed to entirely replace the real, legitimate code of the infected program file.
The Perfect Virus...
From the perspective of someone wishing to design a virus, there are several highly desirable virus characteristics that the designer can seek to incorporate into his or her virus.
An ideal virus should be difficult to detect, not easy to destroy or deactivate, and should propagate itself widely and rapidly.
Further, an ideal virus should be able to reinfect programs that have previously been infected and should be machine and operating system independent.
With respect to the latter of these considerations, imagine how effective a virus would be if it had the capacity to infect any type of device, including smartphones, tablets, PCs, and servers, running any type of operating system, be it Windows, Mac OS, Linux, Unix, iOS, Android, or so forth.
Now that we know a bit about how computer viruses attach themselves to their host programs, we can consider the question of where a virus can be hidden.
Where to Hide a Virus?
- Viruses can be hidden in many places on a computer system, including the boot sector, the system's memory, application programs, library files, and many other widely shared files and programs. Arguably the best place for a virus to be hidden is in a machine's boot sector.
- A boot sector is a region of a storage device that contains program code which allows a computer to load its operating system. When a computer is powered on, the BIOS loads the program code from the boot sector into the computer's memory. The computer then executes this program code in order to initialize its operating system and complete the boot-up process.
- Since virus-detection programs are application programs, the operating system must be running before a virus-detection program can run. By hiding a virus in the computer's boot sector, then, the virus may be able to avoid detection, since it will have been activated before any virus-detection program was activated.
- Another common place for viruses to be hidden is in system memory. On modern computing devices, it is common for hundreds of programs to be executed upon system startup.
- If any of these programs are infected with a virus, the virus might propagate by attaching itself to the other programs currently contained in the system's memory. In this way, even if the original host program is terminated, the virus will continue to be active. Operating system programs or common user programs are good targets for this type of virus, since such programs are likely to be activated often.
- In addition to hiding viruses in the boot sector or in system memory, viruses can also be hidden in application programs. There are certain applications that allow users to write and execute macros, and these macro-enabled applications have proven to be common targets for viruses, since clever virus developers have been able to exploit security flaws in those applications in order to propagate and run malicious code.
- Library files such as DLL files are also a common target for viruses because they are used by, or shared by, many different programs. When any of the programs that rely upon one of these shared library files is activated, the virus in the infected library file will also become active, thus allowing it to rapidly propagate. Other widely shared files and programs may also be good targets for a virus. It's possible, for example, for a virus to be hidden inside of a data set that is shared by many users, thus allowing the virus to spread quickly.
- Another interesting place to hide malicious code is inside digital images such as JPEG files. There is in fact an entire science, known as steganography, which examines how information can be concealed. Many methods and tools have been developed in recent years, which allow malicious code and other information to be secretly hidden inside common types of computer files. And these files are thus good targets for viruses.
- Finally, and amusingly, a good place to hide a virus might be inside of a disreputable virus detection program. Users who acquire and activate such a program in the hopes of preventing a viral infection may by doing so, actually cause their system to become infected.
Virus Signatures and their Patterns
In order to understand how viruses are detected, we first need to understand that viruses leave behind a unique signature, which can be defined by one or more patterns.
If a virus is to survive a hard reboot, that is a reboot in which the power to the computer is switched off and then switched back on, it must be stored somewhere on the computer's non-volatile storage device, such as a hard disk or a solid-state drive.
This creates a storage pattern for the virus. Further, a virus interacts with system resources in a particular way while the virus is running.
And these interactions create an execution pattern for the virus. Finally, a virus spreads or propagates itself in a particular way, thus creating a distribution pattern for the virus.
Virus scanning programs use one or more of these types of patterns in order to detect viruses. Such software programs may scan the system's memory, or its hard disks or solid-state drives, including the boot sector, in an effort to detect any virus activity on the machine. Additionally, virus scanners can use techniques such as file checksums in order to detect changes to important files.
Virus Scanning and Removing Programs...
When a virus scanning program finds a virus, it will typically try to remove it by extracting all of the pieces of the virus from its host programs and from the system's memory.
One of the major challenges faced by virus scanning programs is polymorphic viruses, which are designed to modify their signatures as they execute in order to avoid detection.
Note that hundreds of new viruses are typically identified every day, and as such a virus scanner and its database of virus signatures must be kept up to date in order to be effective.
Virus Removal and Post-infection Recovery
Fixing a system after it has been infected by a virus might be accomplished in a number of different ways, depending upon the virus and the nature of the damage that it has done to the system.
Ideally, we would want to disinfect the system by removing the virus from any infected programs without damaging the programs themselves. Unfortunately, this can only be accomplished if the virus code can be separated from the program code and if the virus did not corrupt the program.
If the virus cannot be separated from the program file, then the file must be permanently deleted. If one or more files is deleted by the virus itself or are deleted in the process of disinfecting the system, then restoring the system to its original state will require that we recover or replace all of the deleted files.
This emphasizes the need to maintain file backups, especially of important files. Without backup copies of the files that have been deleted either by the virus itself or as a consequence of the disinfection process, it will be extremely difficult to restore a system to its original state.
Identifying when a Digital Object has been Modified by Malware
Among the most important tools that we have available for identifying when a digital object has been modified by malware are error-detecting codes. There are several varieties of these error-detecting codes, including parity bits, checksums, and cryptographic checksums, which, when used properly, can help us to detect when a program or file has been surreptitiously altered by a malware program.
A parity bit, or check bit, is the simplest form of error-detecting code. The process involves appending a single bit of data, either a zero or a one, to a string of binary data in order to indicate whether the number of ones in the string is even or odd.
If the binary data in the string has been altered, there is a 50% chance that the parity bit will detect the modification. A checksum is a value that is computed by running a file through a hash function or a checksum algorithm.
Because the hash function or checksum algorithm will produce different values for different combinations of input data, the integrity of a file can be verified by computing the file's checksum and comparing the result to a known checksum value. If the two values differ, then we can be reasonably sure that the file has been modified.
The developers of malware are, of course, generally quite clever, and many of these clever developers have found ways of modifying programs or files, such that they generate the same checksum value as the unmodified program or file, thus making it appear as if the program or file has not been altered.
For this reason, a cryptographic hash function can be used to generate a checksum value that has an extremely low probability of being duplicated after a file has been modified. It is also important to note that, under certain circumstances, error-correcting codes can be used to restore programs or files that have been surreptitiously altered to their original state without requiring a clean, unmodified copy of the original object.
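As an added illustration (example code written for this page, not taken from the original article), the following Python compares the three error-detecting codes just described on a constructed configuration string: a single-bit change is caught by all three, while a two-byte change built to preserve the additive checksum (and, as it happens, the parity bit) is caught only by the cryptographic hash. It also estimates the parity bit's detection rate for random single-byte corruption.

```python
"""Integrity checks of increasing strength: parity bit, additive checksum,
and a cryptographic hash (SHA-256). All sample data below is constructed."""
import hashlib
import random


def parity_bit(data: bytes) -> int:
    """Even-parity check bit: 1 if the number of 1 bits in data is odd, else 0."""
    ones = sum(bin(b).count("1") for b in data)
    return ones & 1


def additive_checksum(data: bytes) -> int:
    """Toy non-cryptographic checksum: sum of all byte values modulo 256."""
    return sum(data) % 256


def sha256_hex(data: bytes) -> str:
    """Cryptographic checksum of the data."""
    return hashlib.sha256(data).hexdigest()


def baseline(data: bytes) -> dict:
    """Record the three reference values for a known-good object."""
    return {"parity": parity_bit(data),
            "checksum": additive_checksum(data),
            "sha256": sha256_hex(data)}


def detect_tampering(data: bytes, base: dict) -> dict:
    """Report, per check, whether `data` differs from the recorded baseline."""
    return {"parity": parity_bit(data) != base["parity"],
            "checksum": additive_checksum(data) != base["checksum"],
            "sha256": sha256_hex(data) != base["sha256"]}


def parity_detection_rate(data: bytes, trials: int, seed: int = 1) -> float:
    """Fraction of random single-byte corruptions the parity bit notices.
    Each trial replaces one byte with a different random value; about half
    of such changes flip an odd number of bits, matching the 50% figure."""
    rng = random.Random(seed)
    base = parity_bit(data)
    hits = 0
    for _ in range(trials):
        buf = bytearray(data)
        i = rng.randrange(len(buf))
        buf[i] = (buf[i] + rng.randrange(1, 256)) % 256  # always a new value
        hits += parity_bit(bytes(buf)) != base
    return hits / trials


# Constructed sample "configuration" and two tampered variants.
ORIGINAL = b"ALLOW=0;ADMIN=0"
# One bit flipped ('0' 0x30 -> '1' 0x31 at index 6).
SINGLE_FLIP = b"ALLOW=1;ADMIN=0"
# Index 14: '0' -> '1' (+1); index 6: '0' -> '/' (0x2f, -1). The byte sum is
# unchanged, and 1 + 5 = 6 bits flip in total, so the parity bit is unchanged too.
COMPENSATED = b"ALLOW=/;ADMIN=1"

if __name__ == "__main__":
    base = baseline(ORIGINAL)
    for name, sample in (("single flip", SINGLE_FLIP), ("compensated", COMPENSATED)):
        print(f"{name:12s} -> {detect_tampering(sample, base)}")
    print(f"parity detection rate: {parity_detection_rate(ORIGINAL, 2000):.3f}")
```

Only the SHA-256 line differs for the compensated variant, which is the point of the paragraph above: a baseline of cryptographic hashes, stored somewhere the malware cannot rewrite, is what an integrity check should compare against.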
Reducing Harm from Malware Infections
In addition to checking whether digital objects such as programs or files have been surreptitiously modified, there are also several mechanisms that can be used to reduce or contain the harm caused by a malware infection.
First among these is the principle of least privilege. This principle states that users should have access to the minimum number of digital objects and system capabilities necessary in order to perform the tasks that they need to perform.
A malware program that runs with the authority of a system administrator has the potential to cause much more harm than if the same malware program were run with the authority granted to a low-level user account.
Second among these mechanisms is the principle of complete mediation. This principle states that we should check whether a user is allowed to use a digital object each and every time access to the digital object is requested.
Finally, we have the mechanism of memory separation. When implemented properly, memory separation ensures that each user's digital objects are isolated in memory from other users' objects, thus preventing cross-contamination. It is important to realize that most single-user systems, such as home computers, laptops, tablets, and so forth, are not properly configured to capitalize on hierarchical code sensitivity and capability, since most people use a single user account on their personal computing devices, which has high-level administrative access to the system.
How to Be Secure from Malware?
Just as with other kinds of infection, adopting proper malware hygiene can help us to substantially improve our chances of avoiding a malware infection.
- It's good practice to use up-to-date anti-malware software that has been supplied by a trustworthy vendor.
- New or unknown software programs should always be tested on an isolated device if possible, especially if the software is to be used in an organizational environment.
- Users should be trained to recognize and open only safe attachments and data files.
- Users should be made aware that any website might be harmful, even if the website has been safe in the past.
- If restoration of the system becomes necessary, it's important to keep a recoverable system image in a safe place and to have backup copies of executable system files available.
Interesting facts about Malware
As food for thought in our consideration of malicious code, I would like to discuss some truths about malware.
- Malware can infect any platform.
- Malware programs can modify hidden and read-only files.
- Malware can appear anywhere in a system.
- Malware can spread anywhere where file or data sharing occurs.
- It is not possible for malware to remain in volatile memory after the power to a system has been completely switched off.
- It is possible for malware to infect the software that runs hardware devices.
- Malware can be malevolent, benign, or benevolent.
And happy hacking...