Cap5

Notas del editor

• #4: Viruses can be subdivided into six general classifications -- namely: boot viruses, file viruses, macro viruses, windows viruses, Script Viruses, and Java viruses cross-platform viruses.
• #5: There are so many types of Malware, but the most popular are Trojans, Worms, Jokes, Hacking tools and Virus Droppers
• #6: Por otro lado también vemos que la cantidad de virus se ha incrementado notablemente estos últimos años, y sobre todo aquellos virus macro que funcionan con las aplicaciones MS Office. Si analizamos la cantidad de virus existentes a lo largo de estos años, vamos a ver que desde que Internet se popularizó, los números han crecido abruptamente.
• #7: In the past 5 years, statistics show that virus medium have shifted from diskettes to E-mail and downloaded files.
• #8: Virus infections can be very expensive. Data and valuable time may be lost and sometimes even somebody’s job.
• #9: After enumerating the different types of Viruses and other Malware, let go into the details of each type. First on the list are Boot viruses. Boot sector viruses are those that infect the boot sector (or master boot record) on a computer system. They operate by overwriting or moving the original boot code and replacing it with infected boot code.
• #10: A clean computer system may be infected by a boot sector virus from an infected diskette or from a boot virus dropper program. A boot virus would usually infect the boot sector of floppy disks and the Master Boot Record (MBR) of hard disks. Note that infected non-bootable diskettes can still infect a computer system if used for booting up a computer.
• #11: The following are some of the symptoms recognizable if a computer system is infected with a boot virus. First, boot viruses usually reside in memory and they would often eat some of the available conventional memory. If the available conventional memory is a few kilobytes short of 640KB, then there is a likely chance that the system is infected with a boot virus. Second, since boot viruses will usually attempt to infect inserted diskettes in the computer system, occasional write-protect errors occur even when only reading floppy disks. Third, because a boot sector or MBR is limited to 512 bytes, boot viruses will sometimes hide part of themselves and maybe including the original boot sector unto other locations of the disk. These portions may sometimes be protected by marking them as bad sectors. Also, on other times, parts of the boot virus will be placed on infrequently used portions of the disk. When these portions are used or when the boot virus is not able to properly install itself, boot errors intermittently occur.
• #12: The following are some of the symptoms recognizable if a computer system is infected with a boot virus. First, boot viruses usually reside in memory and they would often eat some of the available conventional memory. If the available conventional memory is a few kilobytes short of 640KB, then there is a likely chance that the system is infected with a boot virus. Second, since boot viruses will usually attempt to infect inserted diskettes in the computer system, occasional write-protect errors occur even when only reading floppy disks. Third, because a boot sector or MBR is limited to 512 bytes, boot viruses will sometimes hide part of themselves and maybe including the original boot sector unto other locations of the disk. These portions may sometimes be protected by marking them as bad sectors. Also, on other times, parts of the boot virus will be placed on infrequently used portions of the disk. When these portions are used or when the boot virus is not able to properly install itself, boot errors intermittently occur.
• #13: The following are some of the symptoms recognizable if a computer system is infected with a boot virus. First, boot viruses usually reside in memory and they would often eat some of the available conventional memory. If the available conventional memory is a few kilobytes short of 640KB, then there is a likely chance that the system is infected with a boot virus. Second, since boot viruses will usually attempt to infect inserted diskettes in the computer system, occasional write-protect errors occur even when only reading floppy disks. Third, because a boot sector or MBR is limited to 512 bytes, boot viruses will sometimes hide part of themselves and maybe including the original boot sector unto other locations of the disk. These portions may sometimes be protected by marking them as bad sectors. Also, on other times, parts of the boot virus will be placed on infrequently used portions of the disk. When these portions are used or when the boot virus is not able to properly install itself, boot errors intermittently occur.
• #14: A Virus is a program which reproduces its own code by attaching itself to other programs in such a way that the virus code is executed when the infected program is executed. What basically happens is that the virus attaches a copy of itself usually at the bottom of the host program. Then the virus will save a copy of the original header and store it inside the virus body. This will now enable the virus to modify the header so that it could take control when the host is executed. This is usually a jump to the virus body when the program starts. After the virus executes, it passes control to the original host program and it does this by restoring the original header and returning control to the host program.
• #15: DOS file viruses may be attained from downloaded files or files from other users. If an infected file is executed in a computer system, it is allowed to infect other programs. DOS file viruses usually infect executable programs having the file extensions of .com and .exe.
• #16: In windows viruses, The virus usually modifies Header Information and then attaches itself as a new section of the Windows executable
• #17: Bubbleboy is the first virus that is able to propagate itself via e-mail, without having to open an attachment. It achieves this by exploiting security holes that exist in the treatment of ActiveX controls.
• #18: As with other viruses, there are some symptoms that are visible when a macro virus is inside a computer system. First, infected files increase in size. This may not be obvious because it is normal for documents to increase in size, especially if we are editing or updating them. Furthermore, the application will sometimes asks the user to save a document even when it was not modified. Note also that only templates could contain macro codes. Therefore, in a system infected by a macro virus, the file format when saving is Template instead of Document. If this happens and you have not placed any macro codes or your company is not using any macro codes in your documents, then your document are suspect to being infected with macro viruses.
• #20: Again, with MS Word97 documents, the same techniques apply. And if you are familiar with your standard documents, you should be able to determine if there is a new module in any of your documents. If an unusual module exists on your documents, it is possible that they are infected by a macro virus. Further inspection inside the module would indicate whether the document is indeed suspicious (I.e. it overrides AutoOpen, AutoNew, and/or AutoClose).
• #21: DFVIEW.EXE may be used for any MS office files, including MS Word documents, MS Excel spreadsheets, and MS Powerpoint presentations to check for possible macro virus infections. In using DFVIEW.EXE with a normal MS Word95 document, notice that there are no macro codes or the macro codes are that of user macros. On the other hand, using DFVIEW.EXE with an infected document shows that the macro codes are malicious and possibly destructive. Most macro viruses will override AutoOpen, AutoNew, and AutoClose.
• #22: To control the possible spread of macro viruses in your system, the macro virus protection should be enabled. This is available through the Tools menu, under options in the General settings of MS Office 95/97. For MS Office 2000, this is set by selecting medium or high security level through the Tools menu, under Macro in the Security settings. While macro virus protection is enabled or set to medium security, MS Office will prompt the user when macro codes are existing in a document, spreadsheet, or presentation. Choose disable execution of macros if you are not sure or if you are not aware of any macro codes in your documents. When high security is selected, macro codes are automatically disabled. Additionally, macro codes may be viewed by pressing Alt-F11 or choosing to view the macro in the Visual Basic Editor under the Tools|Macro menu item. If an unexpected macro is found, the suspect document may be infected with a macro virus.
• #23: For MS Excel macro viruses, when an infected Excel sheet is opened, it will usually create an Excel file containing the macro codes in the startup (XLSTART) directory. From there, the virus could then reproduce copies of itself unto other sheets accessed by MS Excel.
• #24: The same checking for MS Word95 applies for MS Excel95 in checking for possible macro virus infections using DFVIEW.EXE. Notice that infected files will usually contain several entries under the _VBA_PROJECT. If these modules will be checked, as with MS Word95 macro viruses, we would usually find either an AutoOpen, AutoNew, and/or AutoClose macro.
• #25: The most expensive virus cleanup of 1999 is the Melissa Virus. It has totalled to $80 million as a cleanup.
• #27: One of the more popular Windows virus is the CIH virus. Its actually the number one virus in terms of number of users infected.
• #28: Some email messages or web pages could contain malicious scripts. These malicious scripts would utilize the automatic scripting capabilities of some Web and Mail browsers. This enables them to replicate to other mail recipients or web page users.
• #29: Script Viruses may be embedded inside Mail Messages or Web Pages. Let ’ s first take the case for Scripts in Web Pages. To check if the web page contains any malicious codes, we could view its source and analyze it. All web pages will have their corresponding source code. An engineer should be able to discern whether the codes are malicious or not. To help in determining whether the script codes are malicious or not, familiarity with VBScript and JavaScript would be needed. If you are unsure, you could submit the sample to a virus doctor for verification.
• #31: Upon clicking the “Don’t touch this!” button t his hostile Java applet clogs your CPU to waste system resources by opening an infinite number of Windows just like in the screenshot. The only way to terminate it is by terminating the browser.
• #32: There are two types of Java Viruses. 99% of the Java Viruses found are Java Applets and are oftentimes merely annoying and not exactly destructive. The remaining Java Viruses are full Java Applications which are capable of doing virtually anything other executable programs can do. These viruses will infect *.class files.
• #33: To prevent JAVA viruses from inadvertently executing on your system, you could select a high security setting in the Internet Options of your web browser. These way, you will only be able to run JAVA code from trusted sites.
• #34: A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments. The difference between Trojans and Worms is that Trojans rely on users for their propagation while Worms take it on their own hands to spread copies of themselves. The difference between a worm and a virus is that a worm replicates itself in its entirety -- creating exact copies of itself without the need of a carrier program which a virus uses.
• #35: Another Malware that was wide spread last year was the Explorezip worm. It is fast spreading and is capable of truncating files to a size of 0 bytes.
• #36: A auto-spamming worm. First found in June 9th, 1999 When executed, it would access Microsoft Outlook, Outlook Express or Exchange , automatically replies and sends itself out to any incoming email message. The body of the email message may also contain the following text: Hi [Recipient Name]! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye
• #37: Net Hack tools are malicious codes that have the purpose of controlling computers remotely and to exploit some backdoors in some systems. This will usually allow a remote hacker to take control of virtually everything in the computer system. If there are any sensitive information in the system, they could easily be seen by the remote hacker and do with them whatever he wishes.
• #38: Once a remote user takes control of a system, virtually everything could be manipulated: including, but not limited to, the file system, the video system, the registry, other applications, the CDROM drive, passwords, and other possibly sensitive data. An example is the Netbus hacking tool which can do everything that is in the screen shot above.
• #39: Net Hack tools are malicious codes that have the purpose of controlling computers remotely and to exploit some backdoors in some systems. This will usually allow a remote hacker to take control of virtually everything in the computer system. If there are any sensitive information in the system, they could easily be seen by the remote hacker and do with them whatever he wishes.
• #40: One particular example is the JOKE_PUZZLE program which rearranges the screen and the user should solve the puzzle before he is allowed to continue his work. An inexperienced user who cannot solve the puzzle may reboot his computer and therefore lose any unsaved data.
• #46: [Leer la información utilizando sentencias más claras] La ecuación parece cerrar, cierto? Sin embargo vemos que no es tan sencillo como parece. Veamos algunos otros números...
• #47: El problema solía ser un problema básicamente de virus y algunos troyanos peligrosos. Pero luego se popularizaron los gusanos, que logran distribuirse a gran velocidad por todo el mundo. Y aparecieron muchos programas agentes, tipo BackOrifice y NetBus. Y ahora también tenemos reportes de nuevas amenazas como scripts de VB y códigos de Java y ActiveX. Y los hoax y el spam (mensajes de correo electrónico no deseados) también forman parte del entorno de los virus. [Explicar brevemente qué es un hoax] Para destacar en esta diapositiva podemos mencionar dos cosas. Una es que no podemos negar una eterna evolución de los virus para adaptarse a las nuevas tecnologías y tendencias. Y la otra es negar que el problema no este ya más relacionada con el “contenido”. De hecho vemos que ahora el problema no está más en el archivo adjunto independiente que me enviaban con un mensaje de texto. Ahora el problema puede estar con el script o rutina maliciosa que me envían en un mensaje haciendo publicidad que yo nunca solicité. Entonces el problema no es sólo un problema de virus, es también un problema de “contenido”.
• #48: Ahora, uds se podrían preguntar que es entonces el contenido realmente. Buena pregunta. Intentemos responderla. [Leer cuidadosamente las sentencias dando idea de que todo se fue complicando con el correr del tiempo]
• #49: Virus usually spread in four ways : 1.) When a user save an infected file in a diskette and then access it in another computer therefore infecting the computer with the virus. 2.) File sharing in a LAN environment. 3.) When a user execute an email attachment that contains virus. 4.) When downloading files from a website that contains malicious java applet or active x controls.