Malicious code, types and trends – part 1

- Computer viruses are parasitic programs that are able to replicate themselves, attach themselves to other executables on the computer, and perform some unwanted and often malicious actions. A virus is not able to spread itself to other computers on its own; some user action is needed for it to infect a new computer. Downloading and running software from untrusted sources, inserting a USB drive without scanning it first (remember to always disable the AutoRun feature for removable drives such as CD-ROMs and DVD-ROMs), or downloading and running email or IM attachments, even from people you know, can put you in the nasty situation of having an infected computer. Whenever you deal with these situations, and to prevent infections in general, scan before you run.

The best scanners, in my opinion, are multi-engine online scanners like virustotal.com or novirusthanks.org. Links to these scanners and many more are on the home page.

The three main features of a virus are:

- the replication mechanism searches for and finds other executable files on your computer, checks whether each file is already infected (it has a special mechanism for that), and if the file is clean, appends itself to the file. It can append to the front, middle or end of the executable file, thus changing the file size. This is also one reason why the number of newly created viruses has decreased in the last years: AntiViruses have a very simple mechanism for "checking and comparing" file sizes and checksums at different points in time, and a file that is bigger than it was at a previous date is a sign of infection.

A special category of viruses are "bacteria" viruses: they replicate themselves so quickly and in such numbers that the hard disk will very soon run out of free space.

- a trigger is designed to activate a task of the virus, such as displaying strange messages, deleting files, sending emails, beginning the replication process, or whatever else the programmer wrote into his malicious code. The trigger can be a certain date in the calendar (formerly known as time bombs), the time when some event occurs, the opening of a certain program, or other user actions. The trigger is very important for the spread of the virus, because once infected, the user will notice nothing strange on his computer and will continue to spread the virus without suspecting anything. Another reason for delaying the symptoms of infection is to let the virus hide its tracks: the user simply does not know when and how he got infected.

- the task or "payload" can range from inoffensive ones, like displaying joke messages, to deleting or editing important system files like the hosts file, deleting or editing registry entries, and sometimes making the computer unbootable.

Using polymorphic engines, viruses change their "virus signature" (their binary code) each time they infect a new computer, making it very difficult for AntiViruses to detect them using traditional "signature based" scanners.
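The size-and-checksum comparison described under the replication mechanism is worth seeing in working code, because it also answers the polymorphism problem: an integrity check does not care what the appended code looks like, only that a file no longer matches its recorded hash. The following is an added example, not code from the original post; it takes a baseline of every executable under a directory (size plus SHA-256), then reports files that were modified, grew, appeared or disappeared. The sample files and the "infection" it simulates are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """Size and SHA-256 of one file at the time the baseline was taken."""
    size: int
    sha256: str


def fingerprint(path):
    """Hash a file in chunks so large executables do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return FileRecord(size=os.path.getsize(path), sha256=digest.hexdigest())


def build_baseline(root, extensions=(".exe", ".dll", ".com")):
    """Record size and hash of every executable below root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Classify each file as modified, grown, added or removed since the baseline."""
    report = {"modified": [], "grown": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new.sha256 != old.sha256:
            report["modified"].append(rel)
            if new.size > old.size:          # the classic "file got bigger" sign
                report["grown"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    return {key: sorted(value) for key, value in report.items()}


def demo():
    """Constructed scenario: take a baseline, simulate an infection, compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)

        write("app.exe", b"MZ" + b"A" * 100)     # fake executables, constructed
        write("lib.dll", b"MZ" + b"B" * 50)
        write("notes.txt", b"not an executable")  # ignored by the extension filter
        baseline = build_baseline(root)

        # Simulated infection: one file grows (code appended), one file is
        # overwritten with different bytes of the same size, one new file drops.
        with open(os.path.join(root, "app.exe"), "ab") as fh:
            fh.write(b"X" * 40)
        write("lib.dll", b"MZ" + b"C" * 50)
        write("dropped.exe", b"MZ" + b"D" * 10)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:>8}: {files}")
```

The `lib.dll` case is the reason the hash is recorded alongside the size: a same-size overwrite is invisible to a size-only comparison but is caught by the checksum. In a real deployment the baseline would be stored somewhere the monitored machine cannot silently rewrite it.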

Macro viruses can attach themselves to the executable portion of spreadsheet and other documents, in AutoOpen, AutoClose, AutoExit or other file macros. Word processors are the most affected by these viruses, so to prevent infections, always perform an AntiVirus scan on documents received as email attachments or received by other means from other computers.
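A first triage step before opening a received Office document is to check whether it carries a macro project at all, and whether that project names one of the auto-executing procedures mentioned above. The following is an added example, not code from the original post. It treats a modern Office file as the zip container it is, looks for a `vbaProject.bin` part and the `application/vnd.ms-office.vbaProject` content type, and then does a raw byte search for auto-exec procedure names. The sample documents are constructed in memory; their `vbaProject.bin` is plain text, whereas a real one is a compound file with compressed source, so the name search is a heuristic and only the presence check is reliable on real files.

```python
import io
import zipfile

# Content type that marks the embedded VBA project in an OOXML document.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

# Procedure names Office runs automatically when a document is opened or closed.
AUTO_EXEC_NAMES = (
    b"AutoOpen", b"Auto_Open", b"AutoClose", b"Auto_Close", b"AutoExit",
    b"AutoExec", b"Document_Open", b"Workbook_Open",
)


def inspect_office_document(data):
    """Report whether an OOXML file carries a VBA project and auto-exec names."""
    result = {"is_ooxml": False, "has_vba": False, "vba_parts": [], "auto_names": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container, so not an OOXML document
    with archive:
        names = archive.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        content_types = archive.read("[Content_Types].xml")
        # Word keeps it under word/, Excel under xl/; match on the file name only.
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["vba_parts"] = vba_parts
        result["has_vba"] = bool(vba_parts) or VBA_CONTENT_TYPE in content_types
        # Heuristic only: real vbaProject.bin streams are compressed, so a raw
        # byte search can miss names; a full parser (e.g. olevba) decompresses them.
        found = set()
        for part in vba_parts:
            blob = archive.read(part)
            found.update(n.decode() for n in AUTO_EXEC_NAMES if n in blob)
        result["auto_names"] = sorted(found)
    return result


def build_sample(with_macro):
    """Constructed stand-in for a .docx/.docm; the macro stream is plain text."""
    if with_macro:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + overrides + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", content_types)
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed, uncompressed stand-in for a VBA module stream.
            archive.writestr(
                "word/vbaProject.bin",
                b'Attribute VB_Name = "ThisDocument"\nSub AutoOpen()\n    MsgBox "hello"\nEnd Sub\n',
            )
    return buf.getvalue()


if __name__ == "__main__":
    print("clean :", inspect_office_document(build_sample(False)))
    print("macro :", inspect_office_document(build_sample(True)))
```

A document that reports `has_vba` true is not necessarily malicious, but it is exactly the kind of attachment the paragraph above says to scan before opening, and an auto-exec name turning up in the list is a reason to escalate rather than double-click.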

- Computer worms are a special category of viruses with a very important feature added: they can spread themselves between computers without user interaction, exploiting network vulnerabilities or facilities such as network shares or remote file execution. Some experts recommend disabling the Windows Remote Assistance feature, seeing it as a possible vulnerability. Once a worm infects a computer, it looks for other computers connected to the network (LAN or Internet), continuing to search for possible victims.

- Trojans are malicious executable files masquerading as beneficial programs and tricking users into running their code. Very often they are embedded into other programs, such as setup or installer files, and shared on forums or blogs as pirated software (warez), so when the user runs the installer of a program, the trojan runs in parallel and infects the computer. A trojan is client-server software, and once it infects a computer, it gives the hacker it connects to full control over the computer.

The hacker can see screenshots of the victim's computer, can watch the webcam in real time, and can download and upload files or run other malware.

They are very trendy nowadays and deserve special attention, so a more detailed description of this type of malware will be given in part 2 of this article.

- Spyware is malicious code able to gather private data from an infected computer and send it to the hacker. The data can be passwords, credit card numbers, login credentials and other private data. Spyware accomplishes its mission using various mechanisms: decrypting passwords previously saved in web browsers, keyloggers, or screenshots. Users get infected by spyware in several ways: by downloading and running "fake antiviruses" or "registry cleaners", or by visiting malicious sites that exploit vulnerabilities in web browsers.

Clicking buttons on websites that claim they can scan the computer for "errors", or clicking buttons with "You won! Click here to claim your prize!" messages, are very often sources of spyware infections. For preventing infections, the most important thing is not the AntiVirus or AntiMalware installed, but the user's behaviour on the Internet. Don't be fooled by "too nice to be true" messages.

Sometimes, well-known companies spy on and track their customers, gathering information like visited websites, the software they use on their computers, and other information for marketing purposes, but there are obvious privacy issues here.

- Adware is related to advertising. It is installed on computers without the user's knowledge, using the same methods as spyware.

- Rootkits are very elaborate pieces of code that are able to hide their presence on a computer, or hide files, processes or registry entries. They hide from AntiViruses and from the operating system itself, acting much like a "part of the system". They can be used very effectively to hide the presence of spyware or a trojan installed on the system.

Posted in Thoughts.
