Jumat, 16 Januari 2009

Antivirus software

Antivirus software (or anti-virus) is computer software used to identify and remove computer viruses, as well as many other types of harmful computer software, collectively referred to as malware. While the first antivirus software was designed exclusively to combat computer viruses (hence "antivirus"), modern antivirus software can protect computer systems against a wide range of malware, including worms, phishing attacks, rootkits, and Trojans.

Contents

1 History

History

See also: Timeline of notable computer viruses and worms

There are competing claims for the innovator of the first antivirus product. Perhaps the first publicly-known neutralization of a wild PC virus was performed by Bernt Fix (also Bernd) in early 1987. Fix neutralized an infection of the Vienna virus.[1] [2] The first edition of Polish antivirus software mks_vir was released in 1987; the program was only available with a Polish interface. Autumn 1988 saw antivirus software Dr. Solomon's Anti-Virus Toolkit released by Briton Alan Solomon. Also in 1988 AIDSTEST and AntiVir were released. By December 1990, the market had matured to the point of nineteen separate antivirus products being on sale including Norton AntiVirus and VirusScan from McAfee.

Peter Tippett made a number of contributions to the budding field of virus detection.[citation needed] He was an emergency-room doctor who also ran a computer software company. He had read an article about the Lehigh virus and questioned whether they would have similar characteristics to biological viruses that attack organisms. From an epidemiological viewpoint, he was able to determine how these viruses were affecting systems within the computer (the boot-sector was affected by the Brain virus, the .com files were affected by the Lehigh virus, and both .com and .exe files were affected by the Jerusalem virus). Tippett’s company Certus International Corp. then began to create anti-virus software programs. The company was sold in 1992 to Symantec Corp, and Tippett went to work for them, incorporating the software he had developed into Symantec’s product, Norton AntiVirus.[citation needed]

Before Internet connectivity was widespread, viruses were typically spread by infected floppy disks; antivirus software started to be used, but was updated relatively infrequently. At that time it was said, correctly, that viruses could not be spread by the readable content of emails, although executable attachments were as risky as programs on floppy disks. Virus checkers essentially had to check executable files, and the boot sectors of floppy and hard disks. As Internet usage became common, initially by making a modem connection when desired, viruses spread through the Internet, facilitated by powerful macros in word processors such as Microsoft Word; hitherto "documents" could not spread infection, although programs could. Later email programs, in particular Microsoft Outlook Express and Outlook, became able to execute program code from within a message's text by simply reading the message, or even previewing its content. Virus checkers now had to check many more types of file. As broadband always-on connections became the norm and more and more viruses were released, it became essential to update virus checkers more and more frequently; even then, a new virus could spread widely before it was detected, identified, a checker update released, and virus checkers round the world updated.

A very uncommon use of the term "antivirus" is to apply it to benign viruses that spread and combated malicious viruses. This was common on the Amiga computer platform.[citation needed]

Identification methods

There are several methods which antivirus software can use to identify malware. Depending on the software, more than one method may be used.

Signature based detection is the most common method that antivirus software utilizes to identify malware. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.

Malicious activity detection is another way to identify malware. In this approach, antivirus software monitors the system for suspicious program behavior. If suspicious behavior is detected, the suspect program may be further investigated, using signature based detection or another method listed in this section. This type of detection can be used to identify unknown viruses

Heuristic-based detection is used by more advanced antivirus software. Like malicious activity detection, heuristics can be used to identify unknown viruses. This can be accomplished in one of two ways; file analysis and file emulation. File analysis is the process of searching a suspect file for virus-like instructions. For example, if a program has instructions to format the C drive, antivirus software might further investigate the file. One downside to this approach is that the computer may run slow if every file is analyzed. File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate actions.

Signature based detection

Signature based detection is the most common method that antivirus software uses to identify malware. This method is somewhat limited by the fact that it can only identify known viruses, unlike other methods.

When antivirus software scans a file for viruses, it checks the contents of a file against a dictionary of virus signatures. A virus signature is the viral code. So, saying you found a virus signature in a file is the same as saying you found the virus itself. If a virus signature is found in a file, the antivirus software can take action to remove the virus. Antivirus software will usually perform one or more of the following actions; quarantining, repairing, or deleting. Quarantining a file will make it inaccessible, and is usually the first action antivirus software will take if a malicious file is found. Encrypting the file is a good quarantining technique because it renders the file useless.

Sometimes a user wants to save the content of an infected file (because viruses can sometimes embed themselves in files, called injection.) To do this, antivirus software will attempt to repair the file. To do this, the software will try to remove the viral code from the file. Unfortunately, some viruses might damage the file upon injection, which means repairing will fail.

The third action antivirus software can take against a virus is deleting it. If a file repair operation files, usually the best thing to do is to just delete the file. Deleting the file is necessary if the entire file is a virus.

Because new viruses are being created each day, the signature based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company. There, the virus can be analyzed and the signature added to the dictionary.

Signature-based antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them. In this way it can detect a known virus immediately upon receipt. System administrators can schedule antivirus software to scan all files on the computer's hard disk at a set time and date.

Although the signature based approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.

An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this "default deny" approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since modern enterprise organizations have large quantities of trusted applications, the limitations of adopting this technique rests with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. Viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.

Suspicious behavior monitoring

The suspicious behavior approach, by contrast, does not attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user, and ask what to do.

Unlike the signature based approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users may become desensitized to the warnings. If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user. This problem has worsened since 1997[citation needed], since many more non-malicious program designs came to modify other .exe files without regard to this false positive issue.

Heuristics

Some more sophisticated antivirus software uses heuristic analysis to identify new malware. Two methods are used; file analysis and file emulation.

As described above, file analysis is the process by which antivirus software will analyze the instructions of a program. Based on the instructions, the software can determine whether or not the program is malicious. For example, if the file contains instructions to delete important system files, the file might be flagged as a virus. While this method is useful for identifying new viruses and variants, it can trigger many false alarms.

The second heuristic approach is file emulation. By the this approach, the target file is run in a virtual system environment, separate from the real system environment. The antivirus software would then log what actions the file takes in the virtual environment. If the actions are found to be damaging, the file will be marked a virus. But again, this method can trigger false alarms.

Virus removal tools

A virus removal tool is software for removing specific viruses from infected computers. Unlike complete antivirus scanners, they are usually not intended to detect and remove an extensive list of viruses; rather they are designed to remove specific viruses, usually more effectively than normal antivirus software. Examples of these tools include McAfee Stinger and the Microsoft Malicious Software Removal Tool (which is run automatically by Windows update). Many of these tools are available for free download.

These tools can sometimes do a better job of removing a specific virus than conventional antivirus software.

Issues of concern

Performance

Some antivirus software can considerably reduce performance. Users may disable the antivirus protection to overcome the performance loss, thus increasing the risk of infection. For maximum protection, the antivirus software needs to be enabled all the time — often at the cost of slower performance (see also software bloat).

Security

Antivirus programs can in themselves pose a security risk as they often run at the 'System' level of privileges and may hook the kernel - Both of these are necessary for the software to effectively do its job but it has a major downside. This can mean exploitation of the Antivirus program itself could lead to privilege escalation and create a severe security threat. Arguably, use of Antivirus software when compared to Principle of least privilege is largely ineffective when ramifications of the added software are taken into account.

When purchasing antivirus software, the agreement may include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription.[3] Norton Antivirus also renews subscriptions automatically by default. [4]

Some antivirus programs are actually spyware masquerading as antivirus software. It is best to double-check that the antivirus software which is being downloaded is actually a real antivirus program.[5]

Anti-virus manufacturers have been criticised for fear mongering by exaggerating the risk that virus pose to consumers.[6]

If an antivirus program is configured to immediately delete or quarantine infected files (or does this by default), false positives in essential files can render the operating system or some applications unusable.[7]

System related issues

It is important to note that one should not have more than one memory-resident antivirus software solution installed on a single computer at any given time. Otherwise, the computer may be crippled.[8] It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers.[9] Active antivirus protection may partially or completely prevent the installation of a major update.

Mobile devices

Viruses from the desktop and laptop world have either migrated to, or are assisted in their dispersal by mobile devices. Antivirus vendors are beginning to offer solutions for mobile handsets. These devices present significant challenges for antivirus software, such as processor constraints, memory constraints, and definitions and new signature updates to these mobile handsets.

Mobile handsets are now offered with a variety of interfaces and data connection capabilities. Consumers should carefully evaluate security products before deploying them on devices with a small form factor.

Solutions that are hardware-based, perhaps USB devices or SIM-based antivirus solutions, might work better in meeting the needs of mobile handset consumers. Technical evaluation and review on how deploying an antivirus solution on cellular mobile handsets should be considered as scanning process might impact other legitimate applications on the handheld.

SIM-based solutions with antivirus integrated on the small memory footprint might provide a basic solution to combat malware/viruses in protecting PIM and mobile user data. Solutions based on USB and Flash memory allow the user to swap and use these products with a range of hardware devices.

Effectiveness

Studies in December 2007 have shown that the effectiveness of Antivirus software is much reduced from what it was a few years ago, particularly against unknown or zero day threats. The German computer magazine c't found that detection rates for these threats had dropped to a frightening 20% to 30%, as compared to 40% to 50% only one year earlier. At that time only one product managed a detection rate above 50%.[10]

The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or popped-up screen messages. Modern viruses are often written by professionals, financed by criminal organizations.[11] It is not in their interests to make their viruses or crimeware evident, because their purpose is to create botnets or steal information for as long as possible without the user realizing this; consequently, they are often well-hidden. If an infected user has a less-than-effective antivirus product that says the computer is clean, then the virus may go undetected.

Traditional antivirus software solutions run virus scanners on schedule, on demand and some run scans in real time. If a virus or malware is located the suspect file is usually placed into a quarantine to terminate its chances of disrupting the system. Traditional antivirus solutions scan and compare against a publicised and regularly updated dictionary of malware otherwise known as a blacklist. Some antivirus solutions have additional options that employ an heuristicwhitelisting, this technology first checks if the file is trusted and only questioning those that are not.[12]wisdom of crowds, antivirus solutions backup other antivirus techniques by harnessing the intelligence and advice of a community of trusted users to protect each other. By providing these multiple layers of malware protection and combining them with other security software it is possible to have more effective protection from the latest zero day attack and the latest crimeware than previously was the case with just one layer of protection. engine which further examines the file to see if it is behaving in a similar manner to previous examples of malware. A new technology utilised by a few antivirus solutions is With the addition of

Alternatives to Antivirus software

Beside antivirus software, virus infection prevention can be achieved by other means such as implementing a network firewall, or utilizing system virtualization. However, only antivirus software is designed specifically to prevent from known virus infections.

Network Firewall

Network firewalls prevent unknown programs and Internet processes from having access to the system protected; they are not antivirus systems as such, and make no attempt to identify or remove anything, but protect against infection, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. Hence, it is designed to deal with broader system threats that come from network connections into the system.

System Virtualization

This method of prevention is done by virtualizing the working system. By doing so, the actual system prevents itself from being altered by any infection attempt made by viruses. In fact, it prevents from any alteration attempts to the whole system under virtualization. Such as the virtualization is, without any antivirus software the virtual system can still be infected and consequent damages or malicious actions the virus is meant to cause will still occur. But as soon as the system is shut down and restarted, all the changes and damages previously done to the virtual system will be reset. This way, the system is protected as well as the virus is removed. However, any damages to unprotected (or unvirtualized) data (usually another data drive/volume or data on the network connected to the system) will remain. So will the malicious effects it has caused such as data theft or the like.

See also

Notes

Diposting oleh di Tidak ada komentar:
Label:

Computer virus

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another when its host (some form of executable code) is taken to the target computer, for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer. [1][2]

Viruses are sometimes confused with computer worms and Trojan horses, which are technically different. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may cause harm to either a computer system's hosted data, functional performance, or networking throughput, when they are executed. Some viruses and other malware have symptoms noticeable to the computer user, but most are surreptitious. This makes it hard for the average user to notice, find and disable and is why specialist anti-virus programs are now commonplace.

Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, Instant Messaging and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware.

Contents

History

The Creeper virus was first detected on ARPANET, the forerunner of the Internet in the early 1970s.[3] It propagated via the TENEX operating system and could make use of any connected modem to dial out to remote computers and infect them. It would display the message "I'M THE CREEPER : CATCH ME IF YOU CAN.". It is possible that the Reaper program, which appeared shortly after and sought out copies of the Creeper and deleted them, may have been written by the creator of the Creeper in a fit of regret.[3]

A common misconception is that a program called "Rother J" was the first computer virus to appear "in the wild" — that is, outside the single computer or lab where it was created, but that claim is false. See the Timeline of notable computer viruses and worms for other earlier viruses. It was, however, the first virus to infect computers "in the home". Written in 1982 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk.[4] This virus was originally a joke, created by a high school student and put onto a game on floppy disk. On its 50th use the Elk Cloner virus would be activated, infecting the computer and displaying a short poem beginning "Elk Cloner: The program with a personality".

The first PC virus in the wild was a boot sector virus called (c)Brain[5], created in 1986 by the Farooq Alvi Brothers, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the virus.[original research?]

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk, usually inadvertently. PCs of the era would attempt to boot first from a floppy if one had been left in the drive. This was the most successful infection strategy until floppy disks fell from favour and boot sector viruses were the most common in the wild for many years.[6].

Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS and modem use, and software sharing. Bulletin board driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBS's.[citation needed] Within the "pirate scene" of hobbyists trading illicit copies of retail software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.[original research?]

Since the mid-1990s, macro viruses have become common. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel and spread throughout Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most could also spread onto Macintosh computers as well. Although the majority of these viruses did not have the ability to send infected e-mail, those viruses which did took advantage of the Microsoft Outlook COM interface.[citation needed]

Macro viruses pose unique problems for detection software[citation needed]. For example, some versions of Microsoft Word allowed macros to replicate themselves with additional blank lines. The virus behaved identically but would be misidentified as a new virus. Additionally, if two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents".[7]

A virus may also send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.

The newest species of the virus family is the cross-site scripting virus.[citation needed] The virus emerged from research and was academically demonstrated in 2005.[8] This virus utilizes cross-site scripting vulnerabilities to propagate. Since 2005 there have been multiple instances of the cross-site scripting viruses in the wild, most notable sites affected have been MySpaceYahoo. and

Infection strategies

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus' code may be executed first. Viruses can be divided into two types, on the basis of their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.

Nonresident viruses

Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.[9]

Resident viruses

Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can be called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach does not seem very successful, however.

Vectors and hosts

Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:

PDFs, like HTML, may link to malicious code.[citation needed]

In operating systems that use file extensions to determine program associations (such as Microsoft Windows), the extensions may be hidden from the user by default. This makes it possible to create a file that is of a different type than it appears to the user. For example, a executable may be created named "picture.png.exe", in which the user sees only "picture.png" and therefore assumes that this file is an image and most likely is safe.

Methods to avoid detection

In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however, especially those which maintain and date Cyclic redundancy checks on file changes.

Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.

Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.

As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.

Avoiding bait files and other undesirable hosts

A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:

  • Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file, than to exchange a large application program that has been infected by the virus.
  • Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
  • Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.

A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.

Stealth

Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.

Self-modification

Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.

Encryption with a variable key

A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but that probably isn't required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.

An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation had only to be repeated for decryption. It is suspicious code that modifies itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.

Polymorphic code

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate.[10]

Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.

Metamorphic code

To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of which is part of the metamorphic engine.[11][12]

Vulnerability and countermeasures

The vulnerability of operating systems to viruses

Just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses.

This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office suites. The users of Microsoft software (especially networking software such as Microsoft Outlook and Internet Explorer) are especially vulnerable to the spread of viruses. Microsoft software is targeted by virus writers due to their desktop dominance, and is often criticized for including many errors and holes for virus writers to exploit. Integrated and non-integrated Microsoft applications (such as Microsoft Office) and applications with scripting languages with access to the file system (for example Visual Basic Script (VBS), and applications with networking features) are also particularly vulnerable.

Although Windows is by far the most popular operating system for virus writers, some viruses also exist on other platforms. Any operating system that allows third-party programs to run can theoretically run viruses. Some operating systems are less secure than others. Unix-based OS's (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their own protected memory space.

An Internet based research revealed that there were cases when people willingly pressed a particular button to download a virus. Security analyst Didier Stevens ran a half year advertising campaign on Google AdWords which said "Is your PC virus-free? Get it infected here!". The result was 409 clicks.[13][14]

As of 2006, there are relatively few security exploits[15] targeting Mac OS X (with a Unix-based file system and kernel). The number of viruses for the older Apple operating systems, known as Mac OS Classic, varies greatly from source to source, with Apple stating that there are only four known viruses, and independent sources stating there are as many as 63 viruses. It is safe to say that Macs are less likely to be targeted because of low market share and thus a Mac-specific virus could only infect a small proportion of computers (making the effort less desirable). Virus vulnerability between Macs and Windows is a chief selling point, one that Apple uses in their Get a Mac advertising.[16]

Windows and Unix have similar scripting abilities, but while Unix natively blocks normal users from having access to make changes to the operating system environment, older copies of Windows such as Windows 95 and 98 do not. In 1997, when a virus for Linux was released – known as "Bliss" – leading antivirus vendors issued warnings that Unix-like systems could fall prey to viruses just like Windows.[17] The Bliss virus may be considered characteristic of viruses – as opposed to worms – on Unix systems. Bliss requires that the user run it explicitly (so it is a trojan), and it can only infect programs that the user has the access to modify. Unlike Windows users, most Unix users do not log in as an administrator user except to install or configure software; as a result, even if a user ran the virus, it could not harm their operating system. The Bliss virus never became widespread, and remains chiefly a research curiosity. Its creator later posted the source code to Usenet, allowing researchers to see how it worked.[18]

The role of software development

Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit software bugs in a system or application to spread. Software development strategies that produce large numbers of bugs will generally also produce potential exploits.

Anti-virus software and other preventive measures

Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses. The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect viruses that anti-virus security firms have yet to create a signature for.

Some anti-virus programs are able to scan opened files in addition to sent and received e-mails 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to prevent the latest threats.

One may also minimise the damage done by viruses by making regular backups of data (and the Operating Systems) on different media, that are either kept unconnected to the system (most of the time), read-only or not accessible for other reasons, such as using different file systems. This way, if data is lost through a virus, one can start again using the backup (which should preferably be recent). A notable exception to this rule is the Gammima virus, which propagates via infected removable media (specifically flash drives) [19] [20]. If a backup session on optical media like CD and DVD is closed, it becomes read-only and can no longer be affected by a virus (so long as a virus or infected file was not copied onto the CD/DVD). Likewise, an Operating System on a bootable can be used to start the computer if the installed Operating Systems become unusable. Another method is to use different Operating Systems on different file systems. A virus is not likely to affect both. Data backups can also be put on different file systems. For example, Linux requires specific software to write to NTFSext3, so if one normally uses MS Windows, the backups can be made on an ext3 partition using a Linux installation. partitions, so if one does not install such software and uses a separate installation of MS Windows to make the backups on an NTFS partition, the backup should remain safe from any Linux viruses. Likewise, MS Windows can not read file systems like

Recovery methods

Once a computer has been compromised by a virus, it is usually unsafe to continue using the same computer without completely reinstalling the operating system. However, there are a number of recovery options that exist after a computer has a virus. These actions depend on severity of the type of virus.

Virus removal

One possibility on Windows Me, Windows XP and Windows Vista is a tool known as System Restore, which restores the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files or also exists in previous restore points [21]. Some viruses, however, disable system restore and other important tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor.

Administrators have the option to disable such tools from limited users for various reasons. The virus modifies the registry to do the same, except, when the Administrator is controlling the computer, it blocks all users from accessing the tools. When an infected tool activates it gives the message "Task Manager has been disabled by your administrator.", even if the user trying to open the program is the administrator.

Users running a Microsoft operating system can access Microsoft's website to run a free scan, provided they have their 20-digit registration number.

Operating system reinstallation

Reinstalling the operating system is another approach to virus removal. It involves simply reformatting the OS partition and installing the OS from its original media, or imaging the partition with a clean backup image (taken with Ghost or Acronis for example).

This method has the benefits of being simple to do, can be faster than running multiple anti-virus scans, and is guaranteed to remove any malware. Downsides include having to reinstall all other software as well as the operating system. User data can be backed up by booting off of a Live CD or putting the hard drive into another computer and booting from the other computer's operating system (though care must be taken not to transfer the virus to the new computer).

See also

References

  1. ^ http://www.bartleby.com/61/97/C0539700.html
  2. ^ http://www.actlab.utexas.edu/~aviva/compsec/virus/whatis.html
  3. ^ a b "Virus list". Retrieved on 2008-02-07.
  4. ^ Anick Jesdanun. "Prank starts 25 years of security woes"."The anniversary of a nuisance".
  5. ^ Boot sector virus repair
  6. ^ Dr. Solomon's Virus Encyclopedia, 1995, ISBN 1 897661 00 2, Abstract at http://vx.netlux.org/lib/aas10.html
  7. ^ Vesselin Bontchev. "Macro Virus Identification Problems". FRISK Software International.
  8. ^ Wade Alcorn. "The Cross-site Scripting Virus".
  9. ^ http://www.pcsecurityalert.com/pcsecurityalert-articles/what-is-a-computer-virus.htm
  10. ^ http://www.virusbtn.com/resources/glossary/polymorphic_virus.xml
  11. ^ Perriot, Fredrick; Peter Ferrie and Peter Szor (May 2002). "Striking Similarities" (PDF). Retrieved on September 9, 2007.
  12. ^ http://www.virusbtn.com/resources/glossary/metamorphic_virus.xml
  13. ^ Need a computer virus?- download now
  14. ^ http://blog.didierstevens.com/2007/05/07/is-your-pc-virus-free-get-it-infected-here/
  15. ^ "Malware Evolution: Mac OS X Vulnerabilities 2005-2006". Kaspersky Lab (2006-07-24). Retrieved on August 19, 2006.
  16. ^ Apple - Get a Mac
  17. ^ McAfee. "McAfee discovers first Linux virus". news article.
  18. ^ Axel Boldt. "Bliss, a Linux "virus"". news article.
  19. ^ "Symantec Security Summary - W32.Gammima.AG." http://www.symantec.com/security_response/writeup.jsp?docid=2007-082706-1742-99
  20. ^ "Yahoo Tech: Viruses! In! Space!" http://tech.yahoo.com/blogs/null/103826
  21. ^ "Symantec Security Summary - W32.Gammima.AG and removal details." http://www.symantec.com/security_response/writeup.jsp?docid=2007-082706-1742-99&tabid=3

Further reading

  • Mark Russinovich, Advanced Malware Cleaning video, Microsoft TechEd: IT Forum, November 2006
  • Szor, Peter (2005). The Art of Computer Virus Research and Defense. Boston: Addison-Wesley. ISBN 0321304543.
  • Jussi Parikka ( 2007) Digital Contagions. A Media Archaeology of Computer Viruses, Peter Lang: New York. Digital Formations-series

External links

Other texts

 The external links in this article may not follow Wikipedia's content policies or guidelines.
Please improve this article by removing excessive or inappropriate external links.
Diposting oleh di Tidak ada komentar:
Label:
Langganan: Postingan (Atom)