SecurityArena

CBK Applications and Systems Development Security (Part-2)
Written by Administrator   
Friday, 10 July 2009 13:53

Malicious Software (Malware)

There are several types of malicious code: viruses, worms, Trojan horses, and logic bombs. They usually lie dormant until they are activated by an event that the user or the system initiates. Malicious code can be detected through the following clues:

  • File size increase
  • Many unexpected disk accesses
  • Change in update or modified timestamp
  • Sudden decrease of hard drive space
  • Unexpected and strange activity by applications

A “pseudo-flaw” is code inserted into an application on purpose to trap potential intruders.
Virus
A virus is a small application, or string of code, that infects applications. The main function of a virus is to reproduce, and it requires a host application to be able to do this. In other words, viruses cannot replicate on their own. A virus infects files by inserting or attaching a copy of itself to the file. The virus may also cause destruction by deleting system files, displaying graphics, reconfiguring systems, or overwhelming mail servers.

  • Boot sector viruses infect the boot sector of a computer and either move data within the boot sector or overwrite the sector with new information.
  • Compression viruses append themselves to executables on the system and compress them by using the user’s permissions.
  • A stealth virus hides the modifications that it has made to files or boot records. This can be accomplished by monitoring system functions used to read files or sectors and forging the results.
  • A polymorphic virus produces varied but operational copies of itself.
  • A multipart virus infects both the boot sector of a hard drive and executable files.
  • A self-garbling virus attempts to hide from antivirus software by garbling its own code.
  • Meme viruses are not actual computer viruses but types of e-mail messages that are continually forwarded around the Internet.

EICAR test
An EICAR test checks antivirus software by introducing a benign test file that the software treats as a virus, so that its detection and reaction behaviour can be verified without using real malware. Antivirus products ship with a signature that matches the EICAR.com file. After the software configuration is complete, you place this file on the system to test how the antivirus product reacts to a virus.
Macros
Macros are programs written in Word Basic, Visual Basic, or VBScript and are usually used with Microsoft Office products. Macros automate tasks that users would otherwise have to carry out themselves. A macro virus is a virus written in one of these macro languages and is platform independent.
Worm
Worms differ from viruses in that they are self-contained programs and can reproduce on their own without a host application. A worm can propagate itself over email, TCP/IP, and disk drives. The definitions of worm and virus continue to merge, and the distinction between them is becoming increasingly blurred.
Logic Bomb
A logic bomb executes a program, or string of code, when a certain event happens or a date and time arrives.
Trojan Horse
A Trojan horse is a program that is disguised as another program. For example, a Trojan horse can be named Notepad.exe and carry the same icon as the regular Notepad program. When a user executes this Notepad.exe, it may still run the real Notepad program for the user while, in the background, it manipulates files or performs other malicious actions. A host-based IDS can be configured to watch certain files and detect when they grow in size, which is often a sign of a Trojan horse. If the original Notepad.exe was 50KB in size and then grew to 2MB, that may indicate a Trojan horse has infected the program.
Remote access Trojans are malicious programs that run on systems and allow intruders to access the system remotely. They mimic the functionality of legitimate remote control programs used for remote administration, but they are used for sinister purposes instead of helpful activities. They are usually hidden in some type of mobile code, such as in Java applets or ActiveX controls that are downloaded from web sites. The Trojan and attacker work in a client/server model. The remote access Trojan installed on the victim’s system is the server portion, and the attacker has a client piece. The server portion of the Trojan listens on a specific port, which allows a remote backdoor into the victim’s system.
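As an added illustration of the size and timestamp clues listed above, and of the host-based check described for the Notepad.exe case (example code written for this page, not from the original article), here is a minimal file-integrity baseline and check. It uses a constructed 50 KB placeholder file named Notepad.exe, not a real binary, and a growth threshold of 1.5x chosen for the example.

```python
from __future__ import annotations
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    size: int        # file size in bytes
    mtime_ns: int    # modification timestamp
    sha256: str      # content digest


def snapshot(path: str) -> Baseline:
    """Record size, modification time and SHA-256 of one file (the baseline)."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Baseline(st.st_size, st.st_mtime_ns, h.hexdigest())


def check(path: str, baseline: Baseline, growth_limit: float = 1.5) -> list:
    """Compare the file against its baseline and return the clues found."""
    now = snapshot(path)
    clues = []
    if now.sha256 != baseline.sha256:
        clues.append("content changed")
    if now.size > baseline.size * growth_limit:   # the 50KB -> 2MB clue from the text
        clues.append(f"size grew from {baseline.size} to {now.size} bytes")
    if now.mtime_ns != baseline.mtime_ns:
        clues.append("modification timestamp changed")
    return clues


def demo() -> dict:
    """Constructed scenario: baseline a 50 KB 'Notepad.exe', then let it grow to 2 MB."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Notepad.exe")  # constructed sample, not a real binary
        with open(path, "wb") as f:
            f.write(b"\x90" * 50 * 1024)
        base = snapshot(path)
        before = check(path, base)             # unchanged file: no clues expected
        with open(path, "ab") as f:
            f.write(b"\x00" * (2 * 1024 * 1024 - 50 * 1024))
        return {"before": before, "after": check(path, base)}
```

Timestamp changes are reported only when the filesystem's clock resolution actually registers them, so the content digest, not the mtime, is the reliable signal here.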



Last Updated on Friday, 28 August 2009 05:04