Anti-malware. Counteracting antivirus programs. Classifications of antivirus programs

A necessary task for virus writers and cyber criminals is to inject a virus, worm or Trojan into a victim computer or mobile phone. This goal is achieved in various ways, which are divided into two main categories:

  • social engineering;
  • technical methods of introducing malicious code into an infected system without the user’s knowledge.

Often these methods are used simultaneously. At the same time, special measures to counteract antivirus programs are also often used.

Social engineering

Social engineering methods, in one way or another, induce the user to launch an infected file or open a link to an infected website. These methods are used not only by numerous email worms, but also by other types of malicious software.

The task of hackers and virus writers is to attract the user’s attention to an infected file (or an HTTP link to an infected file), to interest the user, and to get him to click on the file (or the link). A “classic of the genre” is the LoveLetter email worm, which caused a sensation in May 2000 and, according to data from Computer Economics, still remains the leader in terms of the scale of financial damage caused. The message that the worm displayed on the screen looked like this:

Many people reacted to the “I LOVE YOU” confession, and as a result, the mail servers of large companies could not withstand the load - the worm sent copies of itself to all contacts in the address book every time an attached VBS file was opened.

The Mydoom mail worm, which exploded on the Internet in January 2004, used texts that imitated technical messages from a mail server.

It is also worth mentioning the Swen worm, which posed as a message from Microsoft and disguised itself as a patch that eliminated a number of new vulnerabilities in Windows (it is not surprising that many users succumbed to the call to install “another patch from Microsoft”).

There have also been curious incidents, one of which occurred in November 2005. One version of the Sober worm claimed that the German criminal police were investigating cases of visits to illegal websites. This letter ended up in the hands of a child pornographer, who mistook it for an official letter and obediently surrendered to the authorities.

Recently it is not files attached to emails that have gained particular popularity, but rather links to files located on an infected website. A message is sent to a potential victim by mail, via ICQ or another instant messenger, or, less often, via IRC chats (in the case of mobile viruses, the usual delivery method is an SMS message). The message contains some attractive text that entices the unsuspecting user to click on the link. This method of penetrating victim computers is by far the most popular and effective, since it bypasses vigilant anti-virus filters on mail servers.

The capabilities of file-sharing networks (P2P networks) are also used. A worm or Trojan is posted on a P2P network under a variety of enticing names, for example:

  • AIM & AOL Password Hacker.exe
  • Microsoft CD Key Generator.exe
  • PornStar3D.exe
  • play station emulator crack.exe

While searching for new programs, users of P2P networks come across these names, download the files and launch them for execution.

“Scams” are also quite popular, when the victim is offered a free utility or instructions for hacking various payment systems. For example, they offer free access to the Internet or a mobile operator, a credit card number generator, a way to increase the amount of money in one’s personal Internet wallet, etc. Naturally, victims of such fraud are unlikely to contact law enforcement agencies (after all, they themselves tried to make money through fraudulent means), and Internet criminals take full advantage of this.

An unknown attacker from Russia used an unusual method of deception in 2005-2006. The Trojan program was sent to addresses found on the job.ru website, which specializes in employment and personnel search. Some of those who published their resumes there allegedly received a job offer with a file attached to the letter, which they were asked to open and familiarize themselves with its contents. The file was, naturally, a Trojan horse. It is also interesting that the attack was carried out mainly on corporate email addresses. The calculation was apparently based on the fact that company employees were unlikely to report the source of infection. And so it happened - Kaspersky Lab specialists were unable to obtain clear information about the method of penetration of the Trojan program into user computers for more than six months.

There are also quite exotic cases, for example, a letter with an attached document in which a bank client is asked to confirm (or rather, report) their access codes - print the document, fill out the attached form and then fax it to the phone number specified in the letter.

Another unusual case of spyware being delivered to people's homes occurred in Japan in the fall of 2005. Some attackers sent CDs infected with a Trojan spyware to the home addresses (city, street, house) of clients of one of the Japanese banks. In this case, information was used from the previously stolen client database of this very bank.

Injection technologies

These technologies are used by attackers to sneak malicious code into the system without attracting the attention of the computer owner. This is done through security vulnerabilities in operating systems and software. The presence of vulnerabilities allows a network worm or Trojan program manufactured by an attacker to penetrate a victim computer and launch itself for execution.

Vulnerabilities are, in fact, errors in the code or in the logic of the operation of various programs. Modern operating systems and applications have a complex structure and extensive functionality, and it is simply impossible to avoid errors in their design and development. This is what virus writers and computer attackers take advantage of.

Vulnerabilities in Outlook email clients were exploited by the Nimda and Aliz email worms. In order to launch the worm file, it was enough to open the infected letter or simply select it in the preview pane.

Malware also actively exploited vulnerabilities in the network components of operating systems. The worms CodeRed, Sasser, Slammer, Lovesan (Blaster) and many other worms running under Windows OS used such vulnerabilities to spread. Linux systems also came under attack - the Ramen and Slapper worms penetrated computers through vulnerabilities in this operating environment and applications for it.

In recent years, one of the most popular methods of infection has been the injection of malicious code through web pages. This often exploits vulnerabilities in Internet browsers. An infected file and a script that exploits a vulnerability in the browser are placed on a web page. When a user visits the page, the script is triggered and, through the vulnerability, downloads the infected file to the computer and launches it for execution. As a result, to infect a large number of computers, it is enough to lure as many users as possible to such a web page. This is achieved in various ways, for example by sending spam with the page address, sending similar messages through instant messengers, and sometimes even via search engines: the infected page contains a variety of text that is sooner or later indexed by search engines, and the link to the page then appears among the other pages in the search results.

A separate class are Trojan programs that are designed to download and run other Trojan programs. Typically, these Trojans, which are very small in size, in one way or another (for example, using another vulnerability in the system) are “slipped” onto the victim computer, and then independently download from the Internet and install other malicious components into the system. Often such Trojan programs change browser settings to the most insecure ones in order to “make the road easier” for other Trojans.

Vulnerabilities that become known are quickly corrected by the development companies, but information constantly appears about new vulnerabilities, which are immediately put to use by numerous hackers and virus writers. Many Trojan “bots” use new vulnerabilities to increase their numbers, and new errors in Microsoft Office immediately begin to be used to introduce new Trojan programs into computers. At the same time, unfortunately, the time interval between the appearance of information about the next vulnerability and the beginning of its use by worms and Trojans tends to shrink. As a result, vulnerable software companies and antivirus software developers find themselves under time pressure. The former need to fix the error as quickly as possible, test the result (usually called a “patch” or “fix”) and distribute it to users; the latter need to immediately release a tool for detecting and blocking objects (files, network packets) that exploit the vulnerability.

Simultaneous use of injection technologies and social engineering methods

Quite often, computer attackers use both methods at once. Social engineering attracts the attention of a potential victim, and the technical method increases the likelihood of the infected object penetrating the system.

For example, the Mimail email worm spread as an attachment to an email. In order for the user to pay attention to the letter, specially designed text was inserted into it, and to launch a copy of the worm from the ZIP archive attached to the letter, a vulnerability in the Internet Explorer browser was used. As a result, when opening a file from an archive, the worm created a copy of itself on the disk and launched it for execution without any system warnings or additional user actions. By the way, this worm was one of the first designed to steal personal information from users of e-gold system Internet wallets.

Another example is sending spam with the subject “Hello” and the text “Look what they write about you.” The text was followed by a link to a web page. Upon analysis, it turned out that this web page contains a script program that, taking advantage of another vulnerability in Internet Explorer, downloads the LdPinch Trojan program onto the user’s computer, designed to steal various passwords.

Counteracting antivirus programs

Since the goal of computer attackers is to inject malicious code into victim computers, to do this they need to not only force the user to run an infected file or penetrate the system through some vulnerability, but also sneak past the installed anti-virus filter. Therefore, it is not surprising that attackers deliberately target antivirus programs. The techniques they use are very diverse, but the most common are the following:

Packaging and encryption of code. A significant portion (if not most) of modern computer worms and Trojan horses are packaged or encrypted in one way or another. Moreover, the computer underground creates packaging and encryption utilities specifically designed for this purpose. For example, absolutely all files found on the Internet that were processed by the utilities CryptExe, Exeref, PolyCrypt and some others turned out to be malicious.

To detect such worms and Trojans, antivirus programs have to either add new unpacking and decryption methods, or add signatures to each sample of malware, which reduces the quality of detection, since not always all possible samples of modified code end up in the hands of the antivirus company.

Code mutation. Diluting the Trojan code with “junk” instructions. As a result, the functionality of the Trojan program is preserved, but its “appearance” changes significantly. Periodically there are cases when code mutation occurs in real time, every time a Trojan program is downloaded from an infected website; that is, all or a significant part of the Trojan samples that reach computers from such a site are different. An example of the use of this technology is the Warezov email worm, several versions of which caused significant epidemics in the second half of 2006.

Hiding its presence. The so-called “rootkit technologies”, usually used in Trojan programs. System functions are intercepted and replaced, thanks to which the infected file is visible neither to standard operating system tools nor to anti-virus programs. Sometimes the registry branches in which a copy of the Trojan is registered, and other system areas of the computer, are also hidden. These technologies are actively used, for example, by the HacDef backdoor Trojan.

Stopping the antivirus and its system for receiving antivirus database updates. Many Trojans and network worms take special actions against anti-virus programs: they look for them in the list of active applications and try to stop their work, corrupt anti-virus databases, block receiving updates, etc. Antivirus programs have to protect themselves in adequate ways: monitor the integrity of databases, hide their processes from Trojans, etc.

Hiding your code on websites. The addresses of web pages containing Trojan files sooner or later become known to antivirus companies. Naturally, such pages come under the close attention of anti-virus analysts - the contents of the page are periodically downloaded, new versions of Trojan programs are included in anti-virus updates. To counteract this, the web page is modified in a special way - if the request comes from the address of an antivirus company, then some non-Trojan file is downloaded instead of the Trojan one.

Attack by numbers. Generation and distribution on the Internet of a large number of new versions of Trojan programs in a short period of time. As a result, antivirus companies find themselves inundated with new samples that take time to analyze, giving malicious code an additional chance to successfully infiltrate computers.

These and other methods are used by the computer underground to counter antivirus programs. At the same time, the activity of cybercriminals is growing year after year, and now we can talk about a real “technology race” that has unfolded between the antivirus industry and the virus industry. At the same time, the number of individual hackers and criminal groups, as well as their professionalism, is growing. All this together significantly increases the complexity and amount of work required of antivirus companies to develop a sufficient level of protection.

Article 273 of the Criminal Code of the Russian Federation understands malware as computer programs or changes to existing programs that “knowingly lead to unauthorized destruction, blocking, modification or copying of information, disruption of the operation of a computer, computer system or their network.”

Microsoft Corporation uses the term malware, defining it as follows: “malware is an abbreviation for malicious software, usually used as a common term to refer to any software specifically designed to cause damage to an individual computer, server, or computer network, regardless of whether it is a virus, spyware, etc.”

The harm caused by such software may include damage to:

  • software and hardware of the computer (network) attacked by the intruder;
  • computer user data;
  • the computer user himself (indirectly);
  • users of other computers (indirectly).

Specific damage to users and (or) owners of computer systems and networks may include the following:

  • leakage and (or) loss of valuable information (including financial information);
  • abnormal behavior of software installed in the system;
  • a sharp increase in incoming and (or) outgoing traffic;
  • slowdown or complete failure of the computer network;
  • loss of working time of the organization's employees;
  • the offender’s access to corporate computer network resources;
  • risk of becoming a victim of fraud.

Signs of malware include the following:

  • hiding its presence in a computer system;
  • self-duplication, attaching its code to other programs, transferring its code to previously unoccupied areas of computer memory;
  • distortion of the code of other programs in the computer's RAM;
  • saving data from the RAM of other processes in other areas of the computer's memory;
  • distortion, blocking, substitution of stored or transmitted data obtained as a result of the operation of other programs or already located in the external memory of the computer;
  • incorrectly informing the user about the actions allegedly performed by the program.

A malicious program can have only one of the characteristics listed above or a combination of them. Obviously, the above list is not exhaustive.

Based on the presence of material benefit, malicious software can be divided into:

  • not bringing direct material benefit to the person who developed (installed) the malicious program (developed based on hooliganism, “joke”, vandalism, including on religious, nationalist, political grounds, self-affirmation and the desire to confirm one’s qualifications);
  • bringing direct material benefit to the offender in the form of theft of confidential information, including gaining access to bank-client systems, obtaining PIN codes of credit cards and other personal data of the user, as well as gaining control over remote computer systems for the purpose of distributing spam from numerous “infected” computers (zombie computers).

Based on the purpose of development, malware can be divided into:

  • Software that was originally developed specifically to gain unauthorized access to information stored on a computer with the aim of causing damage to the owner of the information and (or) the owner of the computer (computer network);
  • Software that was not initially developed specifically to gain unauthorized access to information stored on a computer, and was not initially intended to cause damage to the owner of the information and (or) the owner of the computer (computer network).

Recently, the malware creation industry has become criminalized, which manifests itself in the following:

  • theft of confidential information (trade secrets, personal data);
  • creating zombie networks (“botnets”) designed to send spam, distributed denial of service attacks (DDoS attacks), and introducing Trojan proxy servers;
  • encryption of user information with subsequent blackmail and ransom demands;
  • attacks on antivirus products;
  • so-called phlashing (permanent denial of service, PDoS).

Denial of service attacks are now used not so much as a tool to extort money from victims, but as a means of political and competitive warfare. If previously DoS attacks were a tool in the hands of extortion hackers or hooligans only, now they have become the same commodity as spam mailings or custom-made malware. Advertising of DoS attack services has become commonplace, and prices are already comparable to the cost of organizing spam mailings.

Companies specializing in computer and network security are paying attention to a new type of threat, the so-called permanent denial of service (PDoS). This new type of attack has received another name: phlashing. It is potentially capable of causing much more harm to the system than any other type of malicious network activity, since it is aimed at disabling computer equipment. PDoS attacks are more effective and cheaper than traditional types of attacks, in which the hacker tries to install malware on the victim's system. In phlashing, the target of the attack is the firmware in BIOS flash memory and device drivers, which, when damaged, disrupt the operation of the devices and are potentially capable of physically destroying them.

Another type of attack aimed at stealing confidential information is when attackers introduce into a company’s information system a malicious program that can block the operation of the system. At the next stage, the attacked company receives a letter from the criminals demanding money for a password that will unlock the company’s computer system. Another similar way to make money illegally online is to launch Trojan programs onto the user’s computer that encrypt data. The decryption key is likewise sent by the criminals for a certain monetary reward.

The personal data of the user of the attacked computer that is of interest to the attacker includes:

  • documents and other user data stored in computer memory;
  • account names and passwords for access to various network resources (electronic money and payment systems, Internet auctions, Internet pagers, e-mail, Internet sites and forums, online games);
  • email addresses of other users, IP addresses of other computers on the network.

Thanks to the new opportunities provided by the Internet, and especially the widespread spread of social networks, an increasing number of people regularly turn to Internet resources and become victims of increasingly sophisticated attacks, the purpose of which is both to steal confidential user data and to “zombify” their computers for subsequent use of their resources by violators.

The effective operation of a “zombie” network is determined by three components of which it conventionally consists:

  • a loader program whose task is to distribute its own code and the code of the bot program that performs the main work;
  • a bot program that collects and transmits confidential information, sends spam, participates in a DDoS attack and performs other actions assigned to it by the violator;
  • a botnet control module that collects information from bot programs and sends them updates and, if necessary, new configuration files that “retarget” the bot programs.

Examples of how malware counteracts the antivirus software installed on the user’s computer are:

  • forced stop of the anti-virus scanner or monitor;
  • changing the security system settings to facilitate the implementation and operation of the malicious program;
  • automatic clicking on the “Skip” button after the user receives a warning about detected malware;
  • hiding its presence in the system (so-called “rootkits”);
  • complicating anti-virus analysis through additional transformation of the malicious code (encryption, obfuscation, polymorphism, packing).

Until recent years, the work of anti-virus programs was based solely on analysis of the contents of the scanned object. At the same time, the earlier signature-based method of detecting viruses (the so-called scanning) used a search for fixed sequences of bytes, often at a certain offset from the beginning of the object, contained in the binary code of the malicious program. Heuristic analysis, which appeared a little later, also checked the contents of the object being scanned, but was based on a freer, probabilistic search for byte sequences characteristic of a potentially malicious program. Obviously, a malicious program will easily bypass such protection if each copy of it is a new set of bytes.

This is precisely the problem that polymorphism and metamorphism solve, the essence of which is that when creating its next copy, the malicious program completely changes at the level of the set of bytes that it consists of. However, its functionality remains unchanged.

Encryption and obfuscation of code are primarily aimed at making program code difficult to analyze, but, implemented in a certain way, they turn out to be forms of polymorphism (for example, encrypting each copy of a virus with a unique key). Obfuscation by itself only complicates analysis, but, applied anew in each copy of the malware, it also interferes with anti-virus scanning.

Polymorphism became relatively widespread only in the era of viruses that infect files. This is explained by the fact that writing polymorphic code is a very complex and resource-intensive task and is justified only in cases where the malicious program independently reproduces: each new copy of it is a more or less unique set of bytes. For most modern malware that does not have a self-replication function, this is not relevant. Therefore, polymorphism is not very common in malware at present.

Obfuscation, on the other hand, along with other methods of modifying code, mainly serves to complicate heuristic analysis rather than signature scanning, and for that reason it has not lost its relevance.

To reduce the size of a file with a malicious program, so-called packers are used - special programs that process the file according to the principle of an archiver. A side and beneficial (from the point of view of counteracting antivirus programs) effect of using packers is that antivirus scanning is somewhat difficult.

This is explained by the fact that when developing a new modification of a malicious program, its author usually changes only a few lines of code, leaving its core intact. In the executable code, the bytes in a certain section of the file change, and if the signature used by the antivirus program was not taken from that particular section, the malicious program will still be detected. Processing the program with a packer solves this problem for the author, since changing even one byte in the original executable results in a completely new set of bytes in the packed file.
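As an added illustration (not code from the original text), the toy scanner below shows both sides of this: a fixed-offset signature that matches the plain file, the same file packed with a constructed XOR stub under two different keys so that no byte sequence is shared, and the unpacking step an engine has to add to see through that packer. The payload, stub format and signature names are all constructed for the example.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# Constructed marker standing in for the core code of a malicious program.
PAYLOAD = b"MALWARE-CORE:steal-passwords;send-spam;block-av-updates"
# Constructed 8-byte marker that identifies the hypothetical decryptor stub.
STUB_MAGIC = b"XORSTUB1"
STUB_HEADER = "<BI"   # 1-byte XOR key, 4-byte length of the encrypted body

# Signature database: name -> (fixed offset, or None for "anywhere"; byte pattern).
SIGNATURES: Dict[str, Tuple[Optional[int], bytes]] = {
    "Toy.Core.fixed": (16, b"MALWARE-CORE"),    # bound to an offset in the plain file
    "Toy.Core.float": (None, b"send-spam"),      # searched anywhere in the file
}


def make_plain_file(payload: bytes) -> bytes:
    """Unpacked sample: 16 bytes of header padding followed by the core."""
    return b"\x00" * 16 + payload


def make_packed_file(original: bytes, key: int) -> bytes:
    """Toy packer: stub marker, header, then the whole original file XOR-encrypted.
    A different key gives a completely different byte string for the same original."""
    body = bytes(b ^ key for b in original)
    return STUB_MAGIC + struct.pack(STUB_HEADER, key, len(body)) + body


def scan_static(sample: bytes) -> List[str]:
    """Classic scanning: look for each signature at its offset, or anywhere."""
    hits = []
    for name, (offset, pattern) in SIGNATURES.items():
        if offset is None:
            found = pattern in sample
        else:
            found = sample[offset:offset + len(pattern)] == pattern
        if found:
            hits.append(name)
    return hits


def try_unpack(sample: bytes) -> Optional[bytes]:
    """Recognise the toy stub and redo its decryption, the way an engine adds an
    unpacking routine for each packer it learns to recognise."""
    if not sample.startswith(STUB_MAGIC):
        return None
    header_end = len(STUB_MAGIC) + struct.calcsize(STUB_HEADER)
    if len(sample) < header_end:
        return None
    key, length = struct.unpack_from(STUB_HEADER, sample, len(STUB_MAGIC))
    body = sample[header_end:header_end + length]
    if len(body) != length:
        return None      # truncated or malformed: do not trust the stub's claims
    return bytes(b ^ key for b in body)


def scan(sample: bytes) -> List[str]:
    """Static signatures first; if the sample is packed, unpack and scan the original."""
    hits = scan_static(sample)
    unpacked = try_unpack(sample)
    if unpacked is not None:
        hits += [name for name in scan_static(unpacked) if name not in hits]
    return hits


def packed_variant_hashes(original: bytes, keys: List[int]) -> List[str]:
    """One packed copy per key: the "attack by numbers" effect, distinct hashes for one core."""
    return [hashlib.sha256(make_packed_file(original, k)).hexdigest() for k in keys]
```

Without the unpacking step, every new key is a "new sample" that costs analyst time; with it, one routine covers every key the stub can carry.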

Many modern packers, in addition to compressing the source file, provide it with additional self-defense functions aimed at making it difficult to unpack the file and analyze it using a debugger.

Malware (sometimes also called destructive software influences) is customarily taken to include computer viruses and software implants. The term “computer virus” was first introduced by the US specialist F. Cohen in 1984. A “classical” computer virus is an autonomously functioning program that simultaneously has three properties:

  • the ability to include its code in the bodies of other objects (files and system areas of computer memory);
  • subsequent independent execution;
  • independent distribution in computer systems.

Computer viruses do not use network services to penetrate other computers on the network. A copy of the virus reaches remote computers only if the infected object, for some reason beyond the control of the virus, is activated on another computer, for example:

  • when infecting user-accessible network drives, the virus penetrated into files located on these network resources;
  • the virus has copied itself to removable media or infected files on it;
  • the user sent an email with a virus-infected attachment.

An important fact is that viruses do not have the means to spread beyond the boundaries of one computer. This can only happen when a removable storage medium (floppy disk, flash drive) is infected or when the user himself transfers a virus-infected file to another computer over the network.

Boot viruses infect the master boot record of a hard disk (Master Boot Record, MBR) or the boot sector of a hard disk partition, system floppy disk or boot CD (Boot Record, BR), replacing the boot program and operating system loader contained in them with their own code. The original contents of these sectors are stored in one of the free sectors of the disk or directly in the body of the virus.

After infecting the MBR, which is the first sector of the zero head of the zero cylinder of the hard disk, the virus gains control immediately after the completion of the hardware test procedure (POST), the BIOS Setup program (if it was called by the user), BIOS procedures and its extensions. Having gained control, the boot virus performs the following actions:

  1) copying its code to the end of the computer’s RAM, thereby reducing the size of its free part;
  2) overriding several BIOS interrupts, mainly those related to disk access;
  3) loading the true boot program into RAM, whose functions include reading the hard drive partition table, determining the active partition, and loading and transferring control to the operating system boot program of the active partition;
  4) transferring control to the true boot program.

A boot virus in a BR works in a similar way, replacing the operating system boot program. A common way for a computer to become infected with a boot virus is an accidental attempt to boot from a non-system floppy disk (or CD) whose boot sector is infected. This situation occurs when an infected floppy disk is left in the drive when the operating system is rebooted. Once the master boot sector of a hard drive is infected, the virus spreads the first time any uninfected floppy disk is accessed.

Boot viruses usually belong to the group of resident viruses. Boot viruses were quite common in the 90s of the last century, but practically disappeared with the transition to 32-bit operating systems and the abandonment of floppy disks as the main method of exchanging information. Theoretically, boot viruses that infect CDs and flash drives could appear, but so far no such viruses have been detected.
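A defender-side check for the infection pattern just described, added here as an example and not part of the original text: record a baseline of a clean MBR, then compare the boot code and partition table of a later read against it, since a boot virus replaces the boot code but must keep the partition table so the system still boots. The sectors, partition values and boot-code bytes are constructed placeholders.

```python
"""Baseline-and-compare check for the master boot record. The sectors below are
constructed; reading a real MBR needs raw disk access (e.g. /dev/sda on Linux or
\\\\.\\PhysicalDrive0 on Windows) with administrator rights."""
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
PT_OFFSET = 446                # partition table: 4 entries of 16 bytes at byte 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
ACTIVE_FLAG = 0x80

# (status, partition type, first LBA sector, sector count)
Partition = Tuple[int, int, int, int]


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a constructed 512-byte MBR from boot code and up to 4 partition entries."""
    if len(boot_code) > PT_OFFSET or len(partitions) > 4:
        raise ValueError("boot code or partition list too large")
    table = b"".join(
        # CHS start/end fields are left zero; the LBA fields are what gets compared.
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in partitions
    )
    return boot_code.ljust(PT_OFFSET, b"\0") + table.ljust(4 * ENTRY_SIZE, b"\0") + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> Dict:
    """Extract what the check needs: signature, boot-code hash, non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PT_OFFSET + i * ENTRY_SIZE)
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({"index": i, "active": status == ACTIVE_FLAG,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: Dict) -> List[str]:
    """Compare a freshly read MBR against a baseline recorded from a known-clean disk."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (boot virus/bootkit, or a legitimate loader update)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    active = [p for p in current["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    return findings


# Constructed samples. The boot code bytes are placeholders, not real loader code.
PARTITIONS: List[Partition] = [(ACTIVE_FLAG, 0x07, 2048, 1_048_576), (0x00, 0x07, 1_050_624, 4_194_304)]
CLEAN_MBR = build_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE", PARTITIONS)
# Boot virus scenario: new boot code, same partition table.
INFECTED_MBR = build_mbr(b"CONSTRUCTED-VIRUS-BOOT-CODE", PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

A boot-code mismatch alone is exactly the signal a virus leaves: the partition table still validates, so the machine boots normally and nothing else looks wrong.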

File viruses infect files of various types:

  • program files, device driver files and other operating system modules;
  • document files that may contain macros;
  • document files that may contain scripts, or separate script files, etc.

When a file is infected, the virus writes its code to the beginning, middle, or end of the file, or to several places at once. The source file is modified so that once the file is opened, control is immediately transferred to the virus code. After receiving control, the virus code performs the following sequence of actions:

  1) infection of other files (combined viruses) and system areas of disk memory;
  2) installation of its own resident modules (resident viruses) in RAM;
  3) performing other actions depending on the algorithm implemented by the virus;
  4) continuing the usual procedure for opening the file (for example, transferring control to the original code of the infected program).

Viruses in program files, when infected, change their header in such a way that after loading the program into RAM, control is transferred to the virus code. For example, the portable executable file format of the Windows and OS/2 operating systems (Portable Executable - PE) has the following structure:

  1) header in the format of the MS-DOS operating system;
  2) code of the real-mode program that takes control when an attempt is made to launch a Windows application in the MS-DOS operating system environment;
  3) PE file header;
  4) additional (optional) PE file header;
  5) headers and bodies of all application sections (program code, its static data, data exported by the program, data imported by the program, debugging information, etc.).

The section containing the optional PE file header includes a field containing the address of the application's entry point. Immediately before the entry point in the application code segment is an Import Address Table (IAT), which is populated with valid addresses when the executable code is loaded into the process's address space.

When a virus infects a program file, the application's entry point address is changed to point to the beginning of the virus code and ensure that it automatically takes control when the program file is loaded. It is also possible to modify operating system kernel modules (for example, kernel32.dll) to intercept calls to some system functions (for example, CreateProcess, CreateFile, ReadFile, WriteFile, CloseHandle) to infect other files.
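The header layout above can be checked programmatically. The example below (added here, not from the original text) builds a constructed minimal PE image and applies the entry-point heuristics a scanner would use to notice that AddressOfEntryPoint has been moved into an appended section; the section names, addresses and findings text are assumptions of the example, and the heuristics are not any particular antivirus product's logic.

```python
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
OPT_HEADER_SIZE = 224   # PE32 optional header; only the fields up to the entry point are filled

Section = Tuple[bytes, int, int, int]   # (name, virtual address, virtual size, characteristics)


def build_pe(entry_rva: int, sections: List[Section]) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, optional header, section table."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(OPT_HEADER_SIZE, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
                     for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


def parse_pe(data: bytes) -> Tuple[int, List[Dict]]:
    """Return (AddressOfEntryPoint, section list) from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
                         "va": fields[2], "size": fields[1], "chars": fields[9]})
    return entry, sections


def entry_point_findings(data: bytes) -> List[str]:
    """Heuristics a scanner applies to an entry point that a file infector may have moved."""
    entry, sections = parse_pe(data)
    holder = next((s for s in sections if s["va"] <= entry < s["va"] + s["size"]), None)
    if holder is None:
        return [f"entry point 0x{entry:x} lies outside every section"]
    findings = []
    executable = [s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if executable and holder is not executable[0]:
        findings.append(f"entry point in '{holder['name']}', not in the first executable section "
                        f"'{executable[0]['name']}'")
    if len(sections) > 1 and holder is sections[-1]:
        findings.append(f"entry point in the last section '{holder['name']}' (typical of appended code)")
    if holder["chars"] & IMAGE_SCN_MEM_WRITE and holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{holder['name']}' is both writable and executable")
    return findings


# Constructed images: a clean layout, and the same layout with an appended section holding the entry point.
CLEAN_SECTIONS: List[Section] = [
    (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x3000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
CLEAN_PE = build_pe(0x1200, CLEAN_SECTIONS)
INFECTED_PE = build_pe(0x4010, CLEAN_SECTIONS + [
    (b".vir", 0x4000, 0x0800,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
```

Legitimately packed or self-extracting executables trigger the same heuristics, so these findings are a prompt for deeper analysis (unpacking, emulation) rather than a verdict on their own.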

A type of file viruses are viruses in clusters of an infected logical disk or floppy disk. When infected, the virus code is copied to one of the free disk clusters, which is marked in the File Allocation Table (FAT) as the last file cluster. Then the descriptions of the program files in the directory are changed - instead of the number of the first cluster allocated to the file, the number of the cluster containing the virus code is placed. In this case, the true number of the first cluster of the infected file is encrypted and stored, for example, in an unused part of the file description in the directory.

When an infected file is launched, control is received by the virus code, which:

  1. installs its resident module in RAM, which from then on intercepts all accesses to the infected disk;
  2. loads the original program file and transfers control to it.

When the directory containing infected files is subsequently accessed, the resident part of the virus returns to the operating system the true numbers of the first clusters allocated to the infected files.

Viruses in document files created, for example, by Microsoft Office programs spread by means of the macros included in those documents (procedures written in the Visual Basic for Applications (VBA) programming language). Such viruses are therefore called macro viruses (or simply macroviruses).

Macro programming languages, especially VBA, are general-purpose languages that support object-oriented programming, have a large library of standard macro commands and allow quite complex procedures to be written. In addition, VBA supports automatically executed macros that are tied to certain events (for example, opening a document) or to certain user actions (for example, invoking the command that saves a document to a file).

Examples of automatically running macros associated with specific Microsoft Word document processing events include:

  • AutoExec (automatically executed when the Microsoft Word word processor starts, if located in the normal.dot template file or in a file in the Startup subfolder of the Microsoft Office folder);
  • AutoNew (automatically takes control when creating a new document);
  • AutoOpen (automatically executed when opening a document);
  • AutoClose (automatically executed when closing a document);
  • AutoExit (automatically takes control when the Microsoft Word word processor exits).

The Microsoft Excel spreadsheet processor supports only some of these automatically executed macros, and their names differ slightly: Auto_open and Auto_close.

The Microsoft Word word processor also defines macros that automatically receive control when the user invokes one of the standard commands: FileSave (File | Save), FileSaveAs (File | Save As), ToolsMacro (Tools | Macro | Macros), ToolsCustomize (Tools | Customize), etc.

A Microsoft Office document may also contain macros that automatically receive control when the user presses a certain combination of keys on the keyboard or reaches a certain point in time (date, time of day).

Any macro (including automatically executed ones) from a separate document can be written to the normal.dot template file (and vice versa) and thereby become available when editing any Microsoft Word document. Writing a macro to the normal.dot file can be done using the standard MacroCopy macro command (WordBasic), the OrganizerCopy method of the Application object, or the Copy methods of the standard Organizer (Microsoft Word) and Sheets (Microsoft Excel) objects.

To manipulate files in the computer's external memory, macros can use the standard macro commands Open (open an existing file or create a new one), SetAttr (change file attributes), Name (rename a file or folder), Get (read data from an open file), Put (write data to an open file), Seek (change the current read or write position in a file), Close (close a file), Kill (delete a file), RmDir (delete a folder), MkDir (create a new folder), ChDir (change the current folder), etc.

A standard Shell macro command allows you to execute any of the programs or system commands installed on your computer.

Thus, the VBA programming language can well be used by the authors of macro viruses to create very dangerous code. The simplest macro virus in a Microsoft Word document infects other document files as follows:

  1. when an infected document is opened, control is given to the macro containing the virus code;
  2. the virus places further macros carrying its own code in the normal.dot template file (for example, FileOpen, FileSaveAs and FileSave);
  3. the virus sets a flag in the Windows registry and (or) in the Microsoft Word initialization file indicating that the infection has taken place;
  4. when Microsoft Word is next launched, the first file opened is in fact the already infected normal.dot template, so the virus code automatically takes control, and other document files can be infected when they are saved with the standard Microsoft Word commands.
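Everything the infection scheme above relies on is visible in the VBA source of a document: procedures named after auto-executed events, procedures that shadow built-in commands such as FileSave, macro-copying calls like OrganizerCopy, and file-system or Shell commands. The following added example (written for this page, not code from the original text or from any antivirus product) scans extracted VBA source for exactly those indicators and returns a simple additive score. The two VBA fragments are constructed for the example and are not a working virus; the placeholders `SRC` and `OBJ` in the suspicious sample stand in for arguments that are irrelevant to the scan. The scanner assumes the VBA text has already been extracted from the document file, which this example does not do.

```python
import re

# Names the page lists as automatically executed macros (Word and Excel).
AUTO_MACROS = {"autoexec", "autonew", "autoopen", "autoclose", "autoexit", "auto_open", "auto_close"}
# Procedure names that replace built-in Word commands when defined in a document or template.
COMMAND_HOOKS = {"fileopen", "filesave", "filesaveas", "toolsmacro", "toolscustomize"}
# Macro commands the page names for copying macros, touching the file system and running programs.
CALL_RE = re.compile(r"\b(MacroCopy|OrganizerCopy|Shell|Kill|SetAttr|RmDir)\b", re.I)
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
TEMPLATE_RE = re.compile(r"normal\.dot|NormalTemplate", re.I)


def strip_comments(source):
    """Drop VBA line comments (everything from the first apostrophe).

    Apostrophes inside string literals are not handled; good enough for triage."""
    return "\n".join(line.split("'", 1)[0] for line in source.splitlines())


def scan_vba(source):
    """Return the indicators found in one VBA module plus an additive risk score."""
    code = strip_comments(source)
    procs = [m.group(1) for m in PROC_RE.finditer(code)]
    auto = [p for p in procs if p.lower() in AUTO_MACROS]
    hooks = [p for p in procs if p.lower() in COMMAND_HOOKS]
    calls = sorted({m.group(1) for m in CALL_RE.finditer(code)}, key=str.lower)
    template = bool(TEMPLATE_RE.search(code))
    # Auto-run macros and command hooks weigh most; touching the global template adds a fixed bonus.
    score = 2 * len(auto) + 2 * len(hooks) + len(calls) + (3 if template else 0)
    return {"auto_macros": auto, "command_hooks": hooks, "suspicious_calls": calls,
            "touches_template": template, "score": score}


# Constructed sample resembling the infection steps described above (not a working virus).
SUSPICIOUS_SAMPLE = """\
Attribute VB_Name = "Module1"
Sub AutoOpen()
    ' auto-executed on open; copies macros into the template (SRC and OBJ are placeholders)
    Application.OrganizerCopy SRC, NormalTemplate.FullName, "AutoOpen", OBJ
    Shell "cmd /c echo constructed sample"
End Sub

Sub FileSave()
    ' replaces the built-in File | Save command
    ActiveDocument.Save
End Sub
"""

# Constructed benign macro: a formatting helper with none of the indicators.
BENIGN_SAMPLE = """\
Sub FormatReport()
    ' legitimate formatting helper
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_vba(src))
```

The weights are arbitrary and meant to rank modules for a human, not to block them; a legitimate add-in that defines FileSave and calls Shell will score, so the output is a worklist, not a verdict.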

We can say that most macro viruses belong to the group of resident viruses, since part of their code is constantly present in the computer’s RAM while the program from the Microsoft Office package is running.

The placement of the macro virus code inside a Microsoft Office document can only be described schematically, since the document file format is very complex: it contains a sequence of data blocks of various formats, joined to each other by a large amount of service data. A special feature of macro viruses is that they can infect document files on computers of different platforms, not only IBM PCs: infection is possible whenever office programs fully compatible with the Microsoft Office suite are installed on the computer.

When document files are saved, they also receive random data unrelated to the content of the document, namely the contents of RAM blocks that were allocated but not completely filled while the document was being edited. Therefore, when new data is added to a document, its size can change unpredictably, and may even decrease. This makes it impossible to judge from the file size whether a document is infected with a macro virus, since the size after infection will also change unpredictably. Note also that the information accidentally saved together with a document file that is later made public may contain confidential data.

Most known macro viruses place their code only in macros. However, there are also document-file viruses in which the virus code is stored not only in macros. These viruses include a small macro that loads the main virus code: it invokes the macro editor built into Microsoft Office, creates a new macro containing the virus code, executes it, and then deletes the created macro to hide traces of its presence. In this case the main virus code is present as an array of strings either in the body of the loader macro or in the variable area of the infected document.

Infecting the normal.dot template file is not the only way macro viruses can spread on a user's computer. Additional template files located in the Startup folder inside the Microsoft Office folder can also be infected. Another way to infect user document files with macro viruses is to inject them into Microsoft Word add-in files located in the Addins folder of the Microsoft Office folder. Macro viruses that do not place their code in the shared normal.dot template can be classified as non-resident viruses. To infect other files, these macro viruses either use the standard VBA macro commands for working with files and folders, or use the list of files recently edited by the user, which is shown in the “File” menu of Microsoft Word and other Microsoft Office programs.

The Microsoft Excel spreadsheet processor does not use the normal.dot template file, so files from the Startup folder are used to infect other user document files. A special feature of macro viruses that infect Excel spreadsheet files is that they can be written using not only the VBA programming language, but also the macro language of “old” versions of Microsoft Excel, which is also supported in later versions of this spreadsheet processor.

In the Microsoft Access database management system, macros written in a special scripting language that has very limited capabilities are used to automatically gain control when some event occurs (for example, opening a database). But these automatically executed script macros (for example, the AutoExec macro that automatically takes control when you start Microsoft Access) can call full macros written in VBA. Therefore, in order to infect a Microsoft Access database, a virus must create or replace an automatically executed macro script and copy a module with macros containing the main part of the virus code into the infected database.

Combined viruses are known that can infect both Microsoft Access databases and Microsoft Word documents. Such a virus consists of two main parts, each of which infects document files of its own type (.doc or .mdb), but both parts are capable of transferring their code from one Microsoft Office application to the other. When the virus code is transferred from Microsoft Access, an infected additional template file (.dot file) is created in the Startup folder; when it is transferred from Microsoft Word, an infected Access database file is created and passed as a parameter to the Microsoft Access application (msaccess.exe) launched by the virus code.

Antivirus companies report a new trend in the spread of viruses. After the wave of email and script viruses, flash drives connected to a computer via USB have become one of the most popular ways to distribute malware. This became possible because of a weakness of the Windows operating system, which by default automatically processes the autorun.inf file from a removable drive and launches the program it names.

According to some experts, the INF/Autorun feature of Windows can be considered the main security hole in computer systems. Unlike infected programs sent by email, in this case even a competent user is practically unable to prevent infection: it is enough simply to insert an infected device into a USB connector, and the process becomes irreversible. The only prevention is to disable autorun, which is recommended even by security experts from Microsoft itself.
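Because the whole mechanism rests on one small text file, the first thing to do with a suspect removable drive (from a machine on which autorun is already disabled) is to read its autorun.inf and see what it would have launched. The following added example (written for this page, not code from the original text or from any tool) is a minimal parser for the INI-style autorun.inf format that reports the `open`, `shellexecute` and `shell\<verb>\command` entries, i.e. the keys whose value Windows treats as a program to run. Both autorun.inf samples are constructed for the example.

```python
# Keys in the [autorun] section whose value is a program that Windows would launch.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_inf(text):
    """Minimal INI parser for autorun.inf: {section: {lowercased key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return (key, command) pairs that autorun would execute on insertion or via a shell verb."""
    auto = parse_inf(text).get("autorun", {})
    targets = []
    for key, value in auto.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or is_verb) and value:
            targets.append((key, value))
    return targets


def triage_autorun(text):
    """Summarize what the file would run; 'launches_code' is False for icon/label-only files."""
    targets = launch_targets(text)
    programs = sorted({cmd.split()[0].lower() for _, cmd in targets})
    return {"targets": targets, "programs": programs, "launches_code": bool(targets)}


# Constructed sample of the kind of autorun.inf a worm drops on a removable drive.
SUSPICIOUS_INF = """\
[autorun]
; constructed sample, not a real worm's file
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Holiday photos
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
"""

# A benign autorun.inf only sets the drive icon and label (constructed).
BENIGN_INF = """\
[autorun]
icon=setup.ico
label=Vendor Drivers
"""

if __name__ == "__main__":
    print(triage_autorun(SUSPICIOUS_INF))
    print(triage_autorun(BENIGN_INF))
```

Note that the shell verb entries matter even where the `open` key is absent: they hijack the Open and Explore commands in the drive's context menu, so a user who "carefully" right-clicks instead of double-clicking runs the same program. The Microsoft-recommended prevention the text mentions is implemented through the NoDriveTypeAutoRun policy value under the Explorer policies key in the registry.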

You could say that in some ways, the spread of viruses on USB drives is a return to the origins of virus creation, when the Internet did not yet exist. Back then, viruses spread from computer to computer using floppy disks.

A software bookmark is a program, external or internal to the attacked computer system (CS), that has certain destructive functions with respect to that system:

  • spreading through distributed computer systems in order to implement some threat to information security (computer or network worms, which, unlike computer viruses, need not have the property of inserting their code into the bodies of other files);
  • performing various actions not authorized by the user: collecting confidential information and passing it to the violator, destroying or deliberately modifying user information, disrupting the computer, using computer resources for improper purposes (“Trojan” programs or simply “Trojans”);
  • destroying or altering the operation of the CS software, or destroying or altering the data processed in it, once some condition is met or some message is received from outside the CS (“logic bombs”);
  • substituting individual functions of the CS security subsystem or creating “traps” in it to implement threats to information security in the CS (for example, substituting encryption tools by emulating the operation of a hardware encryption board installed in the CS);
  • intercepting CS users' passwords by simulating the password prompt or by intercepting all user keyboard input;
  • intercepting the flow of information transmitted between objects of a distributed CS (monitors);
  • opportunistic programs developed by legitimate manufacturers but containing potentially dangerous functions that an attacker can use.

As a rule, for a network worm to begin its work, the user has to launch a file received by e-mail (or follow a link contained directly in the e-mail message). But there are also worms whose activation requires no human intervention:

  • the worm is contained in the text of the message itself and is launched as soon as the user opens the message (or it is shown in the preview pane of the mail client window); in this case the message body is marked-up text that embeds a script with the worm code;
  • the worm exploits “holes” (gaps, vulnerabilities) in the security mechanisms of operating systems and other programs (for example, email clients).

To induce the user to run a file received by email, criminals use quite sophisticated techniques known as social engineering: for example, an offer to fill in the form attached to the message in order to receive a large cash prize the user has allegedly won, or a message disguised as an official mailing from a well-known software company (note that such companies never send out files without the user's request), etc.

Once launched, the worm can send its code by email using the “address book” of the email program, after which the computers of the infected user's correspondents are infected as well.

The main difference between network worms and classical viruses is precisely the ability to self-propagate across the network, as well as the absence of the need to infect other local objects on the infected computer.

To spread, network worms use a variety of computer and mobile networks: email, instant messaging systems, file-sharing (P2P) and IRC networks, local area networks (LAN), data exchange networks between mobile devices (phones, PDAs), etc.

Most known worms are distributed in the form of files: an attachment to an email, a link to an infected file on some Web or FTP site in ICQ and IRC messages, a file in a P2P exchange directory, etc. Some worms (the so-called “fileless” or “packet” worms) spread in the form of network packets, penetrating directly into the computer's memory and activating their code there.

Some worms also have properties of other types of malware. For example, some worms contain functions for collecting and transmitting to the intruder confidential information of the user of the infected computer or are capable of infecting executable files on the local disk of the infected computer, i.e., they have the properties of a Trojan program and (or) a computer virus.

Fig. 4.1 shows the distribution of computer viruses (virus) and the various categories of network worms (worm) in 2008 (according to Kaspersky Lab).

Fig. 4.1.

Certain categories of Trojan programs cause damage to remote computers and networks without harming the infected computer (for example, Trojan programs designed for massive DDoS attacks on remote network resources).

Unlike worms and viruses, Trojans do not damage other files and do not have their own means of spreading. These are simply programs that perform actions harmful to the user of an infected computer, for example, intercepting a password for accessing the Internet.

Currently, within the class of Trojan programs, Kaspersky Lab experts identify three main groups of behaviors:

  • Backdoor (giving an attacker the ability to administer an infected computer remotely), Trojan-Downloader (delivering other malicious programs to the user's computer), Trojan-PSW (password interception) and Trojan (other Trojan programs): the most common Trojan programs;
  • Trojan-Spy (spyware), Trojan-Dropper (installers for other malicious programs);
  • Trojan-Proxy (“Trojan” proxy servers), Trojan-Clicker (Internet clickers), Rootkit (hiding their presence in a computer system), Trojan-DDoS (programs for participating in distributed denial of service attacks), Trojan-SMS (“mobile Trojans”, the most pressing threat to mobile devices).

Some programs have a set of functions that can harm the user only if a number of conditions are met. Moreover, such programs can be legally sold and used in everyday work, for example, by system administrators. However, in the hands of an intruder, such programs can turn into a tool that can be used to cause harm to the user. Kaspersky Lab specialists classify such programs into a separate group of conditionally dangerous programs (they cannot be unambiguously classified as either dangerous or safe).

This type of program is detected by anti-virus programs only optionally, if the user deliberately selects the extended set of anti-virus databases. If the programs found with the extended databases are known to the user and he is 100% sure that they will not harm his data (for example, the user himself purchased the program, is familiar with its functions and uses them for legal purposes), then the user can either stop using the extended anti-virus databases or add such programs to the list of “exceptions” (programs that will no longer be detected).

Potentially dangerous programs include programs of the classes RiskWare (legally distributed potentially dangerous programs), PornWare (programs for displaying pornographic material) and AdWare (advertising software).

The RiskWare class of programs includes legal programs (some of them are freely sold and widely used for legal purposes), which, nevertheless, in the hands of an intruder, can cause harm to the user and his data. In such programs you can find legal remote administration utilities, IRC client programs, auto-dialer programs (“dialers”), download programs (“downloaders”), monitors of any activity (monitor), utilities for working with passwords, as well as numerous Internet servers for FTP, Web, Proxy and Telnet services.

None of these programs is malicious in itself, but they do have capabilities that attackers can exploit to harm users. For example, a remote administration program gives access to the interface of a remote computer and can be used to manage and monitor the remote machine. Such a program may be completely legal, freely distributed and necessary in the work of system administrators or other technical specialists. In the hands of violators, however, it can harm the user and his data by giving full remote access to someone else's computer.

As another example, consider a utility that is a client of an IRC network: the advanced functionality of such a utility can be taken advantage of by violators and the Trojan programs they distribute (in particular, Backdoor), which use the functions of such a client in their work. Thus, a Trojan program is capable of adding its own scripts to the IRC client configuration file without the user’s knowledge and successfully performing its destructive functions on the infected machine. In this case, the user will not even suspect that a malicious Trojan program is operating on his computer.

Often, malicious programs independently install an IRC client on the user’s computer for subsequent use for their own purposes. In this case, the location is usually the Windows folder and its subfolders. Finding an IRC client in these folders almost certainly indicates that the computer has been infected with some kind of malware.

Advertising software (Adware, Advware, Spyware, Browser Hijackers) is designed to display advertising messages (most often graphic banners) and redirect search queries to advertising Web pages. Apart from displaying advertisements, such programs as a rule do not reveal their presence in the system in any way, and Adware programs typically have no uninstallation procedure. Adware reaches the user's computer in two ways:

  • by embedding advertising components into free and shareware software (freeware, shareware);
  • by unauthorized installation of advertising components when the user visits “infected” Web pages.

Most programs in the freeware and shareware categories stop displaying advertisements after they are purchased and/or registered. Such programs often use built-in Adware utilities from third-party manufacturers. In some cases, these Adware utilities remain installed on the user’s computer even after registering the programs with which they originally entered the user’s system. At the same time, removing the Adware component that is still used by any program to display advertising may lead to malfunctions of this program.

The basic purpose of this type of Adware is an implicit form of payment for software, carried out by showing advertising information to the user (advertisers pay the advertising agency for displaying their advertising, and the advertising agency pays the Adware developer). Adware helps reduce costs both for software developers (income from Adware encourages them to write new and improve existing programs) and for users themselves.

In the case of installation of advertising components when a user visits “infected” Web pages, in most cases hacker technologies are used (penetration into the computer through a gap in the security system of the Internet browser, as well as the use of “Trojan” programs designed for hidden installation of software). Adware programs that act in this way are often called “Browser Hijackers.”

In addition to delivering advertisements, many advertising programs also collect confidential information about the computer and the user (IP address, OS and Internet browser version, list of the most frequently used Internet resources, search queries and other information that can be used for advertising purposes).

For this reason, Adware programs are often also called Spyware (adware in the Spyware category should not be confused with Trojan-Spy spyware). Programs in the Adware category cause harm associated not only with the loss of time and distraction of the user from work, but also with the very real threat of leaking confidential data.

The distribution of RiskWare and PornWare programs by behavior can be presented as a pie chart (Fig. 4.2, according to Kaspersky Lab).

AdTool are various advertising modules that cannot be classified as AdWare, since they have the necessary legal attributes: they are equipped with a license agreement, demonstrate their presence on the computer and inform the user about their actions.


Fig. 4.2.

Porn-Dialers independently (without notifying the user) make telephone connections to premium numbers, which often leads to litigation between subscribers and their telephone companies.

Programs in the Monitor category include legal “key loggers” (programs for tracking keystrokes), which are officially produced and sold, but if they have the function of hiding their presence in the system, such programs can be used as full-fledged spyware Trojans.

Programs in the PSW-Tool category are designed to recover forgotten passwords, but can easily be used by criminals to extract these passwords from the computer memory of an unsuspecting victim. Programs in the Downloader category can be used by criminals to download malicious content onto a victim computer.

Other malware includes a variety of programs that do not directly pose a threat to the computer on which they are executed, but are designed to create other malicious programs, organize DDoS attacks on remote servers, hack other computers, etc.

Such programs include virus hoaxers (Hoax) and false anti-virus programs (FraudTool), “hacker” programs for “hacking” remote computers (Exploit, HackTool), constructors and packagers of malicious programs (Constructor, VirTool, Packed), programs for sending spam and “clogging” attacks (SpamTool, IM-Flooder, Flooder), programs for misleading the user (BadJoke).

The main type of FraudTool is the so-called rogue antivirus: programs that pretend to be full-fledged antivirus tools. Once installed on a computer, they always “find” some virus, even on an absolutely “clean” system, and offer to sell their paid version for “treatment”. In addition to deceiving users directly, these programs also contain AdWare functionality. In effect, this is a real scam that plays on users' fear of malware.

Hacker utilities of the Exploit and HackTool categories are designed to penetrate remote computers for the purpose of further controlling them (using backdoor Trojan programs) or to introduce other malicious programs into the hacked system. Hacker utilities such as “exploit” exploit vulnerabilities in operating systems or applications installed on the attacked computer.

Virus and Trojan constructors are utilities designed to create new computer viruses and Trojan horses. Virus constructors for DOS, Windows and macro viruses are known. They allow the user to generate virus source code, object modules and (or) directly infected files.

Some constructors are equipped with a standard graphical interface, where, using a menu system, you can select the type of virus, objects to be affected, the presence or absence of encryption, resistance to the debugger, internal text strings, as well as effects accompanying the operation of the virus, etc. Other constructors do not have an interface and read information about the type of virus being created from their configuration file.

Utilities of the Nuker category send specially designed requests to attacked computers on the network, as a result of which the attacked system stops working. These programs exploit vulnerabilities in the software of network services and operating systems, as a result of which a special type of network request causes a critical error in the attacked application.

Programs in the Bad-Joke and Hoax categories are programs that cause no direct harm to the computer but display messages claiming that such harm has already been caused, or will be caused under certain conditions, or warn the user about a non-existent danger. “Evil jokes” include, for example, programs that show the user messages about formatting the hard drive (although no formatting actually takes place), report viruses in uninfected files, display strange virus-like messages, etc.

Polymorphic generators are not viruses in the literal sense of the word, since their algorithm does not include reproduction functions. The main function of this kind of program is to encrypt the body of the virus and generate a corresponding decryptor.

Typically, polymorphic generators are distributed by their authors without restrictions in the form of an archive file. The main file in the archive of any generator is the object module containing this generator.

The evolution of malware from single modules to complex, interacting projects began at the start of this century. This new model of malware operation should not only become the standard for a mass of new malicious projects but also develop further.

The main features of this model are the following:

  • lack of a single control center for a network of infected computers;
  • active counteraction to attempts by third-party research and interception of control;
  • simultaneous mass and short-term distribution of malicious code;
  • competent use of social engineering tools;
  • using different distribution methods and phasing out the most visible ones (email);
  • using different modules to implement different functions (rather than one universal one).

By analogy with the well-known term Web 2.0, the new generation of malware can be called MalWare 2.0.

The technique of hiding presence in a system (rootkits) will be used not only in Trojan programs but also in file viruses. Thus there will be a return to the times of the MS-DOS operating system, when resident stealth viruses existed. This is a logical development of the methods for counteracting antivirus programs: malicious programs now tend to “survive” on the system even after being detected.

Another dangerous way of hiding a program's presence on a computer is the technique of infecting the boot sector of a disk, the so-called “bootkits”. This is another return of an old technique, which allows the malicious program to gain control before the main part of the operating system (and the antivirus programs) loads. Bootkits are rootkits that load from the boot sectors of some device. Their danger lies in the fact that the malicious code gains control before the OS, and therefore before the antivirus program, starts.

One of the most striking examples of bootkit technology is vbootkit. A simplified sequence of its actions looks like this. After the computer is switched on and the BIOS routines have run, the vbootkit code (from a CD or another device) is activated. The boot program from the MBR and the Windows Vista boot loader are then executed, after which control is transferred to the kernel of that operating system.

Once vbootkit gains control, it hooks BIOS interrupt 13h and then searches for Windows Vista signatures. Once they are found, it begins modifying Windows Vista while hiding itself (placing its code in small pieces in different areas of RAM). These modifications include bypassing security measures such as digital signature checks and hash checks, and performing certain actions to retain control of the system during both the first and the second phase of the boot process.

The second stage consists of extending the operating system kernel so that vbootkit retains control of it until the next reboot. As a result the user ends up with vbootkit loaded into the Windows Vista kernel.

Bootkits store in the boot sector only the minimum code necessary to start the main code. The main code is stored in other sectors, whose contents the bootkit hides by intercepting the BIOS sector-read interrupt.
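Since the bootkit's hook on the sector-read interrupt lies to the running operating system, the defensive check for a modified boot sector has to be made from a trusted boot medium (or against a copy of the sector taken while the machine was known clean). The following added example (written for this page, not code from the original text or from any tool) shows what such a check looks like: it parses a 512-byte MBR into its bootstrap code, partition table and boot signature, records a SHA-256 baseline of the bootstrap code, and later reports whether the code or the table has changed. The MBRs are constructed in memory by `build_mbr`, a helper written here for the example; the field layout is the standard MBR layout.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the bootstrap code
PART_ENTRY = "<BBBBBBBBII"  # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count


def build_mbr(bootcode, partitions):
    """Construct a 512-byte MBR (sample data for this example).

    partitions: list of (status, type, lba_start, sector_count), at most four entries."""
    if len(bootcode) > BOOTCODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition table too large")
    table = b"".join(struct.pack(PART_ENTRY, st, 0, 0, 0, pt, 0, 0, 0, start, count)
                     for st, pt, start, count in partitions).ljust(64, b"\0")
    return bootcode.ljust(BOOTCODE_LEN, b"\0") + table + b"\x55\xAA"


def parse_mbr(sector):
    """Split an MBR into a bootstrap-code hash, the used partition entries and the signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        st, _, _, _, pt, _, _, _, start, count = struct.unpack_from(PART_ENTRY, sector, BOOTCODE_LEN + 16 * i)
        if pt != 0:  # partition type 0 marks an unused slot
            partitions.append({"active": st == 0x80, "type": pt, "start": start, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:] == b"\x55\xAA",
        # Sectors between the MBR and the first partition are unallocated; a bootkit commonly parks
        # its main code there, so a complete baseline should hash this gap as well.
        "gap_sectors": (min(p["start"] for p in partitions) - 1) if partitions else 0,
    }


def verify_mbr(sector, baseline_sha256):
    """Compare a freshly read MBR against the baseline hash recorded in a known-good state."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootcode_sha256"] != baseline_sha256:
        findings.append("boot code differs from the recorded baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions marked active (expected 1)")
    return findings


# Constructed samples: a clean MBR, its baseline, and the same disk with replaced bootstrap code.
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)]
CLEAN_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0" + b"CONSTRUCTED SAMPLE BOOT CODE", PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]  # recorded while the system is known clean
TAMPERED_MBR = build_mbr(b"\xEB\x3C\x90" + b"CONSTRUCTED PATCHED LOADER", PARTITIONS)

if __name__ == "__main__":
    print("clean:", verify_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", verify_mbr(TAMPERED_MBR, BASELINE) or "no findings")
```

On a real system the sector would be read from the raw disk device while booted from trusted media; reading it through the infected OS returns whatever the bootkit's interrupt hook chooses to show, which is the whole point of the text above.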

Users of social networks may become the main target of so-called phishing. The credentials of subscribers to various network services will be in high demand among violators, and this will become an important alternative to placing malware on hacked Web sites: Trojan programs can be distributed precisely through the accounts of social network users, through their blogs and profiles.

Another problem related to social networks is XSS, PHP and SQL attacks. Unlike phishing, which relies solely on deception and social engineering, these attacks exploit bugs and vulnerabilities in the Web 2.0 services themselves and can affect even highly competent users. Here the violators' target is users' personal data, which they need to build databases and lists for subsequent attacks by “traditional” methods.

The main factors ensuring the simultaneous interest of users and hackers in Web 2.0 services are:

  • transfer of user data from a personal computer to the Internet;
  • using one account for several different services;
  • availability of detailed information about users;
  • availability of information about connections, contacts and acquaintances of users;
  • providing a place for publication of any information;
  • trusting relationships between contacts.

This problem is already quite serious and, according to experts, has every chance of becoming a major information security problem.

As for mobile devices, and primarily mobile phones, threats to them are distributed between primitive Trojan programs and various vulnerabilities in operating systems and applications for smartphones.

In accordance with the methods of introducing software bookmarks into the CS and possible locations for their placement in the system, bookmarks can be divided into the following groups:

  • software bookmarks associated with BIOS;
  • bookmarks associated with the boot sector and the operating system's boot programs;
  • bookmarks associated with operating system drivers and other system modules;
  • bookmarks associated with general-purpose application software (for example, archivers);
  • program files containing only the bookmark code and implemented as batch files;
  • bookmarks masquerading as general-purpose application software;
  • bookmarks disguised as gaming and educational software (to facilitate their initial implementation in the computer system).

The word “bot” is short for “robot”. A bot is a piece of code that performs some function for its owner, the author of that code. Bots are a type of malware installed on thousands of computers. A computer on which a bot is installed is called a zombie. The bot receives commands from its owner and makes the infected computer execute them; such commands may be sending spam, sending viruses or carrying out attacks. The attacker prefers to perform such actions through bots rather than from his own computer, since this allows him to avoid detection and identification.

A set of zombie computers compromised by an attacker, on which bots are installed, is called a botnet. To create a botnet, hackers break into thousands of systems, delivering malicious code in a variety of ways: as attachments to email messages, through compromised websites, by sending links to malicious sites in email messages, etc. If successfully installed on the user's computer, the malicious code reports to the attacker that the system has been hacked and is now available to him to use at will. For example, he can use the created botnet to carry out powerful attacks or rent it out to spammers. Moreover, most of the computers included in a botnet are home computers of unsuspecting users.

The owner of this botnet controls the systems included in it remotely, usually through the IRC (Internet Relay Chat) protocol.

The basic steps for creating and using botnets are given below:

  1. The hacker uses various methods to send potential victims malicious code that contains bot software.
  2. After successful installation on the victim's system, the bot establishes contact with the botnet's control server, contacting it via IRC or a special web server, in accordance with what is specified in its code. After this, the control server takes over control of the new bot.
  3. The spammer pays the hacker for using the systems of his botnet, the hacker sends the appropriate commands to the control server, and the control server, in turn, instructs all infected systems included in the botnet to send spam.
Spammers use this method because it significantly increases the likelihood of their messages reaching recipients, bypassing their installed spam filters, since such messages will be sent not from one address, which would quickly be blocked or added to all “black lists”, but from many real addresses belonging to the owners of hacked computers.

To create a botnet, its future owner either does everything himself or pays hackers to develop and distribute malware to infect systems that will become part of his botnet. The owner of the botnet is then contacted and paid by those who want to advertise their new products, as well as those who need to attack competitors, steal personal data or user passwords, and many others.

Traditional antivirus software uses signatures to detect malicious code. Signatures are fingerprints of malicious code created by the antivirus software manufacturer; a signature consists of code fragments extracted from the virus itself. An antivirus program scans files, emails, and other data passing through a computer and compares them with its database of virus signatures. When a match is detected, the antivirus program performs a pre-configured action, which may be sending the infected file to quarantine, attempting to “cure” the file (remove the virus), displaying a warning window for the user, and/or recording the event in a log.

Signature-based detection of malicious code is an effective way to detect malware, but there are certain delays in responding to new threats. After a virus is first discovered, the antivirus manufacturer must study the virus, develop and test new signatures, release an update to the signature database, and all users must download the update. If the malicious code is simply sending your photos to all your friends, this delay is not so critical. However, if the malware is similar to the Slammer worm, the damage from such a delay could be catastrophic.

NOTE. The Slammer worm appeared in 2003. It exploited a vulnerability in the Microsoft SQL Server 2000 DBMS that allowed it to cause a denial of service. By some estimates, Slammer caused more than $1 billion in damage.
With new malware being created daily, it is difficult for antivirus software manufacturers to keep up. Virus signature technology allows you to detect viruses that have already been identified and for which a signature has been created. But because virus writers are so prolific and many viruses can change their code, it is important that antivirus software have other mechanisms to detect malicious code.

Another method that almost all antivirus software products use is to detect malicious code based on heuristic analysis (heuristic detection). This method analyzes the overall structure of the malicious code, evaluates the instructions and algorithms executed by the code, and studies the types of data used by the malicious program. Thus, it collects a large amount of information about a piece of code and evaluates the likelihood that it is malicious in nature. It uses a kind of “suspiciousness counter”, which increases as the antivirus program finds new potentially dangerous (suspicious) properties in it. When a predetermined threshold is reached, the code is considered dangerous and the antivirus program initiates appropriate defense mechanisms. This allows antivirus software to recognize unknown malware instead of just relying on signatures.
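The signature comparison and the “suspiciousness counter” described above, as an added example that is not code from the original text: the signature fragments, heuristic features and weights are invented for the demo, and a high-entropy body stands in for the packed or encrypted code that plain signature matching misses.

```python
"""Signature matching plus a heuristic 'suspiciousness counter' over a byte blob.

Added example, not from the original text. Signature fragments, heuristic features
and weights are all invented for the demo; real scanners use far larger databases
and emulation rather than plain substring search.
"""
import math

# Constructed signature database: detection name -> byte fragment "extracted" from a
# fictional known sample. These are not real malware signatures.
SIGNATURES = {
    "Demo.Worm.A": b"\x90\x90\xeb\x1f\x5e\x89\x76\x08\x31\xc0",
    "Demo.Trojan.B": b"SEND_TO_ALL_CONTACTS",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means packed or encrypted, plain text is roughly 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Heuristic features: (reason, weight, predicate). Weights are assumptions.
HEURISTICS = [
    ("high entropy: body looks packed or encrypted", 3,
     lambda d: shannon_entropy(d) > 7.0),
    ("references an autorun registry key", 3,
     lambda d: b"CurrentVersion\\Run" in d),
    ("touches the mail address book", 2,
     lambda d: b"AddressBook" in d or b".wab" in d),
    ("writes to the raw boot device", 4,
     lambda d: b"\\\\.\\PhysicalDrive0" in d),
    ("embeds VBScript", 1, lambda d: b"VBScript" in d),
]
THRESHOLD = 5  # counter value at which the code is declared dangerous


def signature_scan(data: bytes) -> list:
    """Return the names of every signature whose fragment occurs in the data."""
    return [name for name, frag in SIGNATURES.items() if frag in data]


def heuristic_scan(data: bytes) -> tuple:
    """Return (counter, reasons): the counter grows with each matched feature."""
    counter, reasons = 0, []
    for reason, weight, matches in HEURISTICS:
        if matches(data):
            counter += weight
            reasons.append(reason)
    return counter, reasons


def scan(data: bytes) -> dict:
    """Run both methods and map the result to a pre-configured action."""
    hits = signature_scan(data)
    if hits:
        return {"verdict": "infected", "names": hits, "action": "quarantine"}
    counter, reasons = heuristic_scan(data)
    if counter >= THRESHOLD:
        return {"verdict": "suspicious", "score": counter,
                "reasons": reasons, "action": "quarantine"}
    return {"verdict": "clean", "score": counter, "action": "none"}


# Constructed samples. KNOWN carries a database fragment; UNKNOWN_PACKED matches no
# signature but has a uniform byte distribution (entropy ~8) and an autorun key.
KNOWN = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURES["Demo.Trojan.B"] + b"\x00" * 8
UNKNOWN_PACKED = (bytes(range(256)) * 4
                  + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run")
CLEAN = b"Dear colleague, the quarterly report is attached. Regards, Anna."

if __name__ == "__main__":
    for label, blob in (("known", KNOWN), ("packed", UNKNOWN_PACKED), ("clean", CLEAN)):
        print(label, scan(blob))
```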

Consider the following analogy. Ivan is a cop; his job is to catch the bad guys and lock them up. If Ivan uses the signature method, he compares every person he sees on the street against a stack of photographs. When he sees a match, he quickly catches the bad guy and puts him in his patrol car. If he uses a heuristic method, he watches for suspicious activities. For example, if he sees a man in a ski mask standing in front of a bank, he assesses the likelihood that he is a robber and not just a cold guy asking bank customers for change.

NOTE. Diskless workstations are also vulnerable to viruses, despite the lack of a hard drive and a full-fledged operating system. They may be infected with viruses that are downloaded and live in memory. Such systems can be rebooted remotely (remote reboot) to clear memory and return it to its original state, so a virus lives only briefly in such a system.
Some antivirus products create an artificial environment, called a virtual machine or sandbox, and allow some of the suspicious code to run in this protected environment. This gives the antivirus program the ability to see the code in action, which provides much more information for deciding whether it is malicious or not.
NOTE. A virtual machine or sandbox is sometimes called an emulation buffer. It is essentially a protected memory segment, so even if the code does turn out to be malicious, the system still remains safe.
Analyzing information about a piece of code is called static analysis; running the piece of code in a virtual machine is called dynamic analysis. Both of these methods are considered heuristic detection methods.
Vaccination. Another approach that some antivirus programs have used is called vaccination (immunization). Products with this functionality made changes to files and disk areas to make them appear as if they were already infected. In this case, the virus may decide that the file (disk) is already infected and will not make any additional changes, moving on to the next file.
A vaccination program, as a rule, is aimed at a specific virus, since each virus checks for infection differently and looks for different data (signatures) in the file (on disk). However, the number of viruses and other malicious software is constantly growing, and so is the number of files that need to be protected, so this approach is currently not practical in most cases, and antivirus manufacturers no longer use it.
Currently, even with all these sophisticated and effective approaches, there is no absolute guarantee of the effectiveness of antivirus tools, since virus writers are very cunning. It is a constant game of cat and mouse that goes on every day: the antivirus industry finds a new way to detect malware, and the next week virus writers find a way around this new method. This forces antivirus manufacturers to constantly increase the intelligence of their products, and users have to buy new versions of them every year.

The next stage in the evolution of antivirus software is called behavioral blockers (behavior blocking). Antivirus software that performs behavioral blocking essentially allows suspicious code to run on the unprotected operating system and monitors its interaction with the operating system, watching for suspicious activity. Specifically, the antivirus software monitors the following types of activity:

  • Writing to files that are automatically loaded at system startup or to startup sections in the system registry
  • Opening, deleting or changing files
  • Including scripts in emails to send executable code
  • Connecting to network resources or shared folders
  • Changing the logic of executable code
  • Creating or modifying macros and scripts
  • Formatting the hard drive or writing to the boot sector
If an antivirus program detects some of these potentially dangerous activities, it can force the program to terminate and notify the user. The new generation of behavioral blockers actually analyzes the sequence of such actions before deciding that the system is infected (the first generation of behavioral blockers triggered on individual actions, which led to a large number of false positives). Modern antivirus software can intercept the execution of dangerous pieces of code and prevent them from interacting with other running processes. They can also detect . Some of these antivirus programs allow you to “roll back” the system to the state it was in before the infection, “erasing” all changes made by the malicious code.
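The two generations of behavioral blocking contrasted above, as an added example that is not part of the original text: the activity log, the action names, the category mapping and the “dangerous chain” rule are assumptions made for the demo.

```python
"""First- versus second-generation behavioural blocking over a process-activity log.

Added example, not from the original text. The log format, action names, category
mapping and the "dangerous chain" rule are assumptions for the demo.
"""
import re
from collections import defaultdict

# Constructed activity log: one intercepted operation per line. 198.51.100.0/24 is a
# documentation address range; 6667 is the classic IRC port used for bot control.
LOG = """\
t=1 pid=410 proc=setup.exe action=file_write target=C:\\Program Files\\App\\app.exe
t=2 pid=410 proc=setup.exe action=reg_write target=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App
t=3 pid=777 proc=photo.scr action=file_modify target=C:\\Windows\\explorer.exe
t=4 pid=777 proc=photo.scr action=reg_write target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\photo
t=5 pid=777 proc=photo.scr action=net_connect target=198.51.100.7:6667
t=6 pid=900 proc=winword.exe action=file_write target=C:\\Users\\anna\\report.docx
"""
LINE_RE = re.compile(r"t=(\d+) pid=(\d+) proc=(\S+) action=(\S+) target=(.+)")

# Operations that change persistent state and are journaled so they can be rolled back.
MUTATING = {"file_write", "file_modify", "file_delete", "reg_write", "raw_write"}
# A process that tampers with an executable, installs an autorun entry and then phones
# home is treated as infected; the order matters (a sequence, not a bag of events).
DANGEROUS_CHAIN = ("exe_modify", "autorun_write", "net_connect")


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, pid, proc, action, target = m.groups()
            events.append({"t": int(t), "pid": int(pid), "proc": proc,
                           "action": action, "target": target})
    return events


def classify(ev: dict):
    """Map one operation onto a suspicious activity type from the list above, or None."""
    action, target = ev["action"], ev["target"].lower()
    if action == "reg_write" and "currentversion\\run" in target:
        return "autorun_write"
    if action.startswith("file_") and "\\startup\\" in target:
        return "autorun_write"
    if action.startswith("file_") and target.endswith((".exe", ".dll", ".sys")):
        return "exe_modify"
    if action.startswith("file_") and target.endswith((".vbs", ".js", ".bas")):
        return "script_create"
    if action == "net_connect":
        return "net_connect"
    if action == "raw_write" and "physicaldrive" in target:
        return "boot_sector_write"
    return None


def first_generation(events: list) -> list:
    """Alert on every single suspicious operation: the legitimate installer is flagged too."""
    alerts = []
    for ev in events:
        cat = classify(ev)
        if cat:
            alerts.append({"pid": ev["pid"], "proc": ev["proc"], "category": cat})
    return alerts


def is_subsequence(chain, seq) -> bool:
    it = iter(seq)
    return all(step in it for step in chain)


def second_generation(events: list, chain=DANGEROUS_CHAIN) -> list:
    """Alert only when a process's history contains the whole chain; include an undo plan."""
    history, journal, flagged, alerts = defaultdict(list), defaultdict(list), set(), []
    for ev in events:
        pid = ev["pid"]
        if ev["action"] in MUTATING:
            journal[pid].append((ev["action"], ev["target"]))
        cat = classify(ev)
        if cat:
            history[pid].append(cat)
        if pid not in flagged and is_subsequence(chain, history[pid]):
            flagged.add(pid)
            alerts.append({"pid": pid, "proc": ev["proc"], "chain": list(chain),
                           "action": "terminate",
                           "rollback": list(reversed(journal[pid]))})
    return alerts


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("gen 1:", first_generation(evs))
    print("gen 2:", second_generation(evs))
```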

It would seem that behavioral blockers could completely solve all the problems associated with malicious code, but they have one drawback: the malicious code must be monitored in real time, otherwise the system may still be infected. In addition, constant monitoring requires a large amount of system resources...

NOTE. Heuristic analysis and behavior-based blocking are considered proactive techniques and can detect new malware, sometimes called zero-day attacks. Signature-based malware detection cannot detect new malware.
Most antivirus programs use a combination of all of these technologies to provide the best protection possible. Selected anti-malware solutions are shown in Figure 9-20.

Figure 9-20. Antivirus software makers use different methods to detect malicious code



We are all very tired of emails asking us to buy something we don't need. Such letters are called spam: unwanted email messages. Not only does spam distract recipients from their tasks, it consumes significant network bandwidth and can also be a source of malware. Many companies use spam filters on their email servers, and users can configure spam filtering rules in their email clients. But spammers, like virus writers, are constantly coming up with new and ingenious ways to bypass spam filters.

Effective spam detection has become a real science. One of the methods used is called Bayesian filtering. Many years ago, the mathematician Thomas Bayes developed an effective way to predict the probability of an event using mathematics. Bayes' theorem allows us to determine the probability that an event occurred when only indirect evidence (data) is available, which may be inaccurate. Conceptually, this is not that difficult to understand. If you hit your head against a brick wall three times and fell each time, you can conclude that further attempts will lead to the same painful results. It becomes more interesting when this logic is applied to situations with many more variables. For example, how does a spam filter block letters offering you Viagra, yet not prevent the delivery of mail from your friend who is very interested in this drug and writes you messages about its properties and effects on the body? The Bayesian filter applies statistical modeling to the words that make up email messages. Mathematical formulas are applied to these words to understand their relationship to each other. The Bayesian filter performs frequency analysis on each word and then evaluates the message as a whole to determine whether it is spam or not.

This filter doesn't just look for the words "Viagra," "sex," etc., it looks at how often those words are used and in what order to determine whether a message is spam. Unfortunately, spammers know how these filters work and manipulate words in the subject line and body of the message to try to fool the spam filter. This is why you may receive spam messages with misspellings or words that use symbols instead of letters. Spammers are very interested in you receiving their messages because they make a lot of money from it.
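A Bayesian filter of the kind described above, as an added example that is not code from the original text: the training messages are constructed, and the look-alike substitution map that undoes “v1agra”-style misspellings is an assumption.

```python
"""A small Bayesian spam filter of the kind described above.

Added example, not from the original text. The training messages are constructed and
the look-alike map used to undo "v1agra"-style obfuscation is an assumption; a real
filter learns from many thousands of labelled messages.
"""
import math
import re
from collections import Counter

# Spammers swap letters for look-alike digits and symbols to dodge word matching.
# Undoing the common swaps before tokenising makes "V1AGRA" count as "viagra".
# (Side effect: genuine digits become letters; acceptable for this demo.)
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i"})
WORD_RE = re.compile(r"[a-z]+")


def tokenize(text: str) -> list:
    return WORD_RE.findall(text.lower().translate(LOOKALIKES))


class BayesFilter:
    """Multinomial naive Bayes over word frequencies with Laplace (add-one) smoothing."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.total_words = {"spam": 0, "ham": 0}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, text: str, label: str) -> None:
        words = tokenize(text)
        self.word_counts[label].update(words)
        self.total_words[label] += len(words)
        self.doc_counts[label] += 1

    def _log_likelihood(self, words: list, label: str) -> float:
        # Smoothing: every vocabulary word gets one phantom occurrence per class, so a
        # word never seen in spam (e.g. "lunch") does not zero out the whole product.
        vocab = len(set(self.word_counts["spam"]) | set(self.word_counts["ham"]))
        denom = self.total_words[label] + vocab
        return sum(math.log((self.word_counts[label][w] + 1) / denom) for w in words)

    def spam_log_odds(self, text: str) -> float:
        """log P(spam | msg) - log P(ham | msg); positive means spam."""
        words = tokenize(text)
        prior = math.log(self.doc_counts["spam"]) - math.log(self.doc_counts["ham"])
        return (prior + self._log_likelihood(words, "spam")
                - self._log_likelihood(words, "ham"))

    def classify(self, text: str) -> str:
        return "spam" if self.spam_log_odds(text) > 0 else "ham"


# Constructed training corpus: sales pitches versus a friend's mail that mentions the
# same drug in a medical context. Word frequencies, not one word's presence, decide.
SPAM = [
    "buy viagra now cheap pills click here",
    "cheap viagra pills buy now limited offer",
    "click here to buy cheap pills now",
    "limited offer click now buy",
]
HAM = [
    "hi, i read an article about viagra and its effect on blood pressure",
    "the article explains the effects of the drug on the body",
    "did you read about the side effects on the body of this drug",
    "see you at lunch, i will bring the article",
]


def trained_filter() -> BayesFilter:
    f = BayesFilter()
    for m in SPAM:
        f.train(m, "spam")
    for m in HAM:
        f.train(m, "ham")
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("BUY V1AGRA N0W cheap p1lls",
                "i read about viagra and its effects on the body"):
        print(f"{f.classify(msg):4s} {f.spam_log_odds(msg):+.2f}  {msg}")
```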

Protecting companies from a wide variety of malware requires more than just antivirus software. As with other components, certain additional administrative, physical, and technical safeguards are required to be implemented and maintained.

The company must have a separate anti-virus policy, or anti-virus protection issues must be taken into account in the general security policy. Standards must be developed that define the types of anti-virus and anti-spyware software required for use in the company, as well as the main parameters of their configuration.

Information about virus attacks, the anti-virus protection tools used, and the behavior expected from users should be provided in the program. Every user should know what to do and where to turn if a virus is detected on their computer. The standard must address all issues related to user actions associated with malicious code, and must indicate what the user must do and what he is prohibited from doing. In particular, the standard should address the following points:

  • Anti-virus software must be installed on every workstation, server, communicator, and smartphone.
  • Each of these devices must have a way to automatically update antivirus signatures, which must be enabled and configured on each device.
  • The user should not be able to disable antivirus software.
  • The virus removal process must be developed and planned in advance, and a contact person must be identified and appointed in case malicious code is detected.
  • All external drives (USB drives, etc.) should be scanned automatically.
  • Backup files should be scanned.
  • Antivirus policies and procedures should be reviewed annually.
  • The antivirus software you use must provide protection against boot viruses.
  • Antivirus scanning must be performed independently on the gateway and on each individual device.
  • Anti-virus scanning should run automatically on a schedule. You don't have to rely on users to run scans manually.
  • Critical systems must be physically protected in such a way that local installation of malicious software on them is impossible.
Because malware can cause millions of dollars in damage (in operational costs, lost productivity), many companies install antivirus solutions at all network entry points. An anti-virus scanner can be integrated into the mail server software, or . This anti-virus scanner checks all incoming traffic for the presence of malicious code in order to detect and stop it in advance, even before it reaches the internal network. Products that implement this functionality can scan traffic from SMTP, HTTP, FTP, and possibly other protocols. But it is important to understand that such a product monitors only one or two protocols, and not all incoming traffic. This is one of the reasons why every server and workstation should also have antivirus software installed.

Since the goal of computer attackers is to inject malicious code into victim computers, to do this they need to not only force the user to run an infected file or penetrate the system through some vulnerability, but also sneak past the installed anti-virus filter. Therefore, it is not surprising that attackers deliberately target antivirus programs. The techniques they use are very diverse, but the most common are the following:

Packaging and encryption of code. A significant portion (if not most) of modern computer worms and Trojan horses are packaged or encrypted in one way or another. Moreover, the computer underground creates packaging and encryption utilities specifically designed for this purpose. For example, absolutely all files found on the Internet that were processed by the utilities CryptExe, Exeref, PolyCrypt and some others turned out to be malicious.

To detect such worms and Trojans, antivirus programs have to either add new unpacking and decryption methods, or add signatures to each sample of malware, which reduces the quality of detection, since not always all possible samples of modified code end up in the hands of the antivirus company.

Code mutation. Diluting the Trojan code with “junk” instructions. As a result, the functionality of the Trojan program is preserved, but its “appearance” changes significantly. Periodically, there are cases when code mutation occurs in real time - every time a Trojan program is downloaded from an infected website. That is, all or a significant part of the Trojan samples that reach computers from such a site are different. An example of the use of this technology is the Warezov email worm, several versions of which caused significant epidemics in the second half of 2006.

Hiding your presence. The so-called “rootkit technologies”, usually used in Trojan programs. System functions are intercepted and replaced, thanks to which the infected file is not visible either by standard operating system tools or by anti-virus programs. Sometimes the registry branches in which a copy of the Trojan is registered, and other system areas of the computer, are also hidden. These technologies are actively used, for example, by the HacDef backdoor Trojan.

Stopping the antivirus and the system for receiving antivirus database updates. Many Trojans and network worms take special actions against anti-virus programs - they look for them in the list of active applications and try to stop their work, corrupt anti-virus databases, block receiving updates, etc. Antivirus programs have to protect themselves in adequate ways - monitor the integrity of databases, hide their processes from Trojans, etc.

Hiding your code on websites. The addresses of web pages containing Trojan files sooner or later become known to antivirus companies. Naturally, such pages come under the close attention of anti-virus analysts - the contents of the page are periodically downloaded, new versions of Trojan programs are included in anti-virus updates. To counteract this, the web page is modified in a special way - if the request comes from the address of an antivirus company, then some non-Trojan file is downloaded instead of the Trojan one.

Attack by numbers. Generation and distribution on the Internet of a large number of new versions of Trojan programs in a short period of time. As a result, antivirus companies find themselves inundated with new samples that take time to analyze, giving malicious code an additional chance to successfully infiltrate computers.

These and other methods are used by the computer underground to counter antivirus programs. At the same time, the activity of cybercriminals is growing year after year, and now we can talk about a real “technology race” that has unfolded between the antivirus industry and the virus industry. At the same time, the number of individual hackers and criminal groups, as well as their professionalism, is growing. All this together significantly increases the complexity and amount of work required by antivirus companies to develop a sufficient level of protection.

4. Classification of malicious programs

The need to create a classification of objects detected by antiviruses arose simultaneously with the advent of the first antivirus program. Despite the fact that there were few viruses at that time, they still needed to be somehow distinguished from each other by name.

Pioneers of the antivirus industry typically used the simplest classification, consisting of a unique virus name and the size of the detected file. However, due to the fact that the same virus could be named differently in different antivirus programs, confusion began.

The first attempts to streamline classification were made back in the early 1990s, within the framework of the alliance of antivirus specialists CARO (Computer AntiVirus Researcher's Organization). The alliance created the document "CARO malware naming scheme", which for some period became the industry standard.

But over time, the rapid development of malware, the emergence of new platforms and the growth in the number of antivirus companies led to this scheme effectively ceasing to be used (see, for example, the article by Vesselin Bontchev “Current Status of the CARO Malware Naming Scheme”). An even more important reason for its abandonment was the significant differences in the detection technologies of each antivirus company and, as a result, the impossibility of unifying scan results between different antivirus programs.

Attempts are periodically made to develop a new general classification of objects detected by anti-virus programs, but for the most part they remain unsuccessful. The last significant project of this kind was the creation of the CME (Common Malware Enumeration) organization, which assigns a single unique identifier to identical detected objects.

The classification system used by Kaspersky Lab for detected objects is one of the most widely used in the industry, and has served as the basis for the classifications of several other antivirus companies. Currently, the Kaspersky Lab classification includes the entire volume of malicious or potentially unwanted objects detected by Kaspersky Anti-Virus, and is based on dividing objects according to the type of actions they perform on the user’s computer.


