A file infector virus, when executed on a system, seeks out other files and inserts its code into them. Programs with .EXE and .COM extensions are the most commonly targeted, but a file infector virus can target any executable file. When the application is started, the infection is executed and carries out its designated task. It is commonly injected into system memory, where it waits for a trigger before corrupting other items. This infection is most commonly distributed via compromised networks, over the web via drive-by download, or from corrupted media (CD-RW, flash media). One of the most prevalent forms of file infector contains a variant of the Win32 virus. Its purpose is to transfer hits to the Http Send Request into a corrupted .DLL format. This type of file infector is often installed by other malware. The file infector employs a technique to make sure its corrupted .DLL will replace the targeted extensions found within the system. When the computer is rebooted, it incidentally boots the infected file and continues its advancement throughout the system.
Boot Sector Infector
A Boot Sector infector is a virus that infects the leading sector of a hard drive or other bootable media. Many boot sector infectors have the ability to modify the volume label of the storage drive. It may be transferred as a result of a pirated software application. Though less common today than in the past, this type of virus was capable of causing considerable damage, as most operating systems will attempt to boot a computer from the first sector of the boot drive.
A Multipartite Virus is a virus that infects and spreads in more than one way. The term was derived from the discovery of a virus that contained both a boot sector infector and a file infector attack. To fully remove the threat, all parts of the virus must be removed. Because it has multiple vectors for spreading the infection, such a virus can spread faster than a boot sector or file infector alone.
A Macro Virus is a virus that is written in a language specific to a software application such as a word processor. Because some applications (such as parts of Microsoft Office) allow macro programs to be embedded in documents, the virus can run automatically when the document is opened, which provides a distinct mechanism by which the virus can spread. Certain encryption techniques can put detection of this threat beyond the scope of many antivirus programs. Since a macro virus depends on the application rather than the operating system, it can infect a computer running any operating system on which the targeted application runs. A macro virus infection can be avoided by exercising caution when opening email attachments and other documents.
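Because a macro virus rides inside the document rather than the operating system, the practical control at a mail gateway is to inspect attachments by content and quarantine anything that carries a macro project, whatever its extension claims. The following is an added example (not code from the original page): it classifies an Office attachment by looking inside the OOXML zip container for a VBA project part or a macro-enabled content type, and flags legacy OLE2 files as needing separate inspection. The sample documents it builds are constructed minimal containers, not real Word files.

```python
import io
import zipfile

# Signature of the Office 97-2003 binary (OLE2) container; these formats can
# also carry VBA but need an OLE parser, which is out of scope here.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_attachment(blob):
    """Classify an attachment by content, never by its file extension.
    Returns one of: "ooxml-macro", "ooxml-clean", "legacy-ole2", "not-office"."""
    if blob.startswith(OLE2_MAGIC):
        return "legacy-ole2"                  # route to an OLE/VBA scanner instead
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = z.namelist()
            lowered = [n.lower() for n in names]
            # Signal 1: the VBA project part itself is present (e.g. word/vbaProject.bin).
            if any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in lowered):
                return "ooxml-macro"
            # Signal 2: the package declares a macro-enabled main part (.docm/.xlsm/.pptm).
            for original, low in zip(names, lowered):
                if low == "[content_types].xml":
                    types = z.read(original).decode("utf-8", "replace")
                    if "macroenabled" in types.lower():
                        return "ooxml-macro"
                    return "ooxml-clean"
    except zipfile.BadZipFile:
        pass                                  # not a zip, so not an OOXML document
    return "not-office"


def build_sample_doc(with_macro):
    """Constructed minimal OOXML container for demonstration (not a real Word file)."""
    macro_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    clean_type = ("application/vnd.openxmlformats-officedocument."
                  "wordprocessingml.document.main+xml")
    main_type = macro_type if with_macro else clean_type
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" '
                   f'ContentType="{main_type}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-bearing", build_sample_doc(True)),
                       ("plain", build_sample_doc(False))):
        print(f"{label} document -> {classify_office_attachment(doc)}")
```

Checking the container's parts rather than the extension matters because a renamed .docm still opens in Word with its macros intact; a gateway policy would quarantine "ooxml-macro" and send "legacy-ole2" to a scanner that can parse OLE streams.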
A Polymorphic engine is used to create a virus that can be programmed to mutate itself with each infection, making detection more difficult. This type of malware infects with an encrypted copy of itself, and the decryption module is modified on each infection.
Using a Metamorphic engine, some viruses can rewrite themselves completely on each new execution. This helps the virus avoid being detected by emulation. These types of viruses are typically extremely large.
Worms are programs that replicate themselves from system to system without the use of a host file, in contrast to viruses, which require the spreading of an infected host file. The most common way for a worm to propagate is to copy itself to outbound email as a file attachment or transfer itself across a network through open network shares. Once a worm is on the system, it does not have to be executed by the user. It is important to note that some worms will drop Trojan horses on a customer's machine to open a network port for communication with a third party.
Trojan horses are impostors: files that claim to be something desirable but are, in fact, malicious. A very important distinction from true viruses is that they do not replicate themselves. Trojans contain malicious code that, when triggered, causes loss or even theft of data. For a Trojan horse to spread, it must be invited onto your computer. A Trojan horse has no reproduction capability and can only be executed by the user. Once a Trojan horse is executed, it delivers its payload. The payloads differ, but most recently created Trojans are designed to steal passwords or open a port for communication.
Spyware is a generic term for a class of software designed either to gather information for marketing purposes or to deliver advertisements to web pages. Spyware aids in gathering information about a person or organization without their knowledge, and can relay this information back to an unauthorized third party. Because spyware is not viral, anti-virus software does not offer protection. By attaching itself to legitimate downloads, spyware easily passes through firewalls unchallenged. By intertwining itself with files essential to system operation, spyware cannot safely be removed by simply deleting files with a system cleaning tool.
Rogue/Suspect implies that these products are of unknown, questionable, or dubious value as antispyware protection. These products do not provide proven, reliable anti-spyware protection and may be prone to exaggerated false positives. Others may use unfair, deceptive, high-pressure sales tactics to extract sales from gullible, confused users. A few of these products are either associated with known distributors of spyware/adware or have been known to install spyware/adware themselves. Rogue antispyware is difficult to define, as the intentions of the group vary. Typically, members of the group claim to be a legitimate anti-spyware application but are in fact nothing more than an inexpensive clone of unreliable software. Rogues are often repackaged and given new names. Others among this group present false positives due to bugs in the software's code, not because of an outright lie; code corrections can move a suspected rogue off of detection lists. Many rogue applications use deceptive or high-pressure sales tactics to push users into buying a license. Users will be told that they need to buy protection even if nothing dangerous is found. Free scans are offered, but a license is needed before any dangers can be removed. Free, fully functional trial periods are usually not offered. Spyware or other malware sometimes silently installs rogue antispyware that then offers to remove the spyware. Trojans and toolbars are other sources prompting for rogues to be installed. Affiliate marketing programs are often used to sell rogue antispyware.
Adware is a type of program that displays an advertisement of some sort, usually related to a specific website cached in the web browser. In some cases, it changes the home page of your web browser to point to a specific web site. Because adware is not malicious in nature, it is not considered a virus. Adware can do a number of different things to your system. It can monitor and profile your web usage and direct pop-up ads based on your surfing habits. Most peer-to-peer file sharing programs come bundled with adware, and the user is only notified of this in the fine print of the End User License Agreement. Adware is not as dangerous as other infections, but it can be incredibly annoying. These are the types of programs that download files onto your computer by claiming they are necessary for certain websites to work, or without notifying you at all. They can take up your computer's resources and are largely responsible for the countless pop-up ads you receive on the web.
Rootkits are specialized programs that exploit known vulnerabilities in an operating system. These programs are available in abundance on the Internet and are used by hackers to gain root (administrator level) access to a computer. In Windows there are two basic classes of Rootkits: User Mode Rootkits and Kernel Mode Rootkits.
User Mode Rootkits
A user mode rootkit involves system hacking in the user or application space. Whenever an application makes a system call, the execution of that system call follows a predetermined path, and a Windows rootkit can hijack the system call at many points along that path. One of the most common user mode techniques is in-memory modification of system DLLs. Windows programs utilize common code found in Microsoft-provided DLLs. At runtime, these DLLs are loaded into the application's memory space, allowing the application to call and execute code in the DLL.
Kernel Mode Rootkits
A kernel mode rootkit involves system hacking or modification in the kernel space. Kernel space is generally off-limits to standard authorized (or unauthorized) users; one must have the appropriate rights in order to view or modify kernel memory. However, the kernel is an ideal place for system hacking because it is at the lowest level and thus is the most reliable and robust method of hacking. The system call's path through the kernel passes through a variety of hook points, a few of which are described below.
As a system call's execution path leaves user mode and enters kernel mode, it must pass through a gate. The purpose of the gate is to ensure that user mode code does not have general access to kernel mode space. This gate must recognize the purpose of the incoming system call, initiate the execution of code inside the kernel space, and then return the results to the user mode caller. The gate is effectively a proxy between user mode and kernel mode. In older versions of Windows this proxy is invoked through interrupts, and in newer versions through Model Specific Registers (MSRs). Both mechanisms can be hooked, causing the gate to direct execution to the rootkit rather than the original kernel mode code.
Another popular hook point is the System Service Descriptor Table (SSDT). The SSDT is a function pointer table in kernel memory that holds the addresses of the system call functions. By modifying this table, the rootkit can redirect execution to its own code instead of the original system call. As with the previously mentioned techniques, the rootkit would typically call the original system call and then remove itself from the results before passing them back.
Finally, another kernel mode rootkit technique is simply to modify data structures in kernel memory. For example, the kernel must keep a list of all running processes, and a rootkit can simply remove itself, and any other malicious processes it wishes to hide, from this list. This technique is known as direct kernel object modification (DKOM).
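The defensive answer to DKOM-style hiding is cross-view detection: enumerate processes through two independent paths and diff the results, since a rootkit that unlinks a process from the list behind the directory listing usually leaves it reachable by direct lookup. The following is an added example, not code from the original page, written for Linux rather than the Windows internals described above (the technique is the same). It lists /proc as the "normal" view, probes every PID with a null signal as the second view, filters out thread IDs (kill() accepts them too, which would otherwise produce false positives), and reports PIDs present in the second view but missing from the first.

```python
import os


def listed_pids():
    """View 1: the ordinary enumeration path, a directory listing of /proc.
    A rootkit that unlinks a task or hooks directory enumeration makes a
    process vanish from this view."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def _is_thread(pid):
    """kill() also accepts thread IDs, so drop IDs whose Tgid is a different
    process; otherwise every thread of a multithreaded program looks hidden."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass                      # status unreadable: keep the PID as a candidate
    return False


def probed_pids(max_pid=None):
    """View 2: ask the kernel about each PID directly with a null signal.
    kill(pid, 0) is answered from the scheduler's own process table, so a
    process the kernel still runs answers here even if it is hidden from listings."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())   # often large; a full sweep takes a while
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue                  # no such process
        except PermissionError:
            pass                      # exists, but owned by another user
        if not _is_thread(pid):
            found.add(pid)
    return found


def hidden_pids(listed, probed):
    """Cross-view diff: IDs the kernel answers for but the listing omits."""
    return sorted(probed - listed)


if __name__ == "__main__":
    suspects = hidden_pids(listed_pids(), probed_pids())
    print("hidden process candidates:", suspects or "none")
```

Processes that start or exit between the two sweeps show up as transient differences, so a PID should be reported only if it is still missing on a second pass; and a kernel-resident rootkit that hooks the probe path as well defeats this check, which is why production tools combine several views (task list walk, PID hash, scheduler queues) rather than two.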
Typically a networked computer uses a Domain Name System (DNS) server to associate website names with IP addresses that the computer can use to negotiate a connection. Poisoning attacks on a single DNS server can affect the users served directly by the compromised server, or indirectly by its downstream server(s), if applicable. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software: if the server does not correctly validate DNS responses to ensure that they come from an authoritative source, it will cache the incorrect entries locally and serve them to other users that make the same request. This technique can be used to direct users of a website to another site of the attacker's choosing. For example, an attacker spoofs the DNS entries for a target website on a given DNS server, replacing the IP address with that of a server he controls. He then creates files on that server with names matching those on the target server. These files could contain malicious content, such as a computer worm or a computer virus. A user whose computer has referenced the poisoned DNS server would be tricked into accepting content from a non-authentic server and unknowingly download malicious content.
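The flaw the paragraph describes is a resolver caching whatever arrives, so the defensive side is the set of checks a resolver makes before it accepts a response. The following is an added example, not code from the original page or from any real resolver: a small DNS wire-format parser plus a validate_response function that rejects a datagram unless it came from the server and port that were queried, its transaction ID and question section match an outstanding query, and every record lies within the bailiwick of the zone the queried server is authoritative for (the rule that stops a response for one name from planting records for an unrelated domain). The sample messages are constructed with a helper builder; the names and addresses (example.com, 192.0.2.x, 198.51.100.x, www.bank.test) are documentation placeholders.

```python
import struct


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name at offset off.
    Returns (lower-cased dotted name, offset just past the name in the stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                           # resume here after the jump
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_message(msg):
    """Parse header, question and the three record sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    records = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records[section].append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, **records}


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def validate_response(pending, source, raw, zone):
    """Checks a resolver makes before caching anything from raw.
    pending: {"txid", "question": (name, qtype, qclass), "server": (ip, port)} of the query sent.
    source:  (ip, port) the datagram actually arrived from.
    zone:    the zone the queried server is authoritative for (its bailiwick)."""
    if source != pending["server"]:
        return False, "response did not come from the server and port that were queried"
    resp = parse_message(raw)
    if resp["txid"] != pending["txid"]:
        return False, "transaction id does not match an outstanding query"
    if not resp["flags"] & 0x8000:
        return False, "QR bit clear: this is a query, not a response"
    if resp["questions"] != [pending["question"]]:
        return False, "question section does not match the query sent"
    for section in ("answer", "authority", "additional"):
        for name, _, _ in resp[section]:
            if not in_bailiwick(name, zone):
                return False, f"out-of-bailiwick record {name} in {section} section"
    return True, "accepted"


# --- constructed sample traffic (hypothetical names and addresses) ---------------
def _name(n):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in n.split(".")) + b"\x00"


def build_response(txid, qname, answers, additional=()):
    """Build a minimal A-record response; answers/additional are (name, ipv4) pairs."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = _name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in list(answers) + list(additional):
        body += _name(name) + struct.pack("!HHIH", 1, 1, 300, 4)
        body += bytes(int(x) for x in ip.split("."))
    return hdr + body


PENDING = {"txid": 0x1A2B, "question": ("www.example.com", 1, 1), "server": ("192.0.2.53", 53)}
GOOD = build_response(0x1A2B, "www.example.com", [("www.example.com", "192.0.2.10")])
WRONG_ID = build_response(0x9999, "www.example.com", [("www.example.com", "198.51.100.66")])
GLUE = build_response(0x1A2B, "www.example.com", [("www.example.com", "192.0.2.10")],
                      additional=[("www.bank.test", "198.51.100.66")])

if __name__ == "__main__":
    for label, raw in (("genuine", GOOD), ("guessed txid", WRONG_ID), ("stray glue", GLUE)):
        print(label, "->", validate_response(PENDING, ("192.0.2.53", 53), raw, "example.com"))
```

The transaction ID is only 16 bits, so matching it alone is weak; real resolvers also randomize the source port of each query (the source check above), cap how long a poisoned record could live, and, where the zone is signed, verify DNSSEC signatures so a forged record fails regardless of how it arrived.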