
1. Introduction
1.1. What is a Computer Virus?
A computer virus is a computer program that can copy itself and infect a computer
without the permission or knowledge of the user. The term "virus" is also commonly but
erroneously used to refer to other types of malware, adware and spyware programs that
do not have the reproductive ability. A true virus can only spread from one computer to
another when its host (some form of executable code) is taken to the target computer, for
instance because a user sent it over a network or the Internet, or carried it on a removable
medium such as a floppy disk, CD, or USB drive. Viruses can increase their chances of
spreading to other computers by infecting files on a network file system or a file system
that is accessed by another computer.

Viruses are sometimes confused with computer worms and Trojan horses, which are
technically different. A worm can spread itself to other computers without needing to be
transferred as part of a host, and a Trojan horse is a program that appears harmless but
has a hidden agenda. Worms and Trojans, like viruses, may cause harm to a computer
system's hosted data, functional performance, or networking throughput, when they are
executed. Some viruses and other malware have symptoms noticeable to the computer
user, but most are surreptitious. This makes them hard for the average user to notice, find
and disable, and is why specialist anti-virus programs are now commonplace.
Most personal computers are now connected to the Internet and to local area networks,
facilitating the spread of malicious code. Today's viruses may also take advantage of
network services such as the World Wide Web, e-mail, Instant Messaging and file sharing
systems to spread, blurring the line between viruses and worms. Furthermore, some
sources use an alternative terminology in which a virus is any form of self-replicating
malware.

Simply put, it is a program that reproduces. When it is executed, it simply makes one or
more copies of itself. Those copies may later be executed to create still more copies, ad
infinitum. Typically, a computer virus attaches itself to another program, or rides on the
back of another program, in order to facilitate reproduction. This approach sets computer
viruses apart from other self-reproducing software because it enables the virus to
reproduce without the operator’s consent. Compare this with a simple program called
“1.COM”. When run, it might create “2.COM” and “3.COM”, etc., which would be exact
copies of itself. Now, the average computer user might run such a program once or twice
at your request, but then he’ll probably delete it and that will be the end of it. It won’t get
very far. Not so, the computer virus, because it attaches itself to otherwise useful
programs. The computer user will execute these programs in the normal course of using
the computer, and the virus will get executed with them. In this way, viruses have gained
viability on a world-wide scale. Actually, the term computer virus is a misnomer. It was
coined by Fred Cohen in his 1985 graduate thesis, which discussed self-reproducing
software and its ability to compromise so-called secure systems. Really, “virus” is an
emotionally charged epithet. The very word bodes evil and suggests something bad. Even
Fred Cohen has repented of having coined the term and he now suggests that we call
these programs “living programs” instead. Personally I prefer the more scientific term
self-reproducing automaton. That simply describes what such a program does without
adding the negative emotions associated with “virus” yet also without suggesting life
where there is a big question whether we should call something truly alive. However, I
know that trying to re-educate people who have developed a bad habit is almost
impossible, so I’m not going to try to eliminate or replace the term “virus”, bad though it
may be.

In fact, a computer virus is much more like a simple one-celled living organism than it is
like a biological virus. Although it may attach itself to other programs, those programs
are not alive in any sense. Furthermore, the living organism is not inherently bad, though
it does seem to have a measure of self-will. Just as lichens may dig into a rock and eat it
up over time, computer viruses can certainly dig into your computer and do things you
don’t want. Some of the more destructive ones will wipe out everything stored on your
hard disk, while any of them will at least use a few CPU cycles here and there.

Aside from the aspect of self-will, though, we should realize that computer viruses per se
are not inherently destructive. They may take a few CPU cycles; however, since a virus
that gets noticed tends to get wiped out, the only successful viruses are those that take an
unnoticeable fraction of your system’s resources. Viruses that have given the computer
virus a name for being destructive generally contain logic bombs which trigger at a
certain date and then display a message or do something annoying or nasty. Such logic
bombs, however, have nothing to do with viral self-reproduction. They are payloads—
add-ons—to the self-reproducing code. When I say that computer viruses are not
inherently destructive, of course, I do not mean that you don’t have to watch out for them.
There are some virus writers out there who have no other goal but to destroy the data on
your computer. As far as they are concerned, they want their viruses to be memorable
experiences for you. They’re nihilists, and you’d do well to steer clear of
the destruction they’re trying to cause. So by all means do watch out . . . but at the same time,
consider the positive possibilities of what self-reproducing code might be able to do that
ordinary programs may not. After all, a virus could just as well have some good routines
in it as bad ones.

1.2. History of Computer Viruses

1.2.1. A Bit of Archeology

There are lots and lots of opinions on the date of birth of the first computer virus. I know
for sure only that there were no viruses on Babbage's machine, but the Univac 1108
and IBM 360/370 already had them ("Pervading Animal" and "Christmas tree").
Therefore the first virus was born at the very beginning of the 1970s or even at the end of
the 1960s, although nobody was calling it a virus then. And with that, consider the topic of
the extinct fossil species closed.

1.2.2. Journey's Start

Let's talk of more recent history: "Brain", "Vienna", "Cascade", etc. Those who started using
IBM PCs as far back as the mid-80s might still remember the total epidemic of these viruses in
1987-1989. Letters were dropping from displays, crowds of users rushing towards
monitor service people (unlike these days, when hard disk drives die from old age, yet
some unknown modern virus gets the blame). Their computers started playing a tune
called "Yankee Doodle", but by then people were already clever, and nobody tried to fix
their speakers; very soon it became clear that this problem wasn't with the hardware, it
was a virus, and not even a single one, more like a dozen.

And so viruses started infecting files. The "Brain" virus and the bouncing ball of the "Ping-
pong" virus marked the victory of viruses over the boot sector. IBM PC users of course
didn't like that at all. And so antidotes appeared. Which was the first? I don't
know; there were many of them. Only a few of them are still alive, and all of these anti-
virus programs grew from single projects into major software companies playing big
roles on the software market.

There is also a notable difference in how viruses conquered different countries. The first
widely spread virus in the West was a boot virus called "Brain"; the "Vienna" and
"Cascade" file viruses appeared later. In Eastern Europe and Russia, by contrast, file
viruses came first, followed by boot viruses a year later.
Time went on, viruses multiplied. They were all alike in a sense: they tried to get into RAM,
stuck to files and sectors, periodically killing files, diskettes and hard disks. One of the
first "revelations" was the "Frodo.4096" virus, which as far as I know was the first
invisible (stealth) virus. This virus intercepted INT 21h, and during DOS calls to
infected files it altered the returned information so that the file appeared uninfected to the
user. But this was just an overlay on top of MS-DOS. In less than a year electronic bugs
attacked the DOS kernel itself (the "Beast.512" stealth virus). The idea of invisibility
continued to bear fruit: in the summer of 1991 there was a plague of "Dir_II".

But the stealth ones were fairly easy to fight: once you clean RAM (boot from a clean
disk so the virus is not resident), you may stop worrying and just search for the beast and
cure it to your heart's content. Other, self-encrypting viruses, sometimes appearing in
software collections, were more troublesome. This is because to identify and delete them
it was necessary to write special subroutines and debug them. But then nobody paid
attention to it, until ... until a new generation of viruses came, those called polymorphic
viruses. These viruses use another approach to invisibility: they encrypt themselves (in
most cases), and to decrypt themselves later they use instruction sequences that may or
may not be repeated in different infected files.

1.3. Virus Origins

Computer viruses are called viruses because they share some of the traits of biological
viruses. A computer virus passes from computer to computer like a biological virus
passes from person to person. Unlike a cell, a virus has no way to reproduce by itself.
Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the
cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral
particles until it bursts, releasing the virus. In other cases, the new virus particles bud off
the cell one at a time, and the cell remains alive.

A computer virus shares some of these traits. A computer virus must piggyback on top of
some other program or document in order to launch. Once it is running, it can infect other
programs or documents. Obviously, the analogy between computer and biological viruses
stretches things a bit, but there are enough similarities that the name sticks.
People write computer viruses. A person has to write the code, test it to make sure it
spreads properly and then release it. A person also designs the virus's attack phase,
whether it's a silly message or the destruction of a hard disk. Why do they do it?
There are at least three reasons:

The first is the same psychology that drives vandals and arsonists. Why would someone
want to break a window on someone's car, paint signs on buildings or burn down a
beautiful forest? For some people, that seems to be a thrill. If that sort of person knows
computer programming, then he or she may funnel energy into the creation of destructive
viruses.

The second reason has to do with the thrill of watching things blow up. Some people
have a fascination with things like explosions and car wrecks. When you were growing
up, there might have been a kid in your neighborhood who learned how to make
gunpowder. And that kid probably built bigger and bigger bombs until he either got bored
or did some serious damage to himself. Creating a virus is a little like that -- it creates a
bomb inside a computer, and the more computers that get infected the more "fun" the
explosion.

The third reason involves bragging rights, or the thrill of doing it. Sort of like Mount
Everest -- the mountain is there, so someone is compelled to climb it. If you are a certain
type of programmer who sees a security hole that could be exploited, you might simply
be compelled to exploit the hole yourself before someone else beats you to it.

Of course, most virus creators seem to miss the point that they cause real damage to real
people with their creations. Destroying everything on a person's hard disk is real damage.
Forcing a large company to waste thousands of hours cleaning up after a virus is real
damage. Even a silly message is real damage because someone has to waste time getting
rid of it. For this reason, the legal system is getting much harsher in punishing the people
who create viruses.

2. Types of Computer Viruses


Viruses can be classified using multiple criteria: origin, techniques, types of files they
infect, where they hide, the kind of damage they cause, the type of operating system or
platform they attack, etc.

A single virus, if it is particularly complex, may come under several different categories.
And as new viruses emerge, it may sometimes be necessary to redefine categories or,
very occasionally, create new categories.

The following are the most common types of viruses:

2.1. Resident

This type of virus stays resident in RAM. From there it can control and intercept all of the
operations carried out by the system, corrupting files and programs that are opened,
closed, copied, renamed, etc.

Resident viruses are usually file infectors. Once a virus goes memory resident, it will
remain there until the computer is switched off or restarted (waiting for certain triggers
to activate it, such as a specific date and time). In the meantime it sits and waits in
hiding, unless of course an antivirus can locate and eliminate it. Examples include:
Randex, CMJ, Meve, and MrKlunky.

2.2. Multipartite

These advanced viruses can create multiple infections using several techniques. Their
objective is to attack any elements that can be infected: files, programs, macros, disks,
etc.

They are considered fairly dangerous due to their capacity to combine different infection
techniques.

Some examples include: Ywinz.

2.3. Direct Action

The principal aim of these viruses is to replicate and take action when they are run.
When a specific condition is met, the virus will go into action and infect files in the
directory or folder that it is in and in the directories listed in the PATH set by the
AUTOEXEC.BAT file. This batch file is located in the root directory of the boot drive and
carries out certain operations when the computer is booted.

Files infected with this type of virus can be disinfected, and completely restored to their
original condition.

2.4. File infectors

As one of the most popular types of viruses (with the black hats, anyway), a file-infector
virus arrives embedded in or attached to a computer program file, typically a file with an
.EXE or .COM extension. When the program runs, the virus instructions are activated along
with the original program. The virus carries out the instructions in its code: it could
delete or damage files on your computer, attempt to implant itself within other program
files on your computer, or do anything else that its creator dreamed up while in a nasty
mood.

The presence of a file-infector virus can be detected in two major ways:

• The size of a file may have suspiciously increased. If a program file is too big
for its britches, a virus may account for the extra size. At this point, you need to
know two things:
o What size the file(s) should be when fresh from the software maker. You
have all of this information written down somewhere, right? (I’m only
kidding — I know a lot of “propeller heads” but no one who is that
cautious.)
o Whether the virus is a cavity seeker — a treacherous type that hides itself
in the unused space in a computer program, so the file does not grow at all.
Clever. Of course, your antivirus program will only know to look for a cavity
seeker if. . . .
• The signature of a known virus turns up in an antivirus scan. The signature
— a known, characteristic pattern that “fingerprints” a particular virus — is a
dead giveaway that a virus is embedded within a program file — provided your
antivirus software knows what to look for.

2.5. Overwrite

This type of virus is characterized by the fact that it destroys the information
contained in the files that it infects, rendering them partially or totally useless once they
have been infected.

Infected files do not change size, unless the virus occupies more space than the original
file, because instead of hiding within a file the virus replaces the file's content.

The only way to clean a file infected by an overwrite virus is to delete the file completely,
thus losing the original content, and restore it from a clean copy or backup.

Some examples of overwrite viruses include: Way, Trj.Reboot, Trivial.88.D
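The two checks described for file infectors (size growth, known signatures) and the one that catches overwrite viruses (same size, different content) fit in one small integrity scanner. The Python script below is an added example, not part of the original text: the program images, the two "infections" and the signature names and byte patterns are all constructed for the demonstration and do not correspond to any real virus.

```python
"""Integrity and signature checks for file-infector and overwrite viruses.

Added example, not from the original text. The program images, the two
"infections" and the signature byte patterns are all constructed here so the
script runs offline; none of them corresponds to a real virus.
"""
import hashlib

# Constructed clean program images standing in for shipped .EXE/.COM files.
CLEAN_FILES = {
    "EDIT.EXE":   b"MZ" + bytes(range(256)) * 2,
    "FORMAT.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 64,
    "README.TXT": b"Just text.\r\n",
}

# Constructed signatures (hypothetical names and byte patterns).
SIGNATURES = {
    "Demo.Appender":   b"\xe8\x00\x00\x5e\x81\xee",
    "Demo.Overwriter": b"\xb4\x4c\xcd\x21\x00\x00",
}


def fingerprint(data: bytes):
    """(size, sha256) pair: what a vendor could publish for every shipped file."""
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Record fingerprints from a known-clean installation."""
    return {name: fingerprint(data) for name, data in files.items()}


def infect_by_appending(host: bytes, virus_body: bytes) -> bytes:
    """Toy model of a file infector: the file grows by the size of the virus."""
    return host + virus_body


def infect_by_overwriting(host: bytes, virus_body: bytes) -> bytes:
    """Toy model of an overwrite virus: the start of the host is replaced in
    place, so the file keeps its size and the overwritten bytes are gone."""
    return virus_body + host[len(virus_body):]


def scan(files, baseline, signatures):
    """Compare every file with the baseline and search it for known signatures."""
    findings = {}
    for name, data in files.items():
        notes = []
        size, digest = fingerprint(data)
        if name not in baseline:
            notes.append("not in baseline")
        else:
            base_size, base_digest = baseline[name]
            if size != base_size:
                notes.append(f"size changed {base_size} -> {size}")
            elif digest != base_digest:
                # Same size, different content: overwrite or cavity infection.
                notes.append("size unchanged but contents differ")
        for virus_name, pattern in signatures.items():
            if pattern in data:
                notes.append(f"signature match: {virus_name}")
        if notes:
            findings[name] = notes
    return findings


def demo():
    baseline = build_baseline(CLEAN_FILES)
    infected = dict(CLEAN_FILES)
    infected["EDIT.EXE"] = infect_by_appending(
        CLEAN_FILES["EDIT.EXE"], SIGNATURES["Demo.Appender"] + b"\x90" * 32)
    infected["FORMAT.COM"] = infect_by_overwriting(
        CLEAN_FILES["FORMAT.COM"], SIGNATURES["Demo.Overwriter"] + b"\x90" * 10)
    return scan(infected, baseline, SIGNATURES)


if __name__ == "__main__":
    for name, notes in demo().items():
        print(name, "->", "; ".join(notes))
```

The size check alone misses the overwriter, and a signature alone misses anything the scanner has no pattern for; the hash comparison against a baseline recorded on a clean system catches both, which is why integrity baselines are taken at install time rather than after the fact.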

2.6. Companion

Companion viruses can be considered file infector viruses like resident or direct action
types. They are known as companion viruses because once they get into the system they
"accompany" the other files that already exist: rather than modifying a program, the virus
places a file of its own next to it that DOS will run first (classically a NAME.COM beside a
legitimate NAME.EXE, since DOS tries the .COM before the .EXE when only the name is
typed), and then hands control to the real program. In order to carry out their infection
routines, companion viruses can wait in memory until a program is run (resident viruses)
or act immediately by making copies of themselves (direct action viruses).

Some examples include: Stator, Asimov.1539, and Terrax.1069.
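The following Python script is an added example, not part of the original text. It models the documented DOS command lookup order (for a bare command name, COMMAND.COM tries NAME.COM, then NAME.EXE, then NAME.BAT, in the current directory and then in each PATH directory) and uses it for two checks: which file actually runs when a name is typed, and which .EXE files are shadowed by a same-name .COM. The directory listing and search path are constructed.

```python
"""DOS command lookup order and a check for companion (.COM beside .EXE) files.

Added example, not from the original text. The directory listing is
constructed. It relies on documented DOS behaviour: when a command is typed
without an extension, COMMAND.COM looks for NAME.COM, then NAME.EXE, then
NAME.BAT, first in the current directory and then in each PATH directory.
"""

EXT_ORDER = (".COM", ".EXE", ".BAT")

# Constructed listing: directory -> files. WP.COM is the planted companion;
# C:\PKZIP.COM shadows C:\TOOLS\PKZIP.EXE through PATH order.
SAMPLE_LISTING = {
    "C:\\":      {"COMMAND.COM", "AUTOEXEC.BAT", "PKZIP.COM"},
    "C:\\DOS":   {"FORMAT.COM", "EDIT.COM"},
    "C:\\WP":    {"WP.EXE", "WP.COM"},
    "C:\\TOOLS": {"PKZIP.EXE"},
}
# Current directory first, then PATH=C:\;C:\DOS;C:\TOOLS
SAMPLE_SEARCH = ["C:\\WP", "C:\\", "C:\\DOS", "C:\\TOOLS"]


def dos_join(directory: str, filename: str) -> str:
    return directory.rstrip("\\") + "\\" + filename


def resolve(command, search_dirs, listing):
    """Return the full name of the file DOS would run for `command`, or None."""
    name = command.upper()
    for directory in search_dirs:
        present = {f.upper() for f in listing.get(directory, ())}
        for ext in EXT_ORDER:
            if name + ext in present:
                return dos_join(directory, name + ext)
    return None


def companion_pairs(listing):
    """NAME.COM sitting next to NAME.EXE in the same directory: the classic
    companion-virus footprint (legitimate pairs exist, so verify each hit)."""
    pairs = []
    for directory, files in listing.items():
        names = {f.upper() for f in files}
        for f in sorted(names):
            if f.endswith(".EXE") and f[:-4] + ".COM" in names:
                pairs.append((directory, f[:-4] + ".COM", f))
    return pairs


def shadowed_programs(search_dirs, listing):
    """For each .EXE on the search path, report when typing its bare name would
    run some other file instead (same-directory .COM or an earlier PATH entry)."""
    report = {}
    for directory in search_dirs:
        for f in listing.get(directory, ()):
            if f.upper().endswith(".EXE"):
                expected = dos_join(directory, f.upper())
                actual = resolve(f[:-4], search_dirs, listing)
                if actual != expected:
                    report[expected] = actual
    return report


if __name__ == "__main__":
    print("WP runs:", resolve("wp", SAMPLE_SEARCH, SAMPLE_LISTING))
    print("companions:", companion_pairs(SAMPLE_LISTING))
    for exe, other in shadowed_programs(SAMPLE_SEARCH, SAMPLE_LISTING).items():
        print(f"{exe} is shadowed by {other}")
```

A PATH shadow is not malicious by itself (the sample's PKZIP.COM could be a legitimate older copy), which is why the report lists what would run rather than passing judgement; the cure for a genuine companion is simply to delete the planted .COM, since the .EXE was never modified.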

2.7. Boot

While less prevalent today, boot-sector viruses were once the mainstay of computer
viruses. A boot-sector virus occupies the portion (sector) of a floppy disk or hard drive
that the computer first consults when it boots up. The boot sector provides instructions
that tell the computer how to start up; the virus tells the computer (in effect), "While
you’re at it, load me too, before you do anything else."

Here’s the especially devious part: The virus writer knows that after the computer is
started, the boot sector isn’t used. It’s pretty much ignored; the standard tools used to
examine a floppy disk or hard drive won’t even look in the boot sector. Unless antivirus
software is used, it’s difficult to detect a boot-sector virus. That’s partly because the virus
doesn’t occupy free space, change the amount of free space available, or change the size
of any file on the floppy disk or hard drive. It’s pretending to be boot instructions. The
only traces of its presence may be (relatively subtle) effects such as excessive hard-drive
activity or slowed processing.

Some examples of boot viruses include: Polyboot.B, AntiEXE.
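Because a boot-sector virus leaves the file system untouched, the check has to look at the sector itself. The Python script below is an added example, not part of the original text: it parses the fixed layout of a hard disk master boot record (446 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and compares the boot code with a hash recorded from a clean system. The MBR images are constructed in memory; the "clean" and "virus" code bytes are made up, only the layout is real.

```python
"""Parse a master boot record and compare its boot code with a known-good copy.

Added example, not from the original text. The MBR images are constructed:
446 bytes of boot code, four 16-byte partition entries at offset 446 and the
0x55AA signature at offset 510. The "clean" and "infected" boot code bytes are
made up; only the layout is the real one.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE = 446
ENTRY_FMT = "<B3BB3BII"   # status, CHS start, type, CHS end, LBA start, sector count

# Constructed boot code: the common MBR prologue (cli; xor ax,ax; mov ss,ax;
# mov sp,7C00h) followed by filler. The "virus" code shares nothing with it.
CLEAN_CODE = b"\xfa\x31\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
VIRUS_CODE = b"\xfa\x31\xc0\x8e\xd8\xbe\x00\x7c\xb8\x01\x02" + b"\xcc" * 60
# (active, type, lba_start, sectors): one active FAT16 partition.
PARTITIONS = [(True, 0x06, 63, 204737)]


def make_mbr(code: bytes, partitions) -> bytes:
    assert len(code) <= PART_TABLE
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    for i, (active, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE + 16 * i,
                         0x80 if active else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    struct.pack_into("<H", sector, 510, 0xAA55)
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE + 16 * i)
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype:      # type 0 = empty slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:PART_TABLE]).hexdigest(),
        "partitions": parts,
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == 0xAA55,
    }


def check_mbr(sector: bytes, known_code_sha256: str):
    """Findings a boot-sector check would raise; an empty list means no change seen."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["code_sha256"] != known_code_sha256:
        findings.append("boot code differs from known-good copy")
    if sum(p["active"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings


def demo():
    clean = make_mbr(CLEAN_CODE, PARTITIONS)
    known = parse_mbr(clean)["code_sha256"]      # recorded on a clean system
    infected = make_mbr(VIRUS_CODE, PARTITIONS)  # table and signature untouched
    return {
        "clean": check_mbr(clean, known),
        "infected": check_mbr(infected, known),
        "same_table": parse_mbr(clean)["partitions"] == parse_mbr(infected)["partitions"],
    }


if __name__ == "__main__":
    print(demo())
```

The infected image keeps the partition table and signature intact, so every file-level view of the disk is unchanged; only the hash of the code area gives it away. On a real system the sector would be read with a raw disk tool rather than constructed, and the known-good hash must come from before the infection, not from the current disk.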

2.8. FAT

The file allocation table or FAT is the part of a disk that records which clusters belong to
each file and in what order, and is a vital part of the normal functioning of the computer.

This type of virus attack can be especially dangerous, by preventing access to certain
sections of the disk where important files are stored. Damage caused can result in
information losses from individual files or even entire directories.

2.9. Macro

Macro viruses infect files that are created using certain applications or programs
that contain macros. These include Word documents (DOC extension), Excel
spreadsheets (XLS extension), PowerPoint presentations (PPT/PPS extensions), Access
databases (MDB extension), Corel Draw files, etc.

A macro is a small program that a user can associate with a file created using certain
applications. These mini-programs make it possible to automate a series of operations so
that they are performed as a single action, thereby saving the user from having to carry
them out one by one.

When a document containing macros is opened, they will automatically be loaded and
may be executed immediately or when the user decides to do so. The virus will then take
effect by carrying out the actions it has been programmed to do, often regardless of the
program's built-in macro virus protection.

There is not just one type of macro virus, but one for each tool: Microsoft Word,
Microsoft Excel, Microsoft PowerPoint, Microsoft Access, Corel Draw, L

otus Ami Pro,
etc. Some examples of macro viruses: Relax, Melissa.A, Bablas, and O97M/Y2K.
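Since a macro virus can only live in a document that carries macro code, the first question for any incoming document is whether it contains a macro project at all. The Python script below is an added example, not part of the original text, and goes beyond the legacy binary formats the section lists: it checks the zipped Office Open XML formats (.docx/.docm, .xlsx/.xlsm and so on) used since Office 2007, where a VBA project is stored as a part named vbaProject.bin and declared in [Content_Types].xml. The sample documents are constructed in memory and contain only placeholder parts.

```python
"""Look for an embedded VBA project in an Office Open XML document.

Added example, not from the original text. The section's examples are the
legacy binary formats (.DOC, .XLS, ...); this check covers the zipped formats
Office has used since 2007, where a macro project is stored as a part named
vbaProject.bin and declared in [Content_Types].xml. The sample documents are
constructed in memory.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppsm"}


def build_document(with_macros: bool) -> bytes:
    """Constructed minimal Word package; real files carry many more parts."""
    types = ['<Override PartName="/word/document.xml" '
             'ContentType="application/vnd.openxmlformats-officedocument.'
             'wordprocessingml.document.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes; a real part is an OLE container holding the VBA streams.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        z.writestr("[Content_Types].xml", "<Types>" + "".join(types) + "</Types>")
    return buf.getvalue()


def macro_report(filename: str, data: bytes) -> dict:
    """Inspect the container without opening it in Office: parts, declared
    content types, and whether the extension claims to be macro-free."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    report = {"is_ooxml": False, "vba_parts": [], "declared_vba": False, "findings": []}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["findings"].append("not a zip container (legacy OLE file or something else)")
        return report
    with z:
        names = z.namelist()
        report["is_ooxml"] = "[Content_Types].xml" in names
        report["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if report["is_ooxml"]:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            report["declared_vba"] = VBA_CONTENT_TYPE in content_types
    if report["vba_parts"]:
        report["findings"].append(f"VBA project present: {report['vba_parts']}")
        if ext not in MACRO_ENABLED_EXT:
            report["findings"].append(f"macro code inside a '{ext}' file, which should be macro-free")
    if report["declared_vba"] and not report["vba_parts"]:
        report["findings"].append("content types declare a VBA part that is missing")
    return report


if __name__ == "__main__":
    for name, doc in [("letter.docx", build_document(False)),
                      ("invoice.docm", build_document(True)),
                      ("invoice.docx", build_document(True))]:
        print(name, macro_report(name, doc)["findings"])
```

The check deliberately reads the part names and content types rather than trusting the extension: an attacker can rename a macro-carrying file, and a part that is present but undeclared (or declared but absent) is itself a sign that the package was hand-built. Legacy .DOC and .XLS files are OLE containers, not zips, and need a separate parser.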

2.10. Worms

A worm is a different kind of malicious program: Once activated, it takes action by itself
—it requires no human intervention to spread. A worm contains all the means necessary
to spread from computer to computer with amazing, terrifying speed.

In 2001, for example, the Code Red worm infected over 350,000 servers on the Internet
in less than 14 hours. In 2003, the Sapphire/SQL Slammer worm spread worldwide in
only 10 minutes, infecting at least 75,000 systems in that time. In 2002, a university
researcher described a hypothetical “Flash Worm” which could, if engineered properly,
spread to hundreds of thousands of servers in just a minute or two. We can hope that one
stays hypothetical. But I wouldn’t bet on it.

Worms are among the most feared phenomenon in large organizations, because they can
start without warning and spread so quickly. They can bring a large organization to its
knees in less time than even the most adept organization can realize that something is
amiss.

Some examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, and Mapson.

2.11. Directory

An operating system finds files by looking up the path (composed of the disk drive and
directory) in which each file is stored.

Directory viruses change the entries that indicate where a file's data is located on disk. By
executing a program (a file with the extension .EXE or .COM) whose directory entry has
been altered by the virus, you are unwittingly running the virus program, while the
original file's data remains on disk where the virus left it.

Once infected, the original files can no longer be located through their directory entries.
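The damage done by FAT viruses (2.8) and directory viruses (2.11) is visible in the relationship between directory entries and the cluster chains in the file allocation table, so a check that walks every chain and cross-checks it against the directory finds both. The Python script below is an added example, not part of the original text; it serves both sections. The FAT16 table and directory entries are constructed in memory, and the "infected" directory models a virus that has pointed several executables' starting clusters at its own cluster: the original data is still allocated on disk, but no directory entry leads to it.

```python
"""Walk FAT16 cluster chains and flag cross-linked, truncated and lost clusters.

Added example, not from the original text; it serves both the FAT (2.8) and
directory (2.11) sections. The FAT and directory entries are constructed in
memory. The "infected" directory models a virus that points several
executables' starting clusters at its own cluster: the original file data is
still on disk, but no directory entry leads to it any more.
"""
FAT16_BAD = 0xFFF7
FAT16_EOC = 0xFFF8          # 0xFFF8..0xFFFF all mean "end of chain"
BYTES_PER_CLUSTER = 512     # small, for the demo

# Index = cluster number; entries 0 and 1 are reserved (media descriptor, EOC).
CLEAN_FAT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0xFFFF, 7, 0xFFFF, 0, 0, 0, 0]
CLEAN_DIR = [
    {"name": "EDIT.EXE",   "start": 2, "size": 1500},   # clusters 2,3,4
    {"name": "README.TXT", "start": 5, "size": 200},    # cluster 5
    {"name": "FORMAT.COM", "start": 6, "size": 800},    # clusters 6,7
]
# Virus body occupies cluster 9; both executables now "start" there.
INFECTED_FAT = CLEAN_FAT[:9] + [0xFFFF] + CLEAN_FAT[10:]
INFECTED_DIR = [
    {"name": "EDIT.EXE",   "start": 9, "size": 1500},
    {"name": "README.TXT", "start": 5, "size": 200},
    {"name": "FORMAT.COM", "start": 9, "size": 800},
]


def walk_chain(fat, start):
    """Follow a chain from `start`; returns (clusters, status)."""
    clusters = []
    cur = start
    while True:
        if cur >= FAT16_EOC:
            return clusters, "ok"
        if cur == FAT16_BAD:
            return clusters, "bad-cluster"
        if cur < 2:
            return clusters, "free-cluster"      # chain runs into unallocated space
        if cur >= len(fat):
            return clusters, "out-of-range"
        if cur in clusters:
            return clusters, "loop"
        clusters.append(cur)
        cur = fat[cur]


def audit(fat, directory, bytes_per_cluster=BYTES_PER_CLUSTER):
    """Cross-check every directory entry against the FAT; returns findings."""
    findings, owners = [], {}
    for entry in directory:
        clusters, status = walk_chain(fat, entry["start"])
        if status != "ok":
            findings.append(f"{entry['name']}: chain ends with {status}")
        needed = -(-entry["size"] // bytes_per_cluster)   # ceiling division
        if len(clusters) != needed:
            findings.append(f"{entry['name']}: size implies {needed} clusters, chain has {len(clusters)}")
        for c in clusters:
            owners.setdefault(c, []).append(entry["name"])
    for c, names in sorted(owners.items()):
        if len(names) > 1:
            findings.append(f"cluster {c} cross-linked: {', '.join(names)}")
    allocated = {c for c in range(2, len(fat)) if fat[c] != 0}
    lost = sorted(allocated - set(owners))
    if lost:
        findings.append(f"lost clusters (allocated, no directory entry): {lost}")
    return findings


if __name__ == "__main__":
    print("clean:", audit(CLEAN_FAT, CLEAN_DIR))
    print("infected:", audit(INFECTED_FAT, INFECTED_DIR))
```

These are the same conditions a disk checker reports as cross-linked files and lost clusters. On a live system the FAT must be read after a clean boot: a resident stealth virus that hooks the disk services will hand a scanner the corrected values and the audit sees nothing wrong.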

2.12. Trojans

Another unsavory breed of malicious code is Trojans or Trojan horses, which unlike
viruses do not reproduce by infecting other files, nor do they self-replicate like worms.

Trojans work in a similar way to their mythological namesake, the famous wooden horse
that hid Greek soldiers so that they could enter the city of Troy undetected.

They appear to be harmless programs that enter a computer through any channel. When
such a program is executed (they have names or characteristics which trick the user into
doing so), it installs other programs on the computer that can be harmful.

A Trojan may not activate its effects at first, but when it does, it can wreak havoc on
your system. Trojans have the capacity to delete files, destroy information on your hard
drive and open up a backdoor to your system. This gives an outside user complete access
to the system, allowing them to copy and send out confidential information.

Some examples of Trojans are: IRC.Sx2, Trifor.

2.13. Encrypted

Encryption is a technique used by viruses so that their body cannot be matched by the
signatures held by antivirus programs.

The virus encodes or encrypts itself so as to be hidden from scans; before performing its
task it decrypts itself. Once it has unleashed its payload the virus goes back into hiding
in its encrypted form, so only the small decryption routine is ever present in plain code.

Examples of encrypted viruses include: Elvira, Trile.

2.14. Logic Bombs

A logic bomb is a piece of code intentionally inserted into a software system that will set
off a malicious function when specified conditions are met. For example, a programmer
may hide a piece of code that starts deleting files (such as the salary database), should
they ever leave the company.
Software that is inherently malicious, such as viruses and worms, often contains logic
bombs that execute a certain payload at a pre-defined time or when some other condition
is met. This technique can be used by a virus or worm to gain momentum and spread
before being noticed. Many viruses attack their host systems on specific dates, such as
Friday the 13th or April Fools' Day. Trojans that activate on certain dates are often called
"time bombs".
To be considered a logic bomb, the payload should be unwanted and unknown to the user
of the software. As an example, trial programs with code that disables certain
functionality after a set time are not normally regarded as logic bombs.

2.15. Polymorphic

In computer terminology, polymorphic code is code that mutates while keeping the
original algorithm intact. This technique is sometimes used by computer viruses,
shellcode and computer worms to hide their presence.
Most anti-virus software and intrusion detection systems attempt to locate malicious code
by searching through computer files and data packets sent over a computer network. If
the security software finds patterns that correspond to known computer viruses or worms,
it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult
for such software to locate the offending code as it constantly mutates.
Encryption is the most commonly used method of achieving polymorphism in code: the
body is stored encrypted under a key that changes with each copy, so it never presents the
same bytes twice. The decryption routine, however, has to stay in plain code, and a fixed
decryption routine would itself be a usable signature. Malicious programmers have
therefore sought to protect their polymorphic code from this virus-scanning strategy by
rewriting the unencrypted decryption engine each time the virus or worm is propagated.
Anti-virus software uses sophisticated pattern analysis to find underlying patterns within
the different mutations of the decryption engine (or emulates the decryptor to recover the
body and scans that), in hopes of reliably detecting such malware.
The first known polymorphic virus was written by Mark Washburn. The virus, called
1260, was written in 1990. A more well-known polymorphic engine was released in 1992
by the Bulgarian cracker Dark Avenger (a pseudonym) as a means of avoiding pattern
recognition by antivirus software.
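The Python script below is an added example, not part of the original text, and serves both the encrypted (2.13) and polymorphic sections. It is a toy polymorphic engine and the two scanning strategies just described: a plain signature scan on the stored bytes, and a scan that matches the decryption loop with the key byte wildcarded, recovers the key and operation, decrypts what follows and rescans. Everything is constructed: the "virus body" is a harmless byte string, the decryptor loops are real 16-bit x86 encodings but are never executed, the offset operand of the `mov si/di` is left as a 0 placeholder, and the junk bytes are three harmless instructions.

```python
"""A toy polymorphic engine beside the two scanning strategies the text describes.

Added example, not from the original text; it serves the encrypted (2.13) and
polymorphic (2.15) sections. Everything here is constructed: the "virus body"
is a harmless byte string, the decryptor loops are real 16-bit x86 encodings
but are never executed, and the scanner only reads bytes.
"""
import random

# Constructed plaintext body and the signature a scanner would hold for it.
BODY = b"\xb4\x09\xba\x00\x01\xcd\x21\xb8\x00\x4c\xcd\x21" + b"DEMO-BODY"
BODY_SIG = b"\xcd\x21\xb8\x00\x4c\xcd\x21"

# Decryption loops the engine can emit, as (bytes before key, op, bytes after key):
#   80 34 kk  xor byte [si],kk ; 46 inc si ; E2 FA loop   (plus the di/sub variants)
LOOPS = [
    (b"\x80\x34", "xor", b"\x46\xe2\xfa"),
    (b"\x80\x35", "xor", b"\x47\xe2\xfa"),
    (b"\x80\x2c", "sub", b"\x46\xe2\xfa"),
    (b"\x80\x2d", "sub", b"\x47\xe2\xfa"),
]
JUNK = [b"\x90", b"\xfc", b"\x89\xc0"]   # nop ; cld ; mov ax,ax


def transform(data: bytes, op: str, key: int, encrypt: bool) -> bytes:
    """XOR is its own inverse; a SUB decryptor means the engine encrypts with ADD."""
    if op == "xor":
        return bytes(b ^ key for b in data)
    delta = key if encrypt else -key
    return bytes((b + delta) & 0xFF for b in data)


def make_variant(rng: random.Random) -> bytes:
    """One 'infection': fresh key, register/op choice, setup order and junk."""
    key = rng.randrange(1, 256)
    pre, op, post = rng.choice(LOOPS)
    load_reg = b"\xbe" if post[0] == 0x46 else b"\xbf"   # mov si/di, imm16
    setup = [b"\xb9" + len(BODY).to_bytes(2, "little"),  # mov cx, len
             load_reg + b"\x00\x00"]                     # body offset: 0 placeholder
    rng.shuffle(setup)
    junk = b"".join(rng.choice(JUNK) for _ in range(rng.randrange(0, 4)))
    decryptor = junk + b"".join(setup) + pre + bytes([key]) + post
    return decryptor + transform(BODY, op, key, encrypt=True)


def static_scan(sample: bytes) -> bool:
    """Plain signature match on the stored bytes: defeated by any key but 0."""
    return BODY_SIG in sample


def decryptor_scan(sample: bytes):
    """Match the loop with the key byte wildcarded, recover op and key, decrypt
    what follows and rescan. Returns (found, op, key)."""
    for pre, op, post in LOOPS:
        i = sample.find(pre)
        while i != -1:
            key_pos = i + len(pre)
            if sample[key_pos + 1:key_pos + 1 + len(post)] == post:
                key = sample[key_pos]
                body = sample[key_pos + 1 + len(post):]
                if BODY_SIG in transform(body, op, key, encrypt=False):
                    return True, op, key
            i = sample.find(pre, i + 1)
    return False, None, None


def demo(n: int = 50, seed: int = 7):
    rng = random.Random(seed)
    variants = [make_variant(rng) for _ in range(n)]
    static_hits = sum(static_scan(v) for v in variants)
    generic_hits = sum(decryptor_scan(v)[0] for v in variants)
    return static_hits, generic_hits, len(set(variants))


if __name__ == "__main__":
    static_hits, generic_hits, distinct = demo()
    print(f"{distinct} distinct variants; static signature found {static_hits}, "
          f"decryptor-aware scan found {generic_hits}")
```

The static scan finds none of the variants because the body bytes differ in every copy, while the decryptor-aware scan finds all of them: the engine here only has four loop shapes, so the loop itself is a signature once the key byte is wildcarded. A real engine varies far more (register choice, instruction substitution, junk inside the loop), which is why scanners moved from wildcard patterns to emulating the decryptor until the body appears.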

2.16. False Viruses

Hoax warnings are often mistaken for viruses but are something else entirely. It is
important to know the difference between a real virus threat and a false one.

Hoaxes are not viruses; they are false messages sent by e-mail, warning users of a non-
existent virus. The intention is to spread rumors, causing panic and alarm among users
who receive this kind of information.

Occasionally, hoax warnings include technical terms to mislead users. On some other
occasions, the names of some press agencies are mentioned in the heading of the
warnings. In this way, the hoax author attempts to trick users into believing that they have
received a warning about a real virus. Hoaxes try to fool the user into performing a series
of actions to protect themselves from the virus, sometimes leading to negative results.

Users are advised not to pay attention to these misleading warnings and delete these
messages once received without sending them to others.

3. Infection Strategies

In order to replicate itself, a virus must be permitted to execute code and write to
memory. For this reason, many viruses attach themselves to executable files that may be
part of legitimate programs. If a user tries to start an infected program, the virus' code
may be executed first. Viruses can be divided into two types, on the basis of their
behavior when they are executed. Nonresident viruses immediately search for other hosts
that can be infected, infect these targets, and finally transfer control to the application
program they infected. Resident viruses do not search for hosts when they are started.
Instead, a resident virus loads itself into memory on execution and transfers control to the
host program. The virus stays active in the background and infects new hosts when those
files are accessed by other programs or the operating system itself.

3.1. Nonresident viruses

Nonresident viruses can be thought of as consisting of a finder module and a replication
module. The finder module is responsible for finding new files to infect. For each new
executable file the finder module encounters, it calls the replication module to infect that
file.

3.2. Resident viruses

Resident viruses contain a replication module that is similar to the one that is employed
by nonresident viruses. However, this module is not called by a finder module. Instead,
the virus loads the replication module into memory when it is executed and ensures that
this module is executed each time the operating system is called to perform a certain
operation. For example, the replication module can be called each time the operating
system executes a file. In this case, the virus infects every suitable program that is
executed on the computer.
Resident viruses are sometimes subdivided into a category of fast infectors and a
category of slow infectors. Fast infectors are designed to infect as many files as possible.
For instance, a fast infector can infect every potential host file that is accessed. This poses
a special problem to anti-virus software, since a virus scanner will access every potential
host file on a computer when it performs a system-wide scan. If the virus scanner fails to
notice that such a virus is present in memory, the virus can "piggy-back" on the virus
scanner and in this way infect all files that are scanned, which is why a scan should be run
after booting from a clean medium on which the virus is not resident. Fast infectors rely on their fast
infection rate to spread. The disadvantage of this method is that infecting many files may
make detection more likely, because the virus may slow down a computer or perform
many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the
other hand, are designed to infect hosts infrequently. For instance, some slow infectors
only infect files when they are copied. Slow infectors are designed to avoid detection by
limiting their actions: they are less likely to slow down a computer noticeably, and will at
most infrequently trigger anti-virus software that detects suspicious behavior by
programs. The slow infector approach does not seem very successful, however.

4. Vectors and hosts

Viruses have targeted various types of transmission media or hosts.

• Binary executable files (such as COM files and EXE files in MS-DOS, Portable
Executable files in Microsoft Windows, and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and Microsoft
Windows, VBScript files, and shell script files on Unix-like platforms).
• Application-specific script files (such as Telix-scripts)
• Documents that can contain macros (such as Microsoft Word documents,
Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database
files)
• Cross-site scripting vulnerabilities in web applications
• Arbitrary computer files. An exploitable buffer overflow, format string, race
condition or other exploitable bug in a program which reads the file could be used
to trigger the execution of code hidden within it. Most bugs of this type can be
made more difficult to exploit in computer architectures with protection features
such as an execute disable bit and/or address space layout randomization.

PDFs, like HTML, may link to malicious code.

In operating systems that use file extensions to determine program associations (such as
Microsoft Windows), the extensions may be hidden from the user by default. This makes
it possible to create a file that is of a different type than it appears to the user. For
example, an executable may be created named "picture.png.exe", of which the user sees
only "picture.png", and therefore assumes that this file is an image and most likely safe.

4.1.Cross-site scripting

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in
web applications which allows code injection by malicious web users into the web pages
viewed by other users. Examples of such code include HTML code and client-side
scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass
access controls such as the same-origin policy. Vulnerabilities of this kind have been
exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site
scripting carried out on websites accounted for roughly 80% of all documented security
vulnerabilities. Often during an attack "everything looks fine" to the end-user, who may
be subject to unauthorized access, theft of sensitive data, and financial loss.

4.1.1. Types of XSS

• Non-Persistent

The non-persistent or Type 1 cross-site scripting hole is also referred to as a reflected
vulnerability, and is by far the most common type. These holes show up when data
provided by a web client is used immediately by server-side scripts to generate a page of
results for that user. If unvalidated user-supplied data is included in the resulting page
without HTML encoding, this will allow client-side code to be injected into the dynamic
page. A classic example of this is in site search engines: if one searches for a string which
includes some HTML special characters, often the search string will be redisplayed on
the result page to indicate what was searched for, or will at least include the search terms
in the text box for easier editing. If any occurrence of the search terms is not HTML
entity encoded, an XSS hole will result.

At first blush, this does not appear to be a serious problem since users can only inject
code into their own pages. However, with a small amount of social engineering, an
attacker could convince a user to follow a malicious URL which injects code into the
results page, giving the attacker full access to that page's content. Due to the general
requirement of the use of some social engineering in this case (and normally in Type 0
vulnerabilities as well), many programmers have disregarded these holes as not terribly
important. This misconception is sometimes applied to XSS holes in general (even
though this is only one type of XSS) and there is often disagreement in the security
community as to the importance of cross-site scripting vulnerabilities.

Non-persistent XSS vulnerabilities in Google could allow its members to be impersonated when payloads
used UTF-7 encoding.

• Persistent

The persistent or Type 2 XSS vulnerability is also referred to as a stored or second-order
vulnerability, and it allows the most powerful kinds of attacks. A type 2 XSS
vulnerability exists when data provided to a web application by a user is first stored
persistently on the server (in a database, file system, or other location), and later
displayed to users in a web page without being encoded using HTML entities. A classic
example of this is with online message boards, where users are allowed to post HTML
formatted messages for other users to read.

Persistent XSS can be more significant than other types because an attacker's malicious
script is rendered more than once. Potentially, such an attack could affect a large number
of users with little need for social engineering, and the application could be infected by a
cross-site scripting virus or worm.

The methods of injection can vary a great deal, and an attacker may not need to use the
web application itself to exploit such a hole. Any data received by the web application
(via email, system logs, etc.) that can be controlled by an attacker must be encoded prior
to re-display in a dynamic page, else an XSS vulnerability of this type could result.
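An added example, not taken from the original report, showing the defensive pattern that both the reflected case (the search engine above) and the stored case call for: untrusted text is kept raw and HTML-entity encoded at the moment it is written into a page, whatever channel it arrived through. The MessageBoard class, the search-results renderer and the sample post are constructed for this example; encoding uses Python's standard html.escape.

```python
import html


class MessageBoard:
    """Minimal stored-message board (constructed): raw posts in, encoding applied only at render time."""

    def __init__(self):
        self.posts = []  # (author, body) exactly as received: web form, e-mail gateway, log import, ...

    def post(self, author, body):
        self.posts.append((author, body))

    def render_unsafe(self):
        # The vulnerable pattern: untrusted text concatenated straight into the page markup.
        return "".join(f"<li><b>{a}</b>: {b}</li>" for a, b in self.posts)

    def render(self):
        # html.escape(quote=True) turns & < > " ' into entities, so the browser shows them as text.
        return "".join(
            f"<li><b>{html.escape(a, quote=True)}</b>: {html.escape(b, quote=True)}</li>"
            for a, b in self.posts
        )


def render_search_results(query):
    """Reflected case: the term is echoed in the body and in the input box; both get encoded."""
    q = html.escape(query, quote=True)
    return f'<p>Results for "{q}"</p><input type="text" name="q" value="{q}">'


def contains_raw_markup(rendered, untrusted):
    """Review check: untrusted text containing markup characters must never appear verbatim."""
    return untrusted in rendered and any(c in untrusted for c in "<>\"'")


if __name__ == "__main__":
    board = MessageBoard()
    board.post("mallory", "<script>alert(1)</script>")  # constructed test post
    print("unsafe:", board.render_unsafe())
    print("encoded:", board.render())
    print(render_search_results('"><b>x'))
```

Encoding at output rather than at input is what makes the log and e-mail sources the text mentions safe as well: the store never has to know where a string came from, only the renderer has to be correct.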

A persistent cross-zone scripting vulnerability and computer worm allowed execution of arbitrary code and
listing of file system contents via a QuickTime movie on MySpace.

4.1.2. Mitigation

Avoiding XSS requires action on the part of the user. Defense against XSS falls also to
content and web application developers, and to browser vendors. Users can usually
disable scripting, several best practices exist for content developers, web applications can
be tested and reviewed before release, and some browsers today implement a few access-
control policies.

• Early policies

Several high profile security vulnerabilities followed the Netscape introduction in 1995
of the JavaScript language. Netscape began to realize some of the security risks of
allowing a Web server to send executable code to a browser (even if only in a browser
sandbox). The company introduced the same origin policy in Netscape Navigator version
2. One key problem is the case where users have more than one browser window or tab
open at once. In some instances, a script from one page should be allowed to access data
from another page or object, but in others, this should be strictly forbidden because a
malicious website could attempt to steal sensitive information. The policy forbids
browsers to load a script when it crosses the boundary of the current Window object
unless the script originated from the same domain and over the same protocol and the
same port if port is specified. Essentially, this policy was intended to allow interaction
between objects and pages but in theory a malicious Web site would not be able to access
sensitive data in another browser window. Unfortunately browser vendors implemented
the policy in different ways and the result was unpredictable behavior. The policy also
had loopholes, for example, an HTML element embedded in a page or resource at the
origin host may link to a script hosted elsewhere and the browser will load that script
when it loads the page. Since then, other similar access-control policies have been
adopted in other browsers and client-side scripting languages to protect end-users from
malicious Web sites but the policies may depend on the user themselves to guide access
control according to their preferences. For example, digital signatures might identify
scripts and their source to the user or user agent before a script can load.

• Escaping and filtering

One way to eliminate some XSS vulnerabilities is to encode locally or at the server all
user-supplied HTML special characters into character entities, thereby preventing them
from being interpreted as HTML. Unfortunately, users of many kinds of web applications
(commonly forums and webmail) wish to use some of the features HTML provides.
Some web applications such as social networking sites like MySpace and mainstream
forum and blog software like WordPress and Movable Type attempt to identify malicious
HTML constructs, and neutralize them, either by removing or encoding them. But due to
the flexibility and complexity of HTML and related standards, and the continuous
addition of new features, it is almost impossible to know for sure if all possible injections
are eliminated. Capabilities differ greatly among filtering systems and as of 2007 in
Google's case were being written in house. In order to eliminate certain injections, any
server-side algorithm must reject broken HTML, understand how every browser will
interpret broken HTML, or (preferably) fix the HTML to be well-formed using
techniques akin to those of HTML Tidy.

• Input validation

Input validation for all potentially malicious data sources is another way to mitigate XSS.
This is a common theme in application development (even outside of web development)
and is generally very useful. For instance, if a form accepts some field, which is supposed
to contain a phone number, a server-side routine could remove all characters other than
digits, parentheses, and dashes, such that the result cannot contain a script. Input
validation may help to mitigate other injection attacks such as SQL injection as well.
While effective for most types of input, there are times when an application, by design,
must be able to accept special HTML characters, such as '<' and '>'. In these situations,
HTML entity encoding is the only option.
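Added example (not from the original report) of the phone-number validation described above, in Python: one routine strips everything except digits, parentheses and dashes, a stricter one rejects input that does not match an expected shape instead of repairing it, and a free-text field that must by design accept '<' and '>' falls back to entity encoding. The form layout and the phone-number pattern are constructed assumptions.

```python
import html
import re

# Everything that is NOT a digit, parenthesis or dash (the character set named in the text).
PHONE_DISALLOWED = re.compile(r"[^0-9()\-]")
# Constructed shape for an accepted number, e.g. (555)123-4567 or 555-123-4567.
PHONE_SHAPE = re.compile(r"^\(?\d{3}\)?-?\d{3}-?\d{4}$")


def sanitize_phone(raw):
    """Remove every character outside the allow-list; what remains cannot contain a script."""
    return PHONE_DISALLOWED.sub("", raw)


def validate_phone(raw):
    """Stricter: return the cleaned number only if it has an expected shape, else None (reject)."""
    cleaned = sanitize_phone(raw)
    return cleaned if PHONE_SHAPE.match(cleaned) else None


def validate_form(fields):
    """Constructed form handler: typed fields are allow-listed, free text is entity-encoded."""
    clean, errors = {}, {}
    phone = validate_phone(fields.get("phone", ""))
    if phone is None:
        errors["phone"] = "not a phone number"
    else:
        clean["phone"] = phone
    # A comment field must accept '<' and '>' by design, so validation cannot help here;
    # HTML entity encoding is the only option, as the text says.
    clean["comment"] = html.escape(fields.get("comment", ""), quote=True)
    return clean, errors


if __name__ == "__main__":
    print(validate_form({"phone": "(555) 123-4567<script>", "comment": "<b>hi</b>"}))
    print(validate_form({"phone": "call me", "comment": ""}))
```

Rejecting rather than silently repairing is the better default for typed fields: a value that needed repair is evidence that something other than a user filled in the form.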

• Cookie security

Besides content filtering, other methods for XSS mitigation are also commonly used. One
example is that of cookie security. Many web applications rely on session cookies for
authentication between individual HTTP requests, and because client-side scripts
generally have access to these cookies, simple XSS exploits can steal these cookies. To
mitigate this particular threat (though not the XSS problem in general), many web
applications tie session cookies to the IP address of the user who originally logged in, and
only permit that IP to use that cookie. This is effective in most situations (if an attacker is
only after the cookie), but obviously breaks down in situations where an attacker is
behind the same NATed IP address or web proxy. IE (since version 6) and Firefox (since
version 2.0.0.5) have an HttpOnly flag which allows a web server to set a cookie that is
unavailable to client-side scripts but while beneficial, the feature does not prevent cookie
theft nor can it prevent attacks within the browser.
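Added example, not from the original report, of the two cookie mitigations described above, written in Python with the standard-library http.cookies module: a session cookie issued with the HttpOnly (and Secure) attribute, and a constructed session store that binds each session to the IP address seen at login.

```python
import secrets
from http.cookies import SimpleCookie


def build_session_cookie(session_id, secure=True):
    """Set-Cookie header for a session cookie that client-side script cannot read (HttpOnly)."""
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["httponly"] = True   # document.cookie no longer exposes it to injected scripts
    c["sid"]["secure"] = secure   # only sent over HTTPS
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:")


class SessionStore:
    """Constructed in-memory store: each session remembers the client IP seen at login."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, client_ip):
        sid = secrets.token_urlsafe(32)          # unguessable identifier
        self._sessions[sid] = (user, client_ip)
        return sid

    def lookup(self, sid, client_ip):
        """Return the user only when the cookie is presented from the IP that logged in."""
        entry = self._sessions.get(sid)
        if entry is None or entry[1] != client_ip:
            return None
        return entry[0]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "203.0.113.5")           # constructed documentation address
    print(build_session_cookie(sid))
    print("same IP:", store.lookup(sid, "203.0.113.5"))
    print("other IP:", store.lookup(sid, "198.51.100.7"))
```

Two clients behind the same NAT present the same address to lookup(), which is exactly the limitation the text notes. HttpOnly likewise only stops script from reading the cookie; a script already running in the victim's page can still issue requests that carry it.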

• Eliminating scripts

Finally, while Web 2.0 and Ajax designers favor the use of JavaScript, some web
applications are written to (sometimes optionally) operate completely without the need
for client-side scripts. This allows users, if they choose, to disable scripting in their
browsers before using the application. In this way, even potentially malicious client-side
scripts could be inserted un-escaped on a page and users would not be susceptible to XSS
attacks.

Many browsers can be configured to disable client-side scripts on a per-domain basis. If
scripting is allowed by default, then this approach is of limited value, since it blocks bad
sites only after the user knows that they are bad, which is too late. Functionality that
blocks all scripting and external inclusions by default and then allows the user to enable it
on a per-domain basis is more effective. This has been possible for a long time in IE
(since version 4) by setting up its so called "Security Zones", and in Opera (since version
9) using its "Site Specific Preferences". A solution for Firefox and other Gecko-based
browsers is the open source NoScript add-on which has anti-XSS protection.

The most significant problem with blocking all scripts on all websites by default is
substantial reduction in functionality and responsiveness (client-side scripting can be
much faster than server-side scripting because it does not need to connect to a remote
server and the page or frame does not need to be reloaded). Another problem with script
blocking is that many users do not understand it, and do not know how to properly secure
their browsers. Another drawback is that many sites do not work without client-side
scripting, forcing users to disable protection for that site and opening their systems to the
threat.

4.1.3. Related vulnerabilities

Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone
scripting exploits "zone" concepts in software and usually executes code with a greater
privilege. HTTP header injection can be used to create cross-site scripting conditions in
addition to allowing attacks such as HTTP response splitting. Cross-site request forgery
(CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust
in a site, the attacker exploits the site's trust in the client software, submitting requests
that the site believes come from its own authenticated users. SQL injection exploits a
vulnerability in the database layer of an application. When user input is incorrectly
filtered, arbitrary SQL statements can be executed by the application. Content spoofing is a
similar attack where markup language is injected without script with the intention of
presenting unintended content as native to the site instead of running malicious code in a
victim's browser.
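An added example (not part of the original report) of the usual defence against the CSRF case described above: a per-session token derived with an HMAC, which every state-changing form must echo back and which the server checks with a constant-time comparison. The browser attaches the session cookie to any request, but a foreign site cannot read the token, so a forged request arrives with the cookie and without the token. The request dictionary shape, handle_transfer and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; in practice a long-lived secret kept outside the code.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Per-session token: an HMAC of the session id, so it cannot be derived without the secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session_id, submitted_token):
    """Constant-time comparison against the token expected for this session."""
    if not submitted_token:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted_token)


def handle_transfer(request):
    """Constructed state-changing handler: the cookie alone is not enough, the form token must match."""
    sid = request.get("cookie_sid")          # sent automatically by the browser
    token = request.get("form_csrf_token")   # only present if the real form was rendered to this user
    if sid is None or not csrf_token_is_valid(sid, token):
        return 403, "forbidden: missing or invalid CSRF token"
    return 200, f"transfer of {request['amount']} accepted"


if __name__ == "__main__":
    sid = "session-of-alice"                 # constructed session id
    token = issue_csrf_token(sid)            # embedded in the genuine form as a hidden field
    print(handle_transfer({"cookie_sid": sid, "form_csrf_token": token, "amount": 50}))
    print(handle_transfer({"cookie_sid": sid, "amount": 50}))   # forged: cookie but no token
```

Note that an XSS hole in the same site defeats this: script running in the victim's origin can read the form and its token, which is one reason the text calls the two attacks near-opposites that still need separate fixes.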

5. Virus Methods to avoid detection

In order to avoid detection by users, some viruses employ different kinds of deception.
Some old viruses, especially on the MS-DOS platform, make sure that the "last modified"
date of a host file stays the same when the file is infected by the virus. This approach
does not fool anti-virus software, however, especially products which maintain and date
cyclic redundancy checks on file changes.

Some viruses can infect files without increasing their sizes or damaging the files. They
accomplish this by overwriting unused areas of executable files. These are called cavity
viruses. For example the CIH virus, or Chernobyl Virus, infects Portable Executable files.
Because those files have many empty gaps, the virus, which was 1 KB in length, did not
add to the size of the file.

Some viruses try to avoid detection by killing the tasks associated with antivirus software
before it can detect them.

As computers and operating systems grow larger and more complex, old hiding
techniques need to be updated or replaced. Defending a computer against viruses may
demand that a file system migrate towards detailed and explicit permission for every kind
of file access.

5.1. Avoiding bait files and other undesirable hosts

A virus needs to infect hosts in order to spread further. In some cases, it might be a bad
idea to infect a host program. For example, many anti-virus programs perform an
integrity check of their own code. Infecting such programs will therefore increase the
likelihood that the virus is detected. For this reason, some viruses are programmed not to
infect programs that are known to be part of anti-virus software. Another type of host that
viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially
created by anti-virus software, or by anti-virus professionals themselves, to be infected by
a virus. These files can be created for various reasons, all of which are related to the
detection of the virus:

• Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy
of a program file that is infected by the virus). It is more practical to store and
exchange a small, infected bait file, than to exchange a large application program
that has been infected by the virus.
• Anti-virus professionals can use bait files to study the behavior of a virus and
evaluate detection methods. This is especially useful when the virus is
polymorphic. In this case, the virus can be made to infect a large number of bait
files. The infected files can be used to test whether a virus scanner detects all
versions of the virus.
• Some anti-virus software employs bait files that are accessed regularly. When
these files are modified, the anti-virus software warns the user that a virus is
probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can
benefit from not infecting them. Viruses typically do this by avoiding suspicious
programs, such as small program files or programs that contain certain patterns of
'garbage instructions'.
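As an added illustration of the third use of bait files listed above (not code from the original report or from any anti-virus product), the following Python creates a few decoy files, records their size and SHA-256 hash, and reports any that were modified since. File names and contents are constructed for the example.

```python
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_bait_files(directory, count=3, size=4096):
    """Write small decoy files that look like programs and record a baseline of size and hash."""
    baseline = {}
    for i in range(count):
        path = os.path.join(directory, f"goat{i}.exe")        # constructed bait file name
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x90" * (size - 2))           # executable-looking header plus padding
        baseline[path] = (os.path.getsize(path), _sha256(path))
    return baseline


def check_bait_files(baseline):
    """Bait files are never legitimately written, so any size or content change is a warning."""
    modified = []
    for path, (size, digest) in baseline.items():
        if (not os.path.exists(path)
                or os.path.getsize(path) != size
                or _sha256(path) != digest):
            modified.append(path)
    return modified


def demo():
    """Create bait files, verify them, simulate one being written to, verify again."""
    with tempfile.TemporaryDirectory() as d:
        baseline = create_bait_files(d)
        before = check_bait_files(baseline)
        first = next(iter(baseline))
        with open(first, "r+b") as f:      # constructed 'infection': overwrite part of the padding
            f.seek(1024)
            f.write(b"X" * 64)
        after = check_bait_files(baseline)
        return before, after


if __name__ == "__main__":
    untouched, touched = demo()
    print("before:", untouched)
    print("after:", [os.path.basename(p) for p in touched])
```

Comparing the hash as well as the size matters: a cavity infector that overwrites unused padding leaves the size unchanged, and a date-preserving infector leaves the timestamp unchanged, but neither can keep the hash.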

A related strategy to make baiting difficult is sparse infection. Sometimes, sparse
infectors do not infect a host file that would be a suitable candidate for infection in other
circumstances. For example, a virus can decide on a random basis whether to infect a file
or not, or a virus can only infect host files on particular days of the week.

5.2. Stealth

Some viruses try to trick anti-virus software by intercepting its requests to the operating
system. A virus can hide itself by intercepting the anti-virus software’s request to read the
file and passing the request to the virus, instead of the OS. The virus can then return an
uninfected version of the file to the anti-virus software, so that it seems that the file is
"clean". Modern anti-virus software employs various techniques to counter stealth
mechanisms of viruses. The only completely reliable method to avoid stealth is to boot
from a medium that is known to be clean.

5.3. Self-modification

Most modern antivirus programs try to find virus-patterns inside ordinary programs by
scanning them for so-called virus signatures. A signature is a characteristic byte-pattern
that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in
a file, it notifies the user that the file is infected. The user can then delete, or (in some
cases) "clean" or "heal" the infected file. Some viruses employ techniques that make
detection by means of signatures difficult but probably not impossible. These viruses
modify their code on each infection. That is, each infected file contains a different variant
of the virus.

5.4. Encryption with a variable key

A more advanced method is the use of simple encryption to encipher the virus. In this
case, the virus consists of a small decrypting module and an encrypted copy of the virus
code. If the virus is encrypted with a different key for each infected file, the only part of
the virus that remains constant is the decrypting module, which would (for example) be
appended to the end. In this case, a virus scanner cannot directly detect the virus using
signatures, but it can still detect the decrypting module, which still makes indirect
detection of the virus possible. Since these would be symmetric keys, stored on the
infected host, it is in fact entirely possible to decrypt the final virus, but that probably
isn't required, since self-modifying code is such a rarity that it may be reason for virus
scanners to at least flag the file as suspicious.

An old, but compact, encryption involves XORing each byte in a virus with a constant, so
that the exclusive-or operation had only to be repeated for decryption. It is suspicious
code that modifies itself, so the code to do the encryption/decryption may be part of the
signature in many virus definitions.
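An added example (not from the original report), in Python, of what a scanner can do against the constant-key XOR scheme just described, covering both the plain signature scan of 5.3 and the variable-key case of 5.4. The signature bytes, the key and the sample file are all constructed for the example. Because XOR with a single byte is its own inverse, the scanner does not need the virus's decryptor at all: it either decodes the file under each of the 256 possible keys, or, cheaper, encodes the signature under each key and searches for that.

```python
# Constructed signature: a byte pattern chosen for this demo, not a real virus definition.
SIGNATURE = bytes.fromhex("deadbeef0badf00d")


def xor_bytes(data, key):
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def scan_plain(data, signature=SIGNATURE):
    """Classic signature scan: offset of the first occurrence, or -1."""
    return data.find(signature)


def scan_xor_encrypted(data, signature=SIGNATURE):
    """Try every single-byte key, decode the file, look for the signature.
    Returns (key, offset) or None; key 0 is the unencrypted case."""
    for key in range(256):
        off = xor_bytes(data, key).find(signature)
        if off != -1:
            return key, off
    return None


def scan_xor_fast(data, signature=SIGNATURE):
    """Same result without decoding the whole file: encode the (short) signature instead."""
    for key in range(256):
        off = data.find(xor_bytes(signature, key))
        if off != -1:
            return key, off
    return None


def make_sample(key):
    """Constructed 'infected' file: an unencrypted stub, then a body holding the signature, XORed."""
    body = b"\x00" * 64 + SIGNATURE + b"\xcc" * 32
    return b"\x90" * 16 + xor_bytes(body, key)


if __name__ == "__main__":
    sample = make_sample(0x37)
    print("plain scan:", scan_plain(sample))            # -1: the body is encoded
    print("key search:", scan_xor_encrypted(sample))    # (55, 80)
    print("fast search:", scan_xor_fast(sample))        # (55, 80)
```

The cost is 256 searches instead of one, which is why the text says the constant-key scheme gives little protection; the decryptor stub (here the fixed 16-byte prefix) is in any case left in the clear and can be signatured directly.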

5.5. Polymorphic code

Polymorphic code was the first technique that posed a serious threat to virus scanners.
Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted
copy of itself, which is decoded by a decryption module. In the case of polymorphic
viruses, however, this decryption module is also modified on each infection. A well-
written polymorphic virus therefore has no parts which remain identical between
infections, making it very difficult to detect directly using signatures. Anti-virus software
can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis
of the encrypted virus body. To enable polymorphic code, the virus has to have a
polymorphic engine (also called mutating engine or mutation engine) somewhere in its
encrypted body. See Polymorphic code for technical detail on how such engines operate.

Some viruses employ polymorphic code in a way that constrains the mutation rate of the
virus significantly. For example, a virus can be programmed to mutate only slightly over
time, or it can be programmed to refrain from mutating when it infects a file on a
computer that already contains copies of the virus. The advantage of using such slow
polymorphic code is that it makes it more difficult for anti-virus professionals to obtain
representative samples of the virus, because bait files that are infected in one run will
typically contain identical or similar samples of the virus. This will make it more likely
that the detection by the virus scanner will be unreliable, and that some instances of the
virus may be able to avoid detection.
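Added example (not from the original report) of the statistical pattern analysis mentioned above: Shannon entropy computed over sliding windows flags regions whose byte distribution looks encrypted rather than like ordinary code, which a changing decryptor cannot hide. The window size, threshold and sample file are constructed for this example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0 for a constant run, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data, window=512, step=256, threshold=7.0):
    """Slide a window over the file; return (offset, entropy) for windows above the threshold."""
    hits = []
    for off in range(0, max(1, len(data) - window + 1), step):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def make_sample():
    """Constructed file: 1 KB of repetitive code-like bytes, then 1 KB that looks encrypted."""
    rng = random.Random(1)                         # fixed seed so the example is reproducible
    code_like = bytes((i * 7) % 13 for i in range(1024))   # only 13 distinct byte values
    encrypted = bytes(rng.randrange(256) for _ in range(1024))
    return code_like + encrypted


if __name__ == "__main__":
    data = make_sample()
    print("entropy of code-like part:", round(shannon_entropy(data[:1024]), 2))
    print("entropy of encrypted part:", round(shannon_entropy(data[1024:]), 2))
    print("flagged windows:", high_entropy_windows(data))
```

A constant-key XOR, as in 5.4, preserves byte frequencies and so does not raise entropy; this check complements a key-recovery scan rather than replacing it. Packed or compressed legitimate executables also score high, so a hit is a reason to emulate or inspect the region, not a verdict on its own.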

5.6. Metamorphic code

To avoid being detected by emulation, some viruses rewrite themselves completely each
time they are to infect new executables. Viruses that use this technique are said to be
metamorphic. To enable metamorphism, a metamorphic engine is needed. A
metamorphic virus is usually very large and complex. For example, W32/Simile
consisted of over 14000 lines of Assembly language code, 90% of which is part of the
metamorphic engine.

6. Vulnerability and countermeasures

6.1. Vulnerability

In computer security, the term vulnerability is applied to a weakness in a system which
allows an attacker to violate the integrity of that system. Vulnerabilities may result from
weak passwords, software bugs, a computer virus or other malware, a script code
injection, or a SQL injection.

A security risk is classified as a vulnerability if it is recognized as a possible means of
attack. A security risk with one or more known instances of working and fully
implemented attacks is classified as an exploit.

Constructs in programming languages that are difficult to use properly can be a large
source of vulnerabilities.

6.1.1. Causes of Vulnerability

• Password Management Flaws: The computer user uses weak passwords that
could be discovered by brute force. The computer user stores the password on the
computer where a program can access it. Users re-use passwords between many
programs and websites.

• Fundamental Operating System Design Flaws: The operating system designer
chooses to enforce sub-optimal policies on user/program management. For
example, operating systems with policies such as default permit grant every
program and every user full access to the entire computer. This operating system
flaw allows viruses and malware to execute commands on behalf of the
administrator.

• Software Bugs: The programmer leaves an exploitable bug in a software
program. The software bug may allow an attacker to misuse an application, for
example through unchecked user input.

• Unchecked User Input: The program assumes that all user input is safe.
Programs that do not check user input can allow unintended direct execution of
commands or SQL statements (known as buffer overflows, SQL injection or other
non-validated inputs).

6.1.2. Identifying and removing vulnerabilities

Many software tools exist that can aid in the discovery (and sometimes removal) of
vulnerabilities in a computer system. Though these tools can provide an auditor with a
good overview of possible vulnerabilities present, they can not replace human judgment.
Relying solely on scanners will yield false positives and a limited-scope view of the
problems present in the system.

Vulnerabilities have been found in every major operating system including Windows,
Mac OS, various forms of UNIX and Linux, OpenVMS, and others. The only way to
reduce the chance of a vulnerability being used against a system is through constant
vigilance, including careful system maintenance (e.g. applying software patches), best
practices in deployment (e.g. the use of firewalls and access controls) and auditing (both
during development and throughout the deployment lifecycle).

6.2. The vulnerability of operating systems to viruses

Just as genetic diversity in a population decreases the chance of a single disease wiping
out a population, the diversity of software systems on a network similarly limits the
destructive potential of viruses.

This became a particular concern in the 1990s, when Microsoft gained market dominance
in desktop operating systems and office suites. The users of Microsoft software
(especially networking software such as Microsoft Outlook and Internet Explorer) are
especially vulnerable to the spread of viruses. Microsoft software is targeted by virus
writers due to their desktop dominance, and is often criticized for including many errors
and holes for virus writers to exploit. Integrated and non-integrated Microsoft
applications (such as Microsoft Office) and applications with scripting languages with
access to the file system (for example Visual Basic Script (VBS), and applications with
networking features) are also particularly vulnerable.

Although Windows is by far the most popular operating system for virus writers, some
viruses also exist on other platforms. Any operating system that allows third-party
programs to run can theoretically run viruses. Some operating systems are less secure
than others. Unix-based OSes (and NTFS-aware applications on Windows NT based
platforms) only allow their users to run executables within their own protected memory
space.

Internet-based research revealed that there were cases when people willingly pressed
a particular button to download a virus. Security analyst Didier Stevens ran a half-year
advertising campaign on Google AdWords which said "Is your PC virus-free? Get it
infected here!" The result was 409 clicks.

As of 2006, there are relatively few security exploits targeting Mac OS X (with a Unix-
based file system and kernel). The number of viruses for the older Apple operating
systems, known as Mac OS Classic, varies greatly from source to source, with Apple
stating that there are only four known viruses, and independent sources stating there are
as many as 63 viruses. It is safe to say that Macs are less likely to be targeted because of
low market share and thus a Mac-specific virus could only infect a small proportion of
computers (making the effort less desirable). Virus vulnerability between Macs and
Windows is a chief selling point, one that Apple uses in their Get Mac advertising.

Windows and UNIX have similar scripting abilities, but while UNIX natively blocks
normal users from having access to make changes to the operating system environment,
older copies of Windows such as Windows 95 and 98 do not. In 1997, when a virus for
Linux was released – known as "Bliss" – leading antivirus vendors issued warnings that
Unix-like systems could fall prey to viruses just like Windows. The Bliss virus may be
considered characteristic of viruses – as opposed to worms – on UNIX systems. Bliss
requires that the user run it explicitly (so it is a Trojan), and it can only infect programs
that the user has the access to modify. Unlike Windows users, most UNIX users do not
log in as an administrator user except to install or configure software; as a result, even if a
user ran the virus, it could not harm their operating system. The Bliss virus never became
widespread, and remains chiefly a research curiosity. Its creator later posted the source
code to Usenet, allowing researchers to see how it worked.

6.3. Role of software development

Because software is often designed with security features to prevent unauthorized use of
system resources, many viruses must exploit software bugs in a system or application to
spread. Software development strategies that produce large numbers of bugs will
generally also produce potential exploits.

6.4. Anti-virus software and other preventive measures

Many users install anti-virus software that can detect and eliminate known viruses after
the computer downloads or runs the executable. There are two common methods that an
anti-virus software application uses to detect viruses. The first, and by far the most
common, method of virus detection is to use a list of virus signature definitions. This
works by examining the content of the computer's memory (its RAM, and boot sectors)
and the files stored on fixed or removable drives (hard drives, floppy drives), and
comparing those files against a database of known virus "signatures". The disadvantage
of this detection method is that users are only protected from viruses that pre-date their
last virus definition update. The second method is to use a heuristic algorithm to find
viruses based on common behaviors. This method has the ability to detect viruses that
anti-virus security firms have yet to create a signature for.

Some anti-virus programs are able to scan opened files in addition to sent and received e-
mails 'on the fly' in a similar manner. This practice is known as "on-access scanning."
Anti-virus software does not change the underlying capability of host software to transmit
viruses. Users must update their software regularly to patch security holes. Anti-virus
software also needs to be regularly updated in order to prevent the latest threats.

One may also minimize the damage done by viruses by making regular backups of data
(and the Operating Systems) on different media that are either kept unconnected to the
system (most of the time), read-only, or not accessible for other reasons, such as using
different file systems. This way, if data is lost through a virus, one can start again using
the backup (which should preferably be recent). A notable exception to this rule is the
Gammima virus, which propagates via infected removable media (specifically flash
drives). If a backup session on optical media like CD and DVD is closed, it becomes
read-only and can no longer be affected by a virus (so long as a virus or infected file was
not copied onto the CD/DVD). Likewise, an Operating System on a bootable medium can
be used to start the computer if the installed Operating Systems become unusable. Another
method is to use different Operating Systems on different file systems. A virus is not
likely to affect both. Data backups can also be put on different file systems. For example,
Linux requires specific software to write to NTFS partitions, so if one does not install
such software and uses a separate installation of MS Windows to make the backups on an
NTFS partition, the backup should remain safe from any Linux viruses. Likewise, MS
Windows cannot read file systems like ext3, so if one normally uses MS Windows, the
backups can be made on an ext3 partition using a Linux installation.

6.5. Recovery methods

Once a computer has been compromised by a virus, it is usually unsafe to continue using
the same computer without completely reinstalling the operating system. However, there
are a number of recovery options that exist after a computer has a virus. These actions
depend on severity of the type of virus.

6.5.1. Virus removal

One possibility on Windows Me, Windows XP and Windows Vista is a tool known as
System Restore, which restores the registry and critical system files to a previous
checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will
render a system restore point from the same day corrupt. Restore points from previous
days should work provided the virus is not designed to corrupt the restore files or also
exists in previous restore points. Some viruses, however, disable system restore and other
important tools such as Task Manager and Command Prompt. An example of a virus that
does this is CiaDoor.

Administrators have the option to disable such tools from limited users for various
reasons. The virus modifies the registry to do the same, except, when the Administrator is
controlling the computer, it blocks all users from accessing the tools. When an infected
tool activates it gives the message "Task Manager has been disabled by your
administrator.", even if the user trying to open the program is the administrator.

Users running a Microsoft operating system can access Microsoft's website to run a free
scan, provided they have their 20-digit registration number.

6.5.2. Operating system reinstallation

Reinstalling the operating system is another approach to virus removal. It involves simply
reformatting the OS partition and installing the OS from its original media, or imaging
the partition with a clean backup image (taken with Ghost or Acronis for example).

This method has the benefits of being simple to do, can be faster than running multiple
anti-virus scans, and is guaranteed to remove any malware. Downsides include having to
reinstall all other software as well as the operating system. User data can be backed up by
booting off of a Live CD or putting the hard drive into another computer and booting
from the other computer's operating system (though care must be taken not to transfer the
virus to the new computer).

7. Attack tree

Attack trees are conceptual diagrams of threats on computer systems and possible
attacks to reach those threats. The concept was suggested by Bruce Schneier, CIO of
Counterpane Internet Security. Attack trees are similar to threat trees. Threat trees have
been discussed by Edward Amoroso.

7.1. Basic

Attack trees are multi-leveled diagrams consisting of one root, leaves, and children. From
the bottom up, child nodes are conditions which must be satisfied to make the direct
parent node true; when the root is satisfied, the attack is complete. Each node may be
satisfied only by its direct child nodes.

A node may be the child of another node; in such a case, it becomes logical that multiple
steps must be taken to carry out an attack. For example, consider classroom computers
which are secured to the desks. To steal one, the securing cable must be cut or the lock
unlocked. The lock may be unlocked by picking or by obtaining the key. The key may be
obtained by threatening a key holder, bribing a keyholder, or taking it from where it is
stored (e.g. under a mouse mat). Thus a four level attack tree can be drawn, of which one
path is (Bribe Keyholder, Obtain Key, Unlock Lock, and Steal Computer).

Note also that an attack described in a node may require one or more of many attacks
described in child nodes to be satisfied. Our above condition shows only OR conditions;
however, an AND condition can be created, for example, by assuming an electronic alarm
which must be disabled if and only if the cable will be cut. Rather than making this task a
child node of cutting the lock, both tasks can simply reach a summing junction. Thus the
path ((Disable Alarm,Cut Cable),Steal Computer) is created.

Attack trees are related to the established fault tree formalism. Fault tree methodology
employs Boolean expressions to gate conditions when parent nodes are satisfied by leaf
nodes. By attaching a priori probabilities to each node, it is possible to calculate
probabilities for higher nodes using Bayes' rule. However, in reality accurate
probability estimates are either unavailable or too expensive to gather. With respect to
computer security with active participants (i.e., attackers), the probability distribution of
events is probably neither independent nor uniform, hence naive Bayesian analysis is
unsuitable.

Attack tree for computer viruses. Here we assume a system such as Windows NT, where not all users have
full system access. All child nodes operate on OR conditions.

7.2.Examination

Attack trees can become very large and complex, especially when dealing with specific attacks.
A full attack tree may contain hundreds or thousands of different paths all leading to
completion of the attack. Even so, these trees are very useful for determining what threats
exist and how to deal with them.

Attack trees can lend themselves to defining an information assurance strategy. It is
important to consider, however, that implementing policy to execute this strategy changes
the attack tree. For example, computer viruses may be protected against by refusing the
system administrator access to directly modify existing programs and program folders,
instead requiring a package manager be used. This adds to the attack tree the possibility
of design flaws or exploits in the package manager.

One could observe that the most effective way to mitigate a threat on the attack tree is to
mitigate it as close to the root as possible. Although this is theoretically sound, it is not
usually possible to simply mitigate a threat without other implications to the continued
operation of the system. For example, the threat of viruses infecting a Windows system
may be largely reduced by using NTFS instead of FAT file system so that normal users
are unable to modify installed programs. Implementing this negates any possible way,
foreseen or unforeseen, that a normal user may come to infect the system with a virus;
however, it also requires that users switch to an administrative account to carry out
administrative tasks, thus creating a different set of threats on the tree and more
operational overhead.
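As an added example (not part of the original text), the classroom-computer tree from section 7.1 modelled in Python: OR and AND nodes, every attack path enumerated as a set of leaf actions, and the mitigation point just made checked by removing leaves and re-computing the cheapest remaining path. The effort costs are constructed scores chosen for illustration, not measurements.

```python
"""Attack-tree model of the classroom-computer example: OR/AND nodes, attack
paths (cut sets) and a "what does mitigating this buy us" check.
Added example; leaf costs are constructed relative effort scores."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Node:
    """One node of an attack tree. Leaves are attacker actions; an OR node is
    satisfied by any child, an AND node (the text's "summing junction") by all."""
    name: str
    kind: str = "leaf"                 # "leaf" | "or" | "and"
    children: Tuple["Node", ...] = ()
    cost: int = 0                      # constructed effort score, leaves only


def leaf(name: str, cost: int) -> Node:
    return Node(name, "leaf", (), cost)


def any_of(name: str, *children: Node) -> Node:
    return Node(name, "or", children)


def all_of(name: str, *children: Node) -> Node:
    return Node(name, "and", children)


# Constructed tree following section 7.1: the alarm/cable pair is an AND
# junction, every other branch is an OR.
CLASSROOM_TREE = any_of(
    "Steal Computer",
    all_of("Defeat Cable", leaf("Disable Alarm", 40), leaf("Cut Cable", 10)),
    any_of(
        "Unlock Lock",
        leaf("Pick Lock", 30),
        any_of(
            "Obtain Key",
            leaf("Threaten Keyholder", 50),
            leaf("Bribe Keyholder", 20),
            leaf("Take Key From Storage", 5),   # e.g. from under a mouse mat
        ),
    ),
)


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Every set of leaf actions that, taken together, satisfies `node`.
    OR unions its children's sets; AND combines one set from each child."""
    if node.kind == "leaf":
        return {frozenset([node.name])}
    if node.kind == "or":
        return set().union(*(cut_sets(c) for c in node.children))
    if node.kind == "and":
        combined: Set[FrozenSet[str]] = {frozenset()}
        for child in node.children:
            combined = {a | b for a in combined for b in cut_sets(child)}
        return combined
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaf_costs(node: Node) -> Dict[str, int]:
    """Map every leaf action in the tree to its constructed cost."""
    if node.kind == "leaf":
        return {node.name: node.cost}
    costs: Dict[str, int] = {}
    for child in node.children:
        costs.update(leaf_costs(child))
    return costs


def cheapest_attack(node: Node, mitigated: Iterable[str] = ()
                    ) -> Optional[Tuple[int, FrozenSet[str]]]:
    """Cheapest attack path left once the leaves in `mitigated` are made
    infeasible by a defender's control. Returns None when no path survives,
    i.e. the root can no longer be satisfied."""
    blocked = set(mitigated)
    costs = leaf_costs(node)
    viable = [cs for cs in cut_sets(node) if not (cs & blocked)]
    if not viable:
        return None
    best = min(viable, key=lambda cs: (sum(costs[a] for a in cs), sorted(cs)))
    return sum(costs[a] for a in best), best


if __name__ == "__main__":
    costs = leaf_costs(CLASSROOM_TREE)
    print("Attack paths (leaf sets) and constructed cost:")
    for cs in sorted(cut_sets(CLASSROOM_TREE), key=lambda c: sum(costs[a] for a in c)):
        print(f"  {sum(costs[a] for a in cs):3d}  {' + '.join(sorted(cs))}")
    # Mitigating deep in the tree (lock the key away) only moves the attacker
    # to the next-cheapest leaf; mitigating the whole Unlock Lock branch,
    # closer to the root, leaves only the alarm-and-cable path.
    print("Key storage secured:", cheapest_attack(CLASSROOM_TREE, {"Take Key From Storage"}))
    unlock_leaves = leaf_costs(CLASSROOM_TREE.children[1])
    print("Lock branch removed:", cheapest_attack(CLASSROOM_TREE, unlock_leaves))
```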

8. Adware, Malware, and keystroke logging

8.1.Adware

Adware or advertising-supported software is any software package which
automatically plays, displays, or downloads advertisements to a computer after the
software is installed on it or while the application is being used. Some types of adware
are also spyware and can be classified as privacy-invasive software. The authors of these
applications include additional code that delivers the ads, which can be viewed through
pop-up windows or through a bar that appears on a computer screen. The justification for
adware is that it helps recover programming development cost and helps to hold down the
cost for the user.

Adware has been criticized because it usually includes code that tracks a user's personal
information and passes it on to third parties, without the user's authorization or
knowledge. This practice has been dubbed spyware and has prompted an outcry from
computer security and privacy advocates, including the Electronic Privacy Information
Center.

Noted privacy software expert Steve Gibson of Gibson Research explains: "Spyware is
any software (that) employs a user's Internet connection in the background (the so-called
'backchannel') without their knowledge or explicit permission. Silent background use of
an Internet 'backchannel' connection must be preceded by a complete and truthful
disclosure of proposed backchannel usage, followed by the receipt of explicit, informed
consent for such use. Any software communicating across the Internet absent of these
elements is guilty of information theft and is properly and rightfully termed: Spyware."

Some adware is also shareware, and so the word may be used as a term of distinction to
differentiate between types of shareware software. What differentiates adware from other
shareware is that it is primarily advertising-supported. Users may also be given the option
to pay for a "registered" or "licensed" copy to do away with the advertisements.

Adware can also download and install potentially unwanted programs (PUPs).

8.1.1.Prevention and detection

Programs have been developed to detect, quarantine, and remove spyware. As there are
many examples of adware software that are also spyware or malware, many of these
detection programs have been developed to detect, quarantine, and remove adware as
well. Among the more prominent of these applications are Ad-Aware and Spybot - Search
& Destroy. These programs are designed specifically for spyware detection and will not
detect viruses, although some commercial antivirus software can also detect adware and
spyware, or offer a separate spyware detection package.

8.2.Malware

Malware, a portmanteau from the words malicious and software, is software designed to
infiltrate or damage a computer system without the owner's informed consent. The
expression is a general term used by computer professionals to mean a variety of forms of
hostile, intrusive, or annoying software or program code. The term "computer virus" is
sometimes used as a catch-all phrase to include all types of malware, including true
viruses.

Software is considered malware based on the perceived intent of the creator rather than
any particular features. Malware includes computer viruses, worms, Trojan horses, most
rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted
software. In law, malware is sometimes known as a computer contaminant, for instance
in the legal codes of several American states, including California and West Virginia.

Malware is not the same as defective software, that is, software which has a legitimate
purpose but contains harmful bugs.

Preliminary results from Symantec published in 2008 suggested that "the release rate of
malicious code and other unwanted programs may be exceeding that of legitimate
software applications." According to F-Secure, "As much malware was produced in 2007
as in the previous 20 years altogether". Malware's most common pathway from criminals
to users is through the Internet, by email and the World Wide Web.

8.2.1.Malware Classification

• Infectious malware: viruses and worms

The best-known types of malware, viruses and worms, are known for the manner in
which they spread, rather than any other particular behavior. The term computer virus is
used for a program which has infected some executable software and which causes that
software, when run, to spread the virus to other executable software. Viruses may also
contain a payload which performs other actions, often malicious. A worm, on the other
hand, is a program which actively transmits itself over a network to infect other
computers. It too may carry a payload.

These definitions lead to the observation that a virus requires user intervention to spread,
whereas a worm spreads automatically. Using this distinction, infections transmitted by
email or Microsoft Word documents, which rely on the recipient opening a file or email
to infect the system, would be classified as viruses rather than worms.

Some writers in the trade and popular press appear to misunderstand this distinction, and
use the terms interchangeably.

• Concealment: Trojan horses, rootkits, and backdoors

Trojan horses

For a malicious program to accomplish its goals, it must be able to do so without being
shut down, or deleted by the user or administrator of the computer it's running on.
Concealment can also help get the malware installed in the first place. When a malicious
program is disguised as something innocuous or desirable, users may be tempted to
install it without knowing what it does. This is the technique of the Trojan horse or
Trojan.

Broadly speaking, a Trojan horse is any program that invites the user to run it, but
conceals a harmful or malicious payload. The payload may take effect immediately and
can lead to many undesirable effects, such as deleting all the user's files, or more
commonly it may install further harmful software into the user's system to serve the
creator's longer-term goals. Trojan horses known as droppers are used to start off a worm
outbreak, by injecting the worm into users' local networks.

One of the most common ways that spyware is distributed is as a Trojan horse, bundled
with a piece of desirable software that the user downloads from the Internet. When the
user installs the software, the spyware is installed alongside. Spyware authors who
attempt to act in a legal fashion may include an end-user license agreement which states
the behavior of the spyware in loose terms, and which the users are unlikely to read or
understand.

Rootkits

Once a malicious program is installed on a system, it is often useful to the creator if it
stays concealed. The same is true when a human attacker breaks into a computer directly.
Techniques known as rootkits allow this concealment, by modifying the host operating
system so that the malware is hidden from the user. Rootkits can prevent a malicious
process from being visible in the system's list of processes, or keep its files from being
read. Originally, a rootkit was a set of tools installed by a human attacker on a UNIX
system where the attacker had gained administrator (root) access. Today, the term is used
more generally for concealment routines in a malicious program.

Some malicious programs contain routines to defend against removal: not merely to hide
themselves, but to repel attempts to remove them. An early example of this behavior is
recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V timesharing
system:

“Each ghost-job would detect the fact that the other had been killed, and would
start a new copy of the recently slain program within a few milliseconds. The only
way to kill both ghosts was to kill them simultaneously (very difficult) or to
deliberately crash the system.”

Similar techniques are used by some modern malware, wherein the malware starts a
number of processes which monitor one another and restart any process which is killed
off by the operator.

Backdoors

A backdoor is a method of bypassing normal authentication procedures. Once a system
has been compromised (by one of the above methods, or in some other way), one or more
backdoors may be installed, in order to allow the attacker access in the future. The idea
has often been suggested that computer manufacturers preinstall backdoors on their
systems to provide technical support for customers, but this has never been reliably
verified. Crackers typically use backdoors to secure remote access to a computer, while
attempting to remain hidden from casual inspection. To install backdoors crackers may
use Trojan horses, worms, or other methods.

• Malware for profit: spyware, botnets, keystroke loggers, and dialers

During the 1980s and 1990s, it was usually taken for granted that malicious programs
were created as a form of vandalism or prank (although some viruses were spread only to
discourage users from illegal software exchange.) More recently, the greater share of
malware programs have been written with a financial or profit motive in mind. This can
be taken as the malware authors' choice to monetize their control over infected systems:
to turn that control into a source of revenue.

Since 2003 or so, the most costly form of malware in terms of time and money spent in
recovery has been the broad category known as spyware. Spyware programs are
commercially produced for the purpose of gathering information about computer users,
showing them pop-up ads, or altering web-browser behavior for the financial benefit of
the spyware creator. For instance, some spyware programs redirect search engine results
to paid advertisements. Others, often called "stealware" by the media, overwrite affiliate
marketing codes so that revenue goes to the spyware creator rather than the intended
recipient.

Spyware programs are sometimes installed as Trojan horses of one sort or another. They
differ in that their creators present themselves openly as businesses, for instance by
selling advertising space on the pop-ups created by the malware. Most such programs
present the user with an end-user license agreement which purportedly protects the
creator from prosecution under computer contaminant laws. However, spyware EULAs
have not yet been upheld in court.

Another way that financially-motivated malware creators can profit from their infections
is to directly use the infected computers to do work for the creator. Spammer viruses,
such as the Sobig and Mydoom virus families, are commissioned by e-mail spam gangs.
The infected computers are used as proxies to send out spam messages. The advantage to
spammers of using infected computers is that they are available in large supply (thanks to
the virus) and they provide anonymity, protecting the spammer from prosecution.
Spammers have also used infected PCs to target anti-spam organizations with distributed
denial-of-service attacks.

In order to coordinate the activity of many infected computers, attackers have used
coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an
Internet Relay Chat channel or other chat system. The attacker can then give instructions
to all the infected systems simultaneously. Botnets can also be used to push upgraded
malware to the infected systems, keeping them resistant to anti-virus software or other
security measures.

Lastly, it is possible for a malware creator to profit by simply stealing from the person
whose computer is infected. Some malware programs install a key logger, which copies
down the user's keystrokes when entering a password, credit card number, or other
information that may be useful to the creator. This is then transmitted to the malware
creator automatically, enabling credit card fraud and other theft. Similarly, malware may
copy the CD key or password for online games, allowing the creator to steal accounts or
virtual items.

Another way of stealing money from the infected PC owner is to take control of the
modem and dial an expensive toll call. Dialer software dials up a premium-rate telephone
number such as a U.S. "900 number" and leaves the line open, charging the toll to the
infected user.

• Data-stealing malware

Data-stealing malware is a web threat that divests victims of personal and proprietary
information with the intent of monetizing stolen data through direct use or underground
distribution. Content security threats that fall under this umbrella include keyloggers,
screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to
activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these
threats result in file download or direct installation, as most hybrid attacks do, files that
act as agents to proxy information will fall into the data-stealing malware category.

Characteristics of data-stealing malware

o Does not leave traces of the event
  - The malware is typically stored in the local cache, which is
    routinely flushed
  - The malware may be installed via a drive-by-download process
  - The website hosting the malware, as well as the malware itself, is
    generally temporary or rogue
o Frequently changes and extends its functions
  - It is difficult for antivirus software to detect final payload attributes
    due to the combinations of malware components
  - The malware uses multiple file encryption levels
  - Malware kits sold via underground forums are able to generate
    different files on-the-fly
o Thwarts Intrusion Detection Systems (IDS) after successful installation
  - There are no perceivable network anomalies
  - The malware hides in web traffic
  - The malware is stealthier in terms of traffic and resource use
o Thwarts disk encryption
  - Data is stolen during decryption and display
  - The malware can monitor keystrokes and passwords
o Thwarts Data Loss Prevention (DLP)
  - Leakage protection hinges on metadata tagging, and not everything is
    tagged
  - Miscreants can use encryption to port data

8.2.2.Vulnerability to malware

In this context, as throughout, it should be borne in mind that the “system” under attack
may be of various types, e.g. a single computer and operating system, a network or an
application.

Various factors make a system more vulnerable to malware:

• Homogeneity – e.g. when all computers in a network run the same OS, if you can
hack that OS, you can break into any computer running it.
• Defects – most systems contain errors which may be exploited by malware.
• Unconfirmed code – code from a floppy disk, CD-ROM or USB device may be
executed without the user’s agreement.
• Over-privileged users – some systems allow all users to modify their internal
structures.
• Over-privileged code – most popular systems allow code executed by a user all
rights of that user.

An often cited cause of vulnerability of networks is homogeneity or software
monoculture. In particular, Microsoft Windows has such a large share of the market that
concentrating on it will enable a cracker to subvert a large number of systems.
Introducing inhomogeneity purely for the sake of robustness would however bring high
costs in terms of training and maintenance.

Most systems contain bugs which may be exploited by malware. A typical example is the
buffer overrun, in which an interface designed to store data in a small area of memory
allows the caller to supply more data than will fit. This extra data then overwrites the
interface's own structure. In this way malware can force the system to execute malicious
code, by replacing legitimate code with its own payload.

Originally, PCs had to be booted from floppy disks, and until recently it was common for
this to be the default boot device. This meant that a corrupt floppy disk could subvert the
computer during booting, and the same applies to CDs. Although that is now less
common, it is still possible to forget that one has changed the default, and rare that a
BIOS makes one confirm a boot from removable media.

In some systems, non-administrator users are over-privileged by design, in the sense
that they are allowed to modify internal structures of the system. In some environments,
users are over-privileged because they have been inappropriately granted administrator or
equivalent status. This is primarily a configuration decision, but on Microsoft Windows
systems the default configuration is to over-privilege the user. This situation exists due to
decisions made by Microsoft to prioritize compatibility with older systems above security
configuration in newer systems and because typical applications were developed without
the under-privileged users in mind. As privilege escalation exploits have increased this
priority is shifting for the release of Microsoft Windows Vista. As a result, many existing
applications that require excess privilege (over-privileged code) may have compatibility
problems with Vista. However, Vista's User Account Control feature attempts to remedy
applications not designed for under-privileged users through virtualization, acting as a
crutch to resolve the privileged access problem inherent in legacy applications.

Malware, running as over-privileged code, can use this privilege to subvert the system.
Almost all currently popular operating systems and also many scripting applications
allow code too many privileges, usually in the sense that when a user executes code, the
system allows that code all rights of that user. This makes users vulnerable to malware in
the form of e-mail attachments, which may or may not be disguised.

Given this state of affairs, users are warned only to open attachments they trust, and to be
wary of code received from un-trusted sources. It is also common for operating systems
to be designed so that device drivers need escalated privileges, while they are supplied by
more and more hardware manufacturers, some of whom may be unreliable.

8.2.3.Anti-malware programs

As malware attacks become more frequent, attention has begun to shift from viruses and
spyware protection, to malware protection, and programs have been developed to
specifically combat them.

Anti-malware programs can combat malware in two ways:

1. They can provide real time protection against the installation of malware software
on a computer. This type of spyware protection works the same way as that of
anti-virus protection in that the anti-malware software scans all incoming network
data for malware software and blocks any threats it comes across.
2. Anti-malware software programs can be used solely for detection and removal of
malware software that has already been installed onto a computer. This type of
malware protection is normally much easier to use and more popular. This
type of anti-malware software scans the contents of the Windows registry,
operating system files, and installed programs on a computer and will provide a
list of any threats found, allowing the user to choose which files to delete or
keep, or compare this list to a list of known malware components, removing files
which match.

Real-time protection from malware works identically to real-time anti-virus protection:
the software scans disk files at download time, and blocks the activity of components
known to represent malware. In some cases, it may also intercept attempts to install start-
up items or to modify browser settings. Because many malware components are installed
as a result of browser exploits or user error, using security software (some of which are
anti-malware, though many are not) to "sandbox" browsers (essentially babysit the user
and their browser) can also be effective to help restrict any damage done.

8.3.Keystroke logging

Keystroke logging (often called keylogging) is a method of capturing and recording user
keystrokes. The technique and name came from before the era of the graphical user
interface; loggers nowadays would expect to capture mouse operations as well.
Keylogging can be useful to determine sources of errors in computer systems, to study
how users interact with and access systems, and is sometimes used to measure employee
productivity on certain clerical tasks. Such systems are also highly useful for both law
enforcement and law-breaking—for instance, providing a means to obtain passwords or
encryption keys and thus bypassing other security measures. Keyloggers are widely
available on the Internet.

There are currently two types of keylogging methods, hardware and software based.

8.3.1.Keystroke Application

Keystroke logging can be achieved by both hardware and software means. Hardware key
loggers are commercially available devices which come in three types: inline devices that
are attached to the keyboard cable, devices which can be installed inside standard
keyboards, and actual replacement keyboards that contain the key logger already built-in.
The inline devices have the advantage of being able to be installed instantly on desktop
computers without integrated keyboards.

When used covertly, inline devices are easily detected by a glance at the keyboard
connector plugged into the computer. Of the three types, the most difficult to install is
also the most difficult to detect. The device that installs inside a keyboard (presumably
the keyboard the target has been using all along) requires soldering skill and extended
access to the keyboard to be modified. However, once in place, this type of device is
virtually undetectable unless specifically looked for.

8.3.2.Types of keystroke loggers

1. Local Machine software Keyloggers are software programs that are designed to
work on the target computer’s operating system. From a technical perspective there
are four categories:

• Hypervisor-based: The keylogger resides in a malware hypervisor running
underneath the operating system, which remains untouched, except that it
effectively becomes a virtual machine. See Blue Pill for a conceptual example.
• Kernel based: This method is difficult both to write and to combat. Such
keyloggers reside at the kernel level and are thus difficult to detect, especially for
user-mode applications. They are frequently implemented as rootkits that subvert
the operating system kernel and gain unauthorized access to the hardware, which
makes them very powerful. A keylogger using this method can act as a keyboard
driver, for example, and thus gain access to any information typed on the keyboard
as it goes to the operating system.
• Hook based: Such keyloggers hook the keyboard with functions provided by the
operating system. The operating system notifies them any time a key is pressed and
they record it.
• Passive methods: Here the coder uses operating system APIs like
GetAsyncKeyState(), GetForegroundWindow(), etc. to poll the state of the
keyboard or to subscribe to keyboard events. These are the easiest to write, but
where constant polling of each key is required, they can cause a noticeable
increase in CPU usage and can miss the occasional key. A more recent example
simply polls the BIOS for preboot authentication PINs that have not been cleared
from memory.
• Form grabber based: Logs web form submissions by recording the browser's
onsubmit event functions. This records form data before it is passed over the
Internet and so bypasses HTTPS encryption.

2. Remote Access software Keyloggers are local software keyloggers programmed
with an added feature to transmit recorded data out of the target computer and make
the data available to the monitor at a remote location. Remote communication is
facilitated by one of four methods:

• Data is uploaded to a website or an FTP account.
• Data is periodically emailed to a pre-defined email address.
• Data is wirelessly transmitted by means of an attached hardware system.
• It allows the monitor to log into the local machine via the Internet or Ethernet and
access the logs stored on the target machine.

3. Hardware Keyloggers are used for keystroke logging by means of a hardware circuit
that is attached somewhere in between the computer keyboard and the computer. It
logs all keyboard activity to its internal memory, which can subsequently be accessed,
for example, by typing in a secret key. A hardware keylogger has an advantage over a
software solution; because it is not dependent on the computer's operating system, it
will not interfere with any program running on the target machine and hence cannot
be detected by any software; however its physical presence may be detected.

4. Remote Access Hardware Keyloggers, otherwise known as Wireless Hardware
Keyloggers, work in much the same way as regular hardware keyloggers, except they
have the ability to be controlled and monitored remotely by means of a wireless
communication standard.

5. Wireless Keylogger sniffers collect packets of data being transferred between a wireless
keyboard and its receiver and then attempt to crack the encryption key being used to
secure wireless communications between the two devices.

6. Acoustic Keyloggers work by analyzing a recording of the sound created by
someone typing on a computer. Each character on the keyboard makes a subtly
different acoustic signature when stroked. Using statistical methods, it is then possible
to identify which keystroke signature relates to which keyboard character. This is
done by analyzing the repetition frequency of similar acoustic keystroke signatures,
the timings between different keyboard strokes and other context information such as
the probable language in which the user is writing. A fairly long recording (1000 or
more keystrokes) is required so that the statistics are meaningful.

7. Electromagnetic Radiation loggers work by passively capturing electromagnetic
emissions of a keyboard, without being physically wired to it.

8.3.3.Keylogger prevention

Currently there is no easy way to prevent keylogging. In the future, it is believed that
software with secure I/O will be protected from keyloggers. Until then, however, the best
strategy is to use common sense and a combination of several methods. It is possible to
use software to monitor the connectivity of the keyboard and log the absence as a
countermeasure against physical keyloggers. For a PS/2 keyboard, the timeout bit (BIT6
at port 100) has to be monitored. But this only makes sense when the PC is (nearly)
always on.

• Code signing

64-bit versions of Windows Vista and Server 2008 implement mandatory digital signing
of kernel-mode device drivers, thereby restricting the installation of key-logging rootkits.

• Monitoring what programs are running

A user should constantly observe what programs are installed and running on his or her
machine.

• Anti-spyware

Anti-spyware applications are able to detect many keyloggers and cleanse them.
Responsible vendors of monitoring software support detection by anti-spyware programs,
thus preventing abuse of the software.

• Firewall

Enabling a firewall does not stop keyloggers per se, but can possibly prevent transmission
of the logged material over the net if properly configured.

• Network monitors

Network monitors (also known as reverse-firewalls) can be used to alert the user
whenever an application attempts to make a network connection. This gives the user the
chance to prevent the keylogger from "phoning home" with his or her typed information.

• Automatic form filler programs

Automatic form-filling programs can prevent keylogging entirely by not using the
keyboard at all. Form fillers are primarily designed for web browsers to fill in checkout
pages and log users into their accounts. Once the user's account and credit card
information has been entered into the program, it will be automatically entered into forms
without ever using the keyboard or clipboard, thereby reducing the possibility that private
data is being recorded. (Someone with access to browser internals and/or memory can
often still get to this information; if SSL is not used, network sniffers and proxy tools can
easily be used to obtain private information too.)

It is important to generate passwords in a fashion that is invisible to keyloggers and
screenshot utilities. Using a browser integrated form filler and password generator that
does not just pop up a password on the screen is therefore key. Programs that do this can
generate and fill passwords without ever using the keyboard or clipboard.

• Alternative keyboard layouts

Most keylogging hardware/software assumes that a person is using the standard
QWERTY keyboard layout, so by using a layout such as Dvorak, captured keystrokes are
nonsense unless converted. For additional security, custom keyboard layouts can be
created using tools like the Microsoft Keyboard Layout Creator.

• One-time passwords (OTP)

Using one-time passwords is completely keylogger-safe because the recorded password is
always invalidated right after it is used. This solution is useful if you are often using
public computers where you can't verify what is running on them. One-time passwords
also prevent replay attacks, where an attacker uses the old information to impersonate
the user. One example is online banking, where one-time passwords are implemented and
protect the account from keylogging attacks as well as replay attacks.

• Smart cards

Because of the integrated circuit of smart cards, they are not affected by keyloggers and
other logging attempts. A smart card can process the information and return a
unique challenge every time you log in. The information cannot usually be used to log in
again.

• On-screen keyboards

o Program-to-program (non-web) keyboards

It is sometimes said that a third-party (or first party) on-screen keyboard program is a
good way to combat keyloggers, as it only requires clicks of the mouse. However, this is
not always true.

Most on-screen keyboards (such as the on-screen keyboard that comes with Microsoft
Windows XP) send keyboard event messages to the external target program to type text.
Every software keylogger can log these typed characters sent from one program to
another. Additionally, some programs also record or take snapshots of what is displayed
on the screen (periodically, and/or upon each mouse click).

However, there are some on-screen keyboard programs that do offer some protection,
using other techniques described in this article (such as dragging and dropping the
password from the on-screen keyboard to the target program).

o Web-based keyboards

Web-based on-screen keyboards (written in Javascript, etc.) may provide some degree of
protection. At least some commercial keylogging programs do not record typing on a
web-based virtual keyboard. (Screenshot recorders are a concern whenever entire
passwords are displayed; fast recorders are generally required to capture a sequence of
virtual key presses.)

Notably, the game MapleStory uses, in addition to a standard alphanumeric password, a
4-digit PIN code secured by both on-screen keyboard entry and a randomly changing
button pattern; there is no real way to get the latter information without logging the
screen and mouse movements. Another MMORPG, RuneScape, makes a similar
system available for players to protect their in-game bank accounts.

• Anti-keylogging software

Keylogger detection software is also available. Some software of this type uses
"signatures" from a list of all known keyloggers. The PC's legitimate users can then
periodically run a scan from this list, and the software looks for the items from the list on
the hard drive. One drawback of this approach is that it only protects from keyloggers on
the signature-based list, with the PC remaining vulnerable to other keyloggers.

Other detection software doesn't use a signature list, but instead analyzes the working
methods of many modules in the PC, allowing it to block the work of many different
types of keylogger. One drawback of this approach is that it can also block legitimate,
non-keylogging software. Some heuristics-based anti-keyloggers have the option to
unblock known good software, but this can cause difficulties for inexperienced users.

• Speech recognition

Similar to on-screen keyboards, speech-to-text conversion software can also be used
against keyloggers, since there are no typing or mouse movements involved. The weakest
point of using voice-recognition software may be how the software sends the recognized
text to target software after the recognition took place.

• Handwriting recognition and mouse gestures

Also, many PDAs and, lately, Tablet PCs can already convert pen (also called stylus)
movements on their touchscreens to computer-readable text successfully. Mouse
gestures utilize this principle by using mouse movements instead of a stylus. Mouse
gesture programs convert these strokes to user-definable actions, among others typing
text. Similarly, graphics tablets and light pens can be used to input these gestures;
however, these are being used less commonly every day.

The same potential weakness of speech recognition applies to this technique as well.

• Macro expanders/recorders

With the help of many Freeware/Shareware programs, a seemingly meaningless text can
be expanded to a meaningful text, most of the time context-sensitively, e.g. "we" can
be expanded to "en.Wikipedia.org" when a browser window has the focus. The biggest
weakness of this technique is that these programs send their keystrokes directly to the
target program. However, this can be overcome by using the 'alternating' technique
described below, i.e. sending mouse clicks to non-responsive areas of the target program,
sending meaningless keys, sending another mouse click to the target area (e.g. password
field) and switching back and forth.

• Window transparency

Using many readily available utilities, the target window could be made temporarily
transparent, in order to hinder screen-capturing by advanced keyloggers. Although not a
fool-proof technique against keyloggers on its own, this could be used in combination
with other techniques.

• Non-technological methods

Some keyloggers can be fooled by alternating between typing the login credentials and
typing characters somewhere else in the focus window. Similarly, a user can move their
cursor using the mouse during typing, causing the logged keystrokes to be in the wrong
order e.g. by typing a password beginning with the last letter and then using the mouse to
move the cursor for each subsequent letter. Lastly, someone can also use context menus
to remove, copy, cut and paste parts of the typed text without using the keyboard.

Another very similar technique utilizes the fact that any selected text portion is replaced
by the next key typed. E.g. if the password is "secret", one could type "s", then some
dummy keys "asdfsd". Then these dummies could be selected with the mouse, and the next
character from the password, "e", is typed, which replaces the dummies "asdfsd".

9. Virus Prevention Tools, Tips, and Tricks

Antivirus software is must-have protection. Keep it installed, enabled, and up-to-date at
all times. But though antivirus software is critical, alone it's not enough to keep you
protected. Follow sound security practices, install a firewall, and use other adjunct
protection in combination with your own common sense.

9.1.Tools

9.1.1.Antivirus

Antivirus software (or anti-virus) is computer software used to identify and remove
computer viruses, as well as many other types of harmful computer software, collectively
referred to as malware. While the first antivirus software was designed exclusively to
combat computer viruses (hence "antivirus"), modern antivirus software can protect
computer systems against a wide range of malware, including worms, phishing attacks,
rootkits, and Trojans.

• Identification methods

There are several methods which antivirus software can use to identify malware.
Depending on the software, more than one method may be used.

o Signature based detection is the most common method that antivirus
software utilizes to identify malware. To identify viruses and other malware,
antivirus software compares the contents of a file to a dictionary of virus
signatures. Because viruses can embed themselves in existing files, the entire
file is searched, not just as a whole, but also in pieces.
o Malicious activity detection is another way to identify malware. In this
approach, antivirus software monitors the system for suspicious program
behavior. If suspicious behavior is detected, the suspect program may be
further investigated, using signature based detection or another method listed
in this section. This type of detection can be used to identify unknown viruses.
o Heuristic-based detection is used by more advanced antivirus software. Like
malicious activity detection, heuristics can be used to identify unknown
viruses. This can be accomplished in one of two ways: file analysis and file
emulation. File analysis is the process of searching a suspect file for virus-like
instructions. For example, if a program has instructions to format the C
drive, antivirus software might further investigate the file. One downside to
this approach is that the computer may run slowly if every file is analyzed. File
emulation is another heuristic approach. File emulation involves executing a
program in a virtual environment and logging what actions the program
performs. Depending on the actions logged, the antivirus software can
determine if the program is malicious or not and then carry out the appropriate
actions.

Signature based detection

Signature based detection is the most common method that antivirus software uses to
identify malware. This method is somewhat limited by the fact that it can only identify
known viruses, unlike other methods.

When antivirus software scans a file for viruses, it checks the contents of the file against a
dictionary of virus signatures. A virus signature is the viral code, so finding a virus
signature in a file is the same as finding the virus itself. If a virus signature is found in a
file, the antivirus software can take action to remove the virus. Antivirus software will
usually perform one or more of the following actions: quarantining, repairing, or
deleting. Quarantining a file will make it inaccessible, and is usually the first action
antivirus software will take if a malicious file is found. Encrypting the file is a good
quarantining technique because it renders the file useless.
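The scanning and quarantine steps above, as an added Python example (this is not code from the original document or from any antivirus product). The signature dictionary holds made-up byte strings, and the sample file is constructed so that one signature straddles a read boundary, which is the case the remark about searching "in pieces" is about: a scanner that judges each fixed-size chunk on its own misses it, so the example carries the tail of each chunk into the next read. Quarantine here moves the file and masks its bytes with a fixed XOR, a reversible stand-in for the encryption the text mentions, not real protection.

```python
import tempfile
from pathlib import Path

# Constructed signature dictionary: name -> byte pattern.  These are made-up
# strings for illustration, not signatures of any real virus.
SIGNATURES = {
    "Example.TestSig.A": b"BADCODE-SAMPLE-SIGNATURE-A",
    "Example.TestSig.B": b"\xde\xad\xbe\xef\x00CAFE",
}
CHUNK_SIZE = 4096
QUARANTINE_MASK = 0xFF   # stand-in for real encryption (assumption of this example)


def scan_file(path, signatures=SIGNATURES, chunk_size=CHUNK_SIZE, carry_over=True):
    """Return the sorted names of all signatures found in the file.

    The file is read in chunks so large files need not be loaded whole.
    With carry_over=True the last (longest signature - 1) bytes of each chunk
    are prepended to the next one, so a signature split across two reads is
    still seen whole; with carry_over=False each chunk is judged alone and
    such a split signature is missed.
    """
    longest = max(len(sig) for sig in signatures.values())
    carry = b""
    found = set()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = carry + chunk
            for name, sig in signatures.items():
                if sig in window:
                    found.add(name)
            if carry_over and longest > 1:
                carry = window[-(longest - 1):]
    return sorted(found)


def quarantine(path, quarantine_dir):
    """Move the file into the quarantine directory with its bytes masked, so it
    can no longer be executed or opened by its normal application."""
    path = Path(path)
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    dest = quarantine_dir / (path.name + ".quarantined")
    dest.write_bytes(bytes(b ^ QUARANTINE_MASK for b in path.read_bytes()))
    path.unlink()
    return dest


def restore(quarantined_path, dest):
    """Reverse of quarantine(), for a file the user decides was a false positive."""
    data = Path(quarantined_path).read_bytes()
    Path(dest).write_bytes(bytes(b ^ QUARANTINE_MASK for b in data))
    return Path(dest)


def demo():
    """Build constructed sample files in a temporary directory, scan them and
    quarantine the one that matches.  Returns the observations as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        clean = tmp / "clean.bin"
        clean.write_bytes(b"hello world " * 1000)
        sig = SIGNATURES["Example.TestSig.A"]
        # The signature starts 10 bytes before the first chunk boundary, so
        # neither 4096-byte chunk contains it entirely.
        infected = tmp / "infected.bin"
        infected.write_bytes(b"A" * (CHUNK_SIZE - 10) + sig + b"B" * 500)
        result = {
            "clean": scan_file(clean),
            "infected": scan_file(infected),
            "infected_no_carry": scan_file(infected, carry_over=False),
        }
        qpath = quarantine(infected, tmp / "quarantine")
        result["original_removed"] = not infected.exists()
        result["quarantined_scan"] = scan_file(qpath)   # masked bytes no longer match
        restored = restore(qpath, tmp / "restored.bin")
        result["restored_scan"] = scan_file(restored)
        return result
```

The carry-over length is tied to the longest signature in the dictionary, so it has to be recomputed whenever the dictionary is updated; a real engine also normalises compressed or packed containers before matching, which this sketch does not attempt.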

Sometimes a user wants to save the content of an infected file (because viruses can
sometimes embed themselves in files, called injection.) To do this, antivirus software will
attempt to repair the file. To do this, the software will try to remove the viral code from
the file. Unfortunately, some viruses might damage the file upon injection, which means
repairing will fail.

The third action antivirus software can take against a virus is deleting it. If a file repair
operation fails, usually the best thing to do is to just delete the file. Deleting the file is
necessary if the entire file is a virus.

Because new viruses are being created each day, the signature based detection approach
requires frequent updates of the virus signature dictionary. To assist the antivirus software
companies, the software may allow the user to upload new viruses or variants to the
company. There, the virus can be analyzed and the signature added to the dictionary.

Signature-based antivirus software typically examines files when the computer's
operating system creates, opens, closes, or e-mails them. In this way it can detect a
known virus immediately upon receipt. System administrators can schedule antivirus
software to scan all files on the computer's hard disk at a set time and date.

Although the signature based approach can effectively contain virus outbreaks in the right
circumstances, virus authors have tried to stay a step ahead of such software by writing
"oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which
encrypt parts of themselves or otherwise modify themselves as a method of disguise, so
as to not match virus signatures in the dictionary.

An emerging technique to deal with malware in general is whitelisting. Rather than
looking for only known bad software, this technique prevents execution of all computer
code except that which has been previously identified as trustworthy by the system
administrator. By following this "default deny" approach, the limitations inherent in
keeping virus signatures up to date are avoided. Additionally, computer applications that
are unwanted by the system administrator are prevented from executing since they are not
on the whitelist. Since modern enterprise organizations have large quantities of trusted
applications, the limitations of adopting this technique rest with the system
administrators' ability to properly inventory and maintain the whitelist of trusted
applications. Viable implementations of this technique include tools for automating the
inventory and whitelist maintenance processes.
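The default-deny whitelist just described, as an added Python sketch (example code, not any product's implementation): the administrator's inventory step hashes every program under a trusted directory, and the policy check allows execution only when a program's SHA-256 is on that list. File names and contents are constructed. The third case in the demo is the one worth noticing: a trusted program whose bytes have changed, as after a file infector appends itself, no longer matches and is denied even though no signature dictionary knows anything about the change.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ExecutionAllowlist:
    """Default-deny execution policy: a binary may run only if its hash was
    inventoried by the administrator.  (Class and method names are assumptions
    of this example; real products also accept rules on signed publishers.)"""

    def __init__(self):
        self.allowed = {}   # sha256 hex digest -> label shown in the decision

    def inventory(self, trusted_dir) -> int:
        """Administrator-side step: record every file under a trusted directory.
        Returns the number of entries now on the list."""
        for p in sorted(Path(trusted_dir).rglob("*")):
            if p.is_file():
                self.allowed[sha256_of(p)] = p.name
        return len(self.allowed)

    def decide(self, path):
        """Return ("allow", label) or ("deny", reason).  Anything not on the list
        is denied, including a trusted program whose bytes have changed."""
        label = self.allowed.get(sha256_of(path))
        if label is None:
            return ("deny", f"{Path(path).name}: hash not on allowlist")
        return ("allow", label)


def demo():
    """Constructed files: an inventoried program, a byte-identical copy of it,
    an unknown program, and the inventoried program with bytes appended."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        trusted = tmp / "trusted"
        trusted.mkdir()
        program_bytes = b"constructed trusted program bytes"
        (trusted / "editor.exe").write_bytes(program_bytes)

        policy = ExecutionAllowlist()
        entries = policy.inventory(trusted)

        copy = tmp / "editor_copy.exe"          # same bytes, different location
        copy.write_bytes(program_bytes)
        unknown = tmp / "game.exe"              # never inventoried
        unknown.write_bytes(b"some other program")
        patched = tmp / "editor_patched.exe"    # trusted program after modification
        patched.write_bytes(program_bytes + b"APPENDED CODE")

        return {
            "entries": entries,
            "copy": policy.decide(copy)[0],
            "unknown": policy.decide(unknown)[0],
            "patched": policy.decide(patched)[0],
        }
```

Hash-based allowlisting is only as good as the inventory: every legitimate update changes the hash, which is exactly the maintenance burden the paragraph above points to, and why automated inventory tooling matters.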

Suspicious behavior monitoring

The suspicious behavior approach, by contrast, does not attempt to identify known
viruses, but instead monitors the behavior of all programs. If one program tries to write
data to an executable program, for example, the antivirus software can flag this
suspicious behavior, alert a user, and ask what to do.

Unlike the signature based approach, the suspicious behavior approach therefore provides
protection against brand-new viruses that do not yet exist in any virus dictionaries.
However, it can also raise a large number of false positives, and users may become
desensitized to the warnings. If the user clicks "Accept" on every such warning, then the
antivirus software obviously gives no benefit to that user. This problem has worsened
since 1997, since many more non-malicious program designs came to modify other .exe
files without regard to this false positive issue. In recent years, however, sophisticated
behavior analysis has emerged, which analyzes processes and calls to the kernel in
context before making a decision, which gives it a lower false positive rate than rules
based behavior monitoring.

Heuristics

Some more sophisticated antivirus software uses heuristic analysis to identify new
malware. Two methods are used: file analysis and file emulation.

As described above, file analysis is the process by which antivirus software will analyze
the instructions of a program. Based on the instructions, the software can determine
whether or not the program is malicious. For example, if the file contains instructions to
delete important system files, the file might be flagged as a virus. While this method is
useful for identifying new viruses and variants, it can trigger many false alarms.

The second heuristic approach is file emulation. By this approach, the target file is run in
a virtual system environment, separate from the real system environment. The antivirus
software would then log what actions the file takes in the virtual environment. If the
actions are found to be damaging, the file will be marked a virus. But again, this method
can trigger false alarms.

Issues of concern

1. Performance

Some antivirus software can considerably reduce performance. Users may disable the
antivirus protection to overcome the performance loss, thus increasing the risk of
infection. For maximum protection, the antivirus software needs to be enabled all the
time — often at the cost of slower performance (see also software bloat).

2. Security

Antivirus programs can in themselves pose a security risk, as they often run at the
'System' level of privileges and may hook the kernel. Both of these are necessary for the
software to do its job effectively, but they have a major downside: exploitation of the
antivirus program itself could lead to privilege escalation and create a severe security
threat. Arguably, use of antivirus software, when compared to the principle of least
privilege, is largely ineffective when the ramifications of the added software are taken
into account.

When purchasing antivirus software, the agreement may include a clause that the
subscription will be automatically renewed, and the purchaser's credit card automatically
billed, at the renewal time without explicit approval. For example, McAfee requires one
to unsubscribe at least 60 days before the expiration of the present subscription. Norton
Antivirus also renews subscriptions automatically by default.

Some antivirus programs are actually spyware masquerading as antivirus software. It is
best to double-check that the antivirus software which is being downloaded is actually a
real antivirus program.

Anti-virus manufacturers have been criticized for fear mongering by exaggerating the
risk that viruses pose to consumers.

If an antivirus program is configured to immediately delete or quarantine infected files
(or does this by default), false positives in essential files can render the operating system
or some applications unusable.

3. System related issues

Running multiple antivirus programs concurrently can harm performance. It is sometimes
necessary to temporarily disable virus protection when installing major updates such as
Windows Service Packs or updating graphics card drivers. Active antivirus protection
may partially or completely prevent the installation of a major update.

9.1.2.Virus removal tools

A virus removal tool is software for removing specific viruses from infected computers.
Unlike complete antivirus scanners, they are usually not intended to detect and remove an
extensive list of viruses; rather they are designed to remove specific viruses, usually more
effectively than normal antivirus software. Examples of these tools include McAfee
Stinger and the Microsoft Malicious Software Removal Tool (which is run automatically
by Windows update). Many of these tools are available for free download.

These tools can sometimes do a better job of removing a specific virus than conventional
antivirus software.

9.1.3.Firewall

A firewall is an integrated collection of security measures designed to prevent
unauthorized electronic access to a networked computer system. It is also a device or set
of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic
between different security domains based upon a set of rules and other criteria.

A firewall is a system designed to prevent unauthorized access to or from a private
network. Firewalls can be implemented in both hardware and software, or a combination
of both. Firewalls are frequently used to prevent unauthorized Internet users from
accessing private networks connected to the Internet, especially intranets. All messages
entering or leaving the intranet pass through the firewall, which examines each message
and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

1. Packet filter: Looks at each packet entering or leaving the network and accepts or
rejects it based on user-defined rules. Packet filtering is fairly effective and
transparent to users, but it is difficult to configure. In addition, it is susceptible to IP
spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such as
FTP and Telnet servers. This is very effective, but can impose a performance
degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection
is established. Once the connection has been made, packets can flow between the
hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy
server effectively hides the true network addresses.

Firewall Function

A firewall is a dedicated appliance, or software running on another computer, which
inspects network traffic passing through it, and denies or permits passage based on a set
of rules.

A firewall's basic task is to regulate some of the flow of traffic between computer
networks of different trust levels. Typical examples are the Internet which is a zone with
no trust and an internal network which is a zone of higher trust. A zone with an
intermediate trust level, situated between the Internet and a trusted internal network, is
often referred to as a "perimeter network" or Demilitarized zone (DMZ).

A firewall's function within a network is similar to physical firewalls with fire doors in
building construction. In the former case, it is used to prevent network intrusion to the
private network. In the latter case, it is intended to contain and delay structural fire from
spreading to adjacent structures.

Without proper configuration, a firewall can often become worthless. Standard security
practices dictate a "default-deny" firewall ruleset, in which the only network connections
which are allowed are the ones that have been explicitly allowed. Unfortunately, such a
configuration requires detailed understanding of the network applications and endpoints
required for the organization's day-to-day operation. Many businesses lack such
understanding, and therefore implement a "default-allow" ruleset, in which all traffic is
allowed unless it has been specifically blocked. This configuration makes inadvertent
network connections and system compromise much more likely.

Firewall Generations

First generation - packet filters

The first paper published on firewall technology was in 1988, when engineers from
Digital Equipment Corporation (DEC) developed filter systems known as packet filter
firewalls. This fairly basic system was the first generation of what would become a highly
evolved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and
Steve Bellovin were continuing their research in packet filtering and developed a working
model for their own company based upon their original first generation architecture.

Packet filters act by inspecting the "packets" which represent the basic unit of data
transfer between computers on the Internet. If a packet matches the packet filter's set of
rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and
send "error responses" to the source).

This type of packet filtering pays no attention to whether a packet is part of an existing
stream of traffic (it stores no information on connection "state"). Instead, it filters each
packet based only on information contained in the packet itself (most commonly using a
combination of the packet's source and destination address, its protocol, and, for TCP and
UDP traffic, the port number).

TCP and UDP protocols comprise most communication over the Internet, and because
TCP and UDP traffic by convention uses well known ports for particular types of traffic,
a "stateless" packet filter can distinguish between, and thus control, those types of traffic
(such as web browsing, remote printing, email transmission, file transfer), unless the
machines on each side of the packet filter are both using the same non-standard ports.

Second generation - "stateful" filters

From 1989-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan
Sharma, and Kshitij Nigam developed the second generation of firewalls, calling them
circuit level firewalls.

Second Generation firewalls in addition regard placement of each individual packet
within the packet series. This technology is generally referred to as stateful packet
inspection as it maintains records of all connections passing through the firewall and is
able to determine whether a packet is either the start of a new connection, a part of an
existing connection, or is an invalid packet. Though there is still a set of static rules in
such a firewall, the state of a connection can in itself be one of the criteria which trigger
specific rules.

This type of firewall can help prevent attacks which exploit existing connections, or
certain Denial-of-service attacks.

Third generation - application layer

Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T
Laboratories, and Marcus Ranum described a third generation firewall known as an
application layer firewall, also known as a proxy-based firewall. Marcus Ranum's work
on the technology spearheaded the creation of the first commercial product. The product
was released by DEC who named it the DEC SEAL product. DEC's first major sale was
on June 13, 1991 to a chemical company based on the East Coast of the USA.

TIS, under a broader DARPA contract, developed the Firewall Toolkit (FWTK), and
made it freely available under license on October 1, 1993. The purposes for releasing the
freely-available, not for commercial use, FWTK were: to demonstrate, via the software,
documentation, and methods used, how a company with (at the time) 11 years' experience
in formal security methods, and individuals with firewall experience, developed firewall
software; to create a common base of very good firewall software for others to build on
(so people did not have to continue to "roll their own" from scratch); and to "raise the
bar" of firewall software being used.

The key benefit of application layer filtering is that it can "understand" certain
applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it
can detect whether an unwanted protocol is being sneaked through on a non-standard port
or whether a protocol is being abused in any harmful way.

Subsequent developments

In 1992, Bob Braden and Annette DeSchon at the University of Southern California
(USC) were refining the concept of a firewall. The product known as "Visas" was the first
system to have a visual integration interface with colours and icons, which could be
easily implemented to and accessed on a computer operating system such as Microsoft's
Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software
Technologies built this into readily available software known as FireWall-1.

The existing deep packet inspection functionality of modern firewalls can be shared by
Intrusion-prevention systems (IPS).

Currently, the Middlebox Communication Working Group of the Internet Engineering
Task Force (IETF) is working on standardizing protocols for managing firewalls and
other middleboxes.

Types of Firewall

There are several classifications of firewalls depending on where the communication is
taking place, where the communication is intercepted and the state that is being traced.

Network layer and packet filters

Network layer firewalls, also called packet filters, operate at a relatively low level of the
TCP/IP protocol stack, not allowing packets to pass through the firewall unless they
match the established rule set. The firewall administrator may define the rules; or default
rules may apply. The term "packet filter" originated in the context of BSD operating
systems.

Network layer firewalls generally fall into two sub-categories, stateful and stateless.
Stateful firewalls maintain context about active sessions, and use that "state information"
to speed packet processing. Any existing network connection can be described by several
properties, including source and destination IP address, UDP or TCP ports, and the
current stage of the connection's lifetime (including session initiation, handshaking, data
transfer, or connection completion). If a packet does not match an existing connection, it
will be evaluated according to the ruleset for new connections. If a packet matches an
existing connection based on comparison with the firewall's state table, it will be allowed
to pass without further processing.

Stateless firewalls require less memory, and can be faster for simple filters that require
less time to filter than to look up a session. They may also be necessary for filtering
stateless network protocols that have no concept of a session. However, they cannot make
more complex decisions based on what stage communications between hosts have
reached.
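Added example (Python, not from the original document) covering both the first-generation packet filter described under Firewall Generations and the stateful/stateless distinction just made: a toy stateless filter and a toy stateful filter decide on the same three constructed packets, and both use the "default-deny" ruleset recommended earlier. Addresses in 10.0.0.0/8 play the internal network and 203.0.113.0/24 the Internet; the rule format, the Packet fields and the single state table are simplifications assumed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass

Rule = namedtuple("Rule", "direction proto sport dport action")
ANY = None   # wildcard in a rule field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for the segment that opens a TCP connection


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")      # constructed: 10.0.0.0/8 is the trusted LAN


def direction_of(pkt: Packet) -> str:
    return "out" if is_internal(pkt.src) else "in"


def rule_matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    return (rule.direction == direction
            and rule.proto == pkt.proto
            and rule.sport in (ANY, pkt.sport)
            and rule.dport in (ANY, pkt.dport))


class StatelessFilter:
    """First generation: every packet is judged on its own header fields.
    A packet that matches no rule is dropped (default deny)."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        direction = direction_of(pkt)
        for rule in self.rules:
            if rule_matches(rule, pkt, direction):
                return rule.action
        return "drop"


class StatefulFilter:
    """Second generation: the rules only govern the start of a connection;
    later packets pass because they belong to a recorded flow."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # flows as (internal ip, internal port, external ip, external port)

    def decide(self, pkt: Packet) -> str:
        direction = direction_of(pkt)
        if direction == "out":
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.state:
            return "accept"              # part of an existing connection: no rule lookup
        if not pkt.syn:
            return "drop"                # neither known nor a connection start: invalid
        for rule in self.rules:          # a genuinely new connection: consult the rules
            if rule_matches(rule, pkt, direction):
                if rule.action == "accept":
                    self.state.add(flow)
                return rule.action
        return "drop"


# To let internal clients browse the web, a stateless filter needs a second rule
# admitting inbound packets that come *from* port 80, because it cannot tell a
# reply from any other packet carrying that source port.
STATELESS_RULES = [
    Rule("out", "tcp", ANY, 80, "accept"),
    Rule("in", "tcp", 80, ANY, "accept"),
]
# The stateful filter needs only the outbound rule; replies are matched by state.
STATEFUL_RULES = [Rule("out", "tcp", ANY, 80, "accept")]


def demo():
    """Three constructed packets: a web request from inside, its reply, and an
    unsolicited inbound packet that merely carries source port 80."""
    request = Packet("10.0.0.5", 40000, "203.0.113.7", 80, syn=True)
    reply = Packet("203.0.113.7", 80, "10.0.0.5", 40000)
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.5", 8080)
    packets = (request, reply, unsolicited)
    stateless = StatelessFilter(STATELESS_RULES)
    stateful = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless.decide(p) for p in packets],
        "stateful": [stateful.decide(p) for p in packets],
    }
```

The third packet is the point of the exercise: the stateless ruleset has to let it through to keep web browsing working, whereas the stateful filter drops it because no internal host opened that flow. Real stateful engines also age entries out of the table and track the TCP teardown, which this sketch omits.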

Modern firewalls can filter traffic based on many packet attributes like source IP address,
source port, destination IP address or port, destination service like WWW or FTP. They
can filter based on protocols, TTL values, netblock of originator, domain name of the
source, and many other attributes.

Commonly used packet filters on various versions of UNIX are ipf (various), ipfw
(FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), and iptables/ipchains (Linux).

Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all
browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or
from an application. They block other packets (usually dropping them without
acknowledgement to the sender). In principle, application firewalls can prevent all
unwanted outside traffic from reaching protected machines.

On inspecting all packets for improper content, firewalls can restrict or prevent outright
the spread of networked computer worms and Trojans. In practice, however, this becomes
so complex and so difficult to attempt (given the variety of applications and the diversity
of content each may allow in its packet traffic) that comprehensive firewall design does
not generally attempt this approach.

The XML firewall exemplifies a more recent kind of application-layer firewall.

Proxies

A proxy device (running either on dedicated hardware or as software on a general-
purpose machine) may act as a firewall by responding to input packets (connection
requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult
and misuse of one internal system would not necessarily cause a security breach
exploitable from outside the firewall (as long as the application proxy remains intact and
properly configured). Conversely, intruders may hijack a publicly-reachable system and
use it as a proxy for their own purposes; the proxy then masquerades as that system to
other internal machines. While use of internal address spaces enhances security, crackers
may still employ methods such as IP spoofing to attempt to pass packets to a target
network.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts
protected behind a firewall commonly have addresses in the "private address range", as
defined in RFC 1918. Firewalls often have such functionality to hide the true address of
protected hosts. Originally, the NAT function was developed to address the limited
number of IPv4 routable addresses that could be used or assigned to companies or
individuals as well as reduce both the amount and therefore cost of obtaining enough
public addresses for every computer in an organization. Hiding the addresses of protected
devices has become an increasingly important defense against network reconnaissance.
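Added example (Python, not from the original document) of the translation table behind the NAT behaviour described above. Outbound connections from private RFC 1918 addresses are rewritten to the firewall's single public address with a fresh port; the reverse mapping lets replies reach the right internal host, and an inbound packet with no mapping is dropped, which is why an outside observer never sees the internal addresses. The addresses (10.0.0.0/8 inside, 203.0.113.1 as the public address, 198.51.100.10 as a server) and the per-flow mapping are constructed assumptions.

```python
import itertools


class NatTable:
    """Port-based NAT (masquerading) for one public IP address.

    Each outbound flow from a private host gets its own public source port;
    the table keeps the mapping in both directions so that replies can be
    translated back and unsolicited packets can be recognised and dropped.
    """

    def __init__(self, public_ip: str, first_port: int = 50000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.outbound_map = {}   # (priv ip, priv port, dst ip, dst port) -> public port
        self.inbound_map = {}    # (public port, remote ip, remote port) -> (priv ip, priv port)

    def translate_outbound(self, src, sport, dst, dport):
        """Rewrite a packet leaving the private network; returns the new 4-tuple."""
        key = (src, sport, dst, dport)
        if key not in self.outbound_map:
            public_port = next(self._ports)
            self.outbound_map[key] = public_port
            self.inbound_map[(public_port, dst, dport)] = (src, sport)
        return (self.public_ip, self.outbound_map[key], dst, dport)

    def translate_inbound(self, src, sport, dst, dport):
        """Rewrite a packet arriving from outside, or return None to drop it."""
        if dst != self.public_ip:
            return None
        private = self.inbound_map.get((dport, src, sport))
        if private is None:
            return None                       # no internal flow opened this: drop
        return (src, sport, private[0], private[1])


def demo():
    """Two internal hosts talk to the same server from the same ephemeral
    port, then an unrelated host probes the public address."""
    nat = NatTable("203.0.113.1")
    server = ("198.51.100.10", 80)
    a_out = nat.translate_outbound("10.0.0.5", 40000, *server)
    b_out = nat.translate_outbound("10.0.0.6", 40000, *server)
    # the server replies to what it saw: the public address and the mapped port
    a_reply = nat.translate_inbound(server[0], server[1], "203.0.113.1", a_out[1])
    b_reply = nat.translate_inbound(server[0], server[1], "203.0.113.1", b_out[1])
    # an unsolicited packet at the public address has no mapping
    probe = nat.translate_inbound("198.51.100.99", 4444, "203.0.113.1", 22)
    return {"a_out": a_out, "b_out": b_out, "a_reply": a_reply,
            "b_reply": b_reply, "probe": probe}
```

The reconnaissance benefit follows directly from the table: from outside, both conversations appear to originate at 203.0.113.1, and nothing about the public port reveals how many hosts sit behind it or what addresses they use. Real implementations also expire idle mappings and handle protocols that embed addresses in their payload (FTP is the classic case), which this sketch leaves out.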

Hardware Firewall

[Figure: zoning of a hardware firewall. (RED) directly connected to the un-trusted Internet;
(ORANGE) the DMZ zone for Internet servers; (GREEN) the internal protected LAN;
(BLUE) the internal protected wireless LAN.]

Software Firewall

[Figure not reproduced.]

9.2.Virus Prevention Tips & Tricks

Antivirus software is only one component of a good security posture. Understand risky
behaviors and adopt good habits that will minimize your risk of infection.

9.2.1.Securing Outlook and Outlook Express

Securing your mail client is just one of the steps necessary to help prevent email worms
and viruses. If you have not already done so, visit the Email Help Center for tips on
spotting malicious attachments and the do's and don'ts of email security. Also see Why
Plain is better to understand the risks of HTML-rendered email. The steps below apply to
Outlook versions 2002, 2003, and 2007 and Outlook Express v6.0 and above. If you use
an older version, you may need to update your mail client in order to take advantage of
these important security features.

To configure Outlook Express to send and receive email in plain text only:

1. In Outlook Express, click Tools | Options
2. Select the Read tab and then select 'Read all messages in plain text'
3. Click the Send tab. Under 'Mail Sending Format' select "Plain text"
4. Click "Apply" then click "OK" to exit the menu.

To read messages in plain text in Microsoft Outlook 2003:

1. Open Outlook 2003 and click Tools | Options
2. Select Preferences | Email Options
3. Select "Read all standard mail in plain text"
4. Click OK to close the dialog box. Click OK again to close the menu.

To read messages in plain text in Microsoft Outlook 2007:

1. Open Outlook 2007 and click Tools | Trust Center
2. Select E-mail Security
3. Select "Read all standard mail in plain text"
4. Click OK to accept the change and close the menu.

Outlook 2002 email can also be read in plain text, but this requires a registry edit.
Microsoft has a Knowledge Base article that describes the necessary steps. For details,
see: Plain text email in Outlook 2002

To make Outlook/Outlook Express more secure:

• Disable all ActiveX and Java in the Restricted Sites zone. Do this from
Internet Explorer by selecting the following menu items:
Tools | Internet Options | Security | Restricted Sites | Custom Level
Note: Just moving the slider to High is not enough. Choose Custom Level and
walk through the list, disabling every ActiveX, Active scripting and Java
option. If you are unable to follow this step, ask an experienced friend for
assistance.

After modifying the Restricted Sites zone, you need to tell Outlook or Outlook Express
to render HTML mail with that zone's settings. Mail is rendered by the same engine as
web pages, so without this second step the restrictions you just configured do not
apply to email.

• Open Outlook or Outlook Express and choose Tools | Options | Security.
Under the security zone setting, select 'Restricted sites zone'.

Make sure all applicable critical patches and updates are applied to your system.
Visit the Windows Update site, choose Product Updates, and install everything marked
'Critical'. Check for updates at least monthly (Microsoft publishes its regular batch
on the second Tuesday of each month), or let Automatic Updates do it for you.

9.2.2.Securing Internet Explorer

Annoyed by pop-ups? Worried about 'drive-by downloads' and spyware? Has your Internet
Explorer start page been hijacked by an unwelcome site? Relax. Internet Explorer has a
built-in mechanism, security zones, for controlling the Internet nasties that threaten
to ruin your browsing experience. Best of all, it's free; all that's required is a
little bit of elbow grease.

To begin, ensure you have the latest version of Internet Explorer and that all necessary
patches and updates have been applied. To obtain the latest version and required updates,
visit the Windows Update Center.

To access the Security Zones, open Internet Explorer, choose Tools from the menu, select
Internet Options, and click the Security tab.

Security Zones
Internet Explorer provides four distinct security zones, each of which can be
configured independently to provide custom protection for safer and more pleasant
Internet browsing. Every site is rendered with the settings of the zone it falls into,
so the practical rule is: tight settings in the Internet zone, and only sites you must
trust in Trusted Sites.

• Internet zone - The default zone for every site not listed in another zone.
Since this is where unknown sites land, its settings matter most.
• Local Intranet - Typically for local files or those coming from local
networks.
• Trusted Sites zone - Use the Trusted Sites zone for sites you visit frequently
which require the ability to download files, play Flash animations, or employ
active scripting. Add sites here sparingly, since anything listed gets the
relaxed settings.
• Restricted Sites zone - Use the Restricted Sites zone to suppress pop-up
advertising, minimize the use of cookies, or otherwise restrict the actions
allowed by listed sites. This is also the zone Outlook and Outlook Express can
be told to use for rendering HTML mail (see the Outlook steps above).

9.2.3.Beware of Online Scams

The Internet makes it easier to accomplish many things - banking, research, travel, and
shopping are all at our virtual fingertips. And just as the Internet makes it easier for
legitimate pursuits, it also makes it easier for scammers, con artists, and other online
miscreants to carry out their virtual crimes - impacting our real life finances, security, and
peace of mind. These Internet scams are constantly evolving - here are the most common
today.

Phishing scams

Phishing emails try to trick the intended victim into visiting a fraudulent website
disguised to look like a legitimate e-commerce or banking site. The victim thinks they
are logging into their real account, but everything they enter on the fake site goes to
the scammers. Armed with this information, the scammer can empty the victim's accounts,
run up their credit cards, or even steal their identity. The tell-tale is usually the
link: the text you see and the address it actually points to differ, which is one more
reason to read mail as plain text (section 9.2.7).

9.2.4.Computer Safety Tips

Achieving good computer security can seem like a daunting task. Fortunately, following
the few simple steps outlined below can provide a good measure of security in very little
time.

Use antivirus software and keep it updated. You should check for new definition
updates daily. Most antivirus software can be configured to do this automatically.

Install security patches. Vulnerabilities in software are constantly being discovered and
they don't discriminate by vendor or platform. It's not simply a matter of updating
Windows; at least monthly, check for and apply updates for all software you use.

Use a firewall. No Internet connection is safe without one. Firewalls are necessary even
if you have a dial-up Internet connection - it takes only minutes for a non-firewalled
computer to be infected.

Secure your browser. Many labor under the dangerous misconception that only Internet
Explorer is a problem. It's not the browser you need to be concerned about. Nor is it a
matter of simply avoiding certain 'types' of sites. Known, legitimate websites are
frequently being compromised and implanted with malicious JavaScript that foists
malware onto visitors' computers. To ensure optimum browsing safety, the best tip is to
disable JavaScript for all but the most essential of sites - such as your banking or regular
ecommerce sites. Not only will you enjoy safer browsing, you'll be able to eliminate
unwanted pop-ups as well.

Take control of your email. Avoid opening email attachments received unexpectedly -
no matter who appears to have sent it. Remember that most worms and Trojan-laden
spam try to spoof the sender's name. And make sure your email client isn't leaving you
open to infection. Reading email in plain text offers important security benefits that more
than offset the loss of pretty colored fonts.

Treat IM suspiciously. Instant Messaging is a frequent target of worms and Trojans.
Treat it just as you would email.

Avoid P2P and distributed file sharing. Torrent, Kazaa, Gnutella, Morpheus and at least
a dozen other file sharing networks exist. Most are free. And all are rife with Trojans,
viruses, worms, adware, spyware, and every other form of malicious code imaginable.
There's no such thing as safe anonymous file sharing. Avoid it like the plague.

Keep abreast of Internet scams. Criminals think of clever ways to separate you from
your hard earned cash. Don't get fooled by emails telling sad stories, or making
unsolicited job offers, or promising lotto winnings. Likewise, beware of email
masquerading as a security concern from your bank or other E-Commerce site.

Don't fall victim to virus hoaxes. Dire-sounding email spreading FUD about non-
existent threats serves only to cause needless alarm, and may even lead you to delete
perfectly legitimate files in response.

Remember, there's far more good than bad on the Internet. The goal isn't to be paranoid.
The goal is to be cautious, aware, and even suspicious. By following the tips above and
becoming actively engaged in your own security, you'll not only be protecting yourself,
you'll be contributing to the protection and betterment of the Internet as a whole.

9.2.5.Protecting the HOSTS file

The HOSTS file is the virtual equivalent of the phone company's directory assistance.
Where directory assistance matches a person's name to a phone number, the HOSTS file
maps host names to IP addresses. On Windows it lives at
%SystemRoot%\System32\drivers\etc\hosts (on Unix-like systems at /etc/hosts), and it is
consulted before DNS, so its entries override whatever answer the ISP's DNS servers
would give. Matching is by exact host name: an entry for www.google.com says nothing
about google.com or mail.google.com. By default 'localhost' (i.e. the local computer)
is mapped to 127.0.0.1, known as the loopback address. Any other name pointed at
127.0.0.1 sends that site's traffic to your own machine where, unless you run a web
server, nothing is listening, so the browser reports that the page cannot be displayed.
Conversely, an entry can silently send a name to a completely different site by
pointing it at an IP address belonging to another host. For example, if an entry for
www.google.com pointed at an address belonging to yahoo.com, any attempt to open
www.google.com would actually connect to Yahoo's server, with no redirect and nothing
in the address bar to reveal the switch.

Malware authors increasingly use the HOSTS file to block access to antivirus and
security websites, so that definition updates and online scanners quietly stop working.
Adware may also tamper with the HOSTS file, redirecting access to earn affiliate
page-view credit or to point at a booby-trapped website that downloads further hostile
code.

Fortunately, there are steps you can take to prevent unwanted modifications to the
HOSTS file. Spybot Search & Destroy includes several free utilities that will not only
block changes to the HOSTS file, but can protect the Registry from unauthorized
changes, enumerate startup items for quick analysis, and block known bad or alert on
unknown ActiveX controls. Even without such a tool, it is worth knowing what a clean
file looks like (normally just the localhost lines) and checking it whenever a security
site suddenly becomes unreachable.
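As an added example (not part of the original report, and not one of the Spybot utilities mentioned above), the following Python script audits a HOSTS file for the two abuses described in this section: well-known names sunk to the loopback or unspecified address, and well-known names pointed somewhere else. It also records a SHA-256 fingerprint of the file so that a later change is noticed. The watch-list of domains and the sample file are constructed for the demonstration; the file paths are the real ones.

```python
# Added example (not from the original report): parse a HOSTS file, flag
# entries that block or hijack well-known names, and fingerprint the file so
# later changes are noticed. WATCHED_DOMAINS and SAMPLE_HOSTS are constructed.
import hashlib
import ipaddress
import platform
from pathlib import Path

# Where the live file lives (Windows: %SystemRoot%\System32\drivers\etc\hosts).
HOSTS_PATH = (Path(r"C:\Windows\System32\drivers\etc\hosts")
              if platform.system() == "Windows" else Path("/etc/hosts"))

# Names a clean HOSTS file has no reason to override (illustrative watch-list).
WATCHED_DOMAINS = ("symantec.com", "mcafee.com", "kaspersky.com",
                   "microsoft.com", "windowsupdate.com", "google.com")
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and junk are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address, so this is not a mapping
        for name in fields[1:]:
            yield no, ip, name.lower()

def is_watched(name):
    """Exact match or subdomain of a watched domain (no 'notsymantec.com' false hits)."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def audit_hosts(text):
    """Return (line_no, hostname, ip, verdict) for every suspicious mapping."""
    findings = []
    for no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue  # the legitimate loopback entries
        if is_watched(name) and ip in SINKHOLES:
            verdict = "blocked: vendor/update site sent to a sinkhole address"
        elif is_watched(name):
            verdict = "hijacked: well-known name mapped to another host"
        elif ip in SINKHOLES:
            verdict = "sinkholed: review (ad-blocking lists do this legitimately)"
        else:
            continue  # ordinary mapping, e.g. a lab machine
        findings.append((no, name, ip, verdict))
    return findings

def hosts_digest(text):
    """SHA-256 of the file text; store it and re-check after every scan or update."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed sample of a tampered file; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
0.0.0.0         update.microsoft.com
203.0.113.10    www.google.com   # attacker's host standing in for Google
127.0.0.1       ads.example.net
192.168.1.20    fileserver
"""

if __name__ == "__main__":
    text = HOSTS_PATH.read_text(errors="replace") if HOSTS_PATH.exists() else SAMPLE_HOSTS
    for no, name, ip, verdict in audit_hosts(text):
        print("line %d: %s -> %s  [%s]" % (no, name, ip, verdict))
    print("sha256:", hosts_digest(text))
```

Run it once on a known-clean machine, keep the printed digest, and compare after any incident; a changed digest with no finding still means something edited the file. The third verdict is deliberately soft because hand-made ad-blocking HOSTS lists sink thousands of names to 127.0.0.1 on purpose.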

9.2.6.Tips for IM safety

Instant Messenger worms are becoming increasingly sophisticated, and more prevalent. To
avoid infection, treat IM as suspiciously as you should be treating email. These tips
will help you avoid infection:

Don't be click-happy
Don't click any link received in IM unless you've first confirmed that the sender
intended it. This includes links contained in 'away' messages, which are frequent
targets of IM worms.

Beware IMs bearing attachments
Don't open any attachment received unexpectedly; verify that the sender intended it.
Make sure you enable file extension viewing (in Windows Explorer, Folder Options | View,
clear 'Hide extensions for known file types') so you're not fooled by the infamous
double-extension ruse, in which a file named report.pdf.exe shows up as report.pdf.
Before opening any attachment, scan it first using up-to-date antivirus software. (The
Kaspersky online scanner is superb for quickly checking single files less than 1MB).

More is *not* merrier
Keep the number of IM clients to a minimum. IM worms target specific clients, though
multiple clients might be targeted. For example, the 2002 FloodNet IM worm sent its
infectious message to both AIM and MSN Instant Messenger users. Thus, the more IM
clients used or supported, the more likely you are to be victimized by an IM worm.

What to do if infection strikes
If you do get hit by an IM worm, remember that all of your contacts are now vulnerable.
To avoid sending the infection to others, disconnect from the Internet until you are able
to completely remove the infection. If you need Internet access to obtain antivirus
software or updates, ask a friend to use their computer and burn the files to CD. If
this is not an option, uninstall the IM client until after you've properly cleaned the
infection. Of course, always keeping your antivirus software up-to-date will avoid this
last-minute scramble for protection.

9.2.7.Read E-Mail in Plain Text Only

Colored fonts, embedded images, and stylized text are just a few of the reasons that
HTML-rendered email has become popular with many folks. Sure, it makes email
attractive and - in some cases - easier to read. But there are drawbacks to the glitz and
glamour of HTML-rendered email. From a security standpoint, plain text email is better.
Reading email in plain text offers important security benefits that more than offset the
loss of pretty colored fonts.

Squash the bugs
HTML-rendered email can be virtually wiretapped through the use of invisible images,
specially formed links, and other techniques that allow email to be tracked. For example,
unique serial numbers are often assigned to invisible images stored on a remote server.
Each time the email is read, those images are accessed, providing a record of whether the
email was opened. Commercial companies peddle software to track email, providing a
means for the sender to know whether an email was read, when it was read, and even
follow its tracks if it is forwarded to others. Spammers use web bugs to determine
whether an email address is valid, or whether the recipient has a tendency to open spam -
setting those users up for even more unwanted email in the future.

Plain text email does not support embedded images. Plain text email squashes web bugs.

A not so helpful hand
Active content can be used in HTML-rendered email that causes email attachments to
open automatically, or files to be downloaded to the system. In order to bypass content
filters that prohibited EXE files in email, the Winevar virus contained active content in
its email that first modified the System Registry to specify .CEO files as executable,
and then automatically opened the attached - and infected - .CEO file it had smuggled
past the scanners.

Plain text email does not support active content. Plain text email prevents email
attachments from opening automatically.

A spammer’s delight
HTML-rendered email allows miscreant marketers and criminals to obfuscate the links,
making them appear to point to somewhere else other than the user expected. These
techniques are common in phishing scams, which often use scare tactics to entice a user
to click a link allegedly leading to their bank or a well-known E-Commerce site. Instead,
the link takes the user to a website controlled by the scammer. It may look and feel like
the website the user expected, but it's not. And behind the scenes, their login details and
personal financial information are quietly being recorded for the criminal's later use.

Plain text email provides a true WYSIWYG (What You See Is What You Get) experience.
In plain text email, there are no hidden commands - the link displayed is the actual link.
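What follows is an added example, not code from the original report or from any of the products it mentions: a small Python audit of a constructed phishing-style message, using only the standard library. It demonstrates the three things described in this section and in the phishing (9.2.3) and IM (9.2.6) sections above: the invisible 1x1 remote image that acts as a web bug, the link whose visible text and real destination differ, and the double-extension attachment name. It also pulls out the text/plain part, which is exactly what a plain-text reader would show. All hosts, the tracking token and the attachment are invented.

```python
# Added example (not from the original report): audit an HTML e-mail for web
# bugs, disguised links and risky attachments with only the standard library.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
KNOWN_SAFE_EXTS = {"txt", "pdf", "jpg", "jpeg", "png", "gif", "doc", "xls", "zip"}

class HtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images, self.links, self._in_link = [], [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").lower().startswith(("http://", "https://")):
            self.images.append(a)  # remote image: fetched when the mail is rendered
        elif tag == "a" and a.get("href"):
            self.links.append([a["href"], ""])
            self._in_link = True
    def handle_data(self, data):
        if self._in_link:
            self.links[-1][1] += data  # the text the user actually sees
    def handle_endtag(self, tag):
        self._in_link = self._in_link and tag != "a"

def hidden_image(a):
    # A remote image of 0/1 pixels or with display:none is a tracking beacon.
    style = a.get("style", "").replace(" ", "").lower()
    return a.get("width") in ("0", "1") or a.get("height") in ("0", "1") or "display:none" in style

def link_mismatch(href, text):
    # True when the visible link text names a host other than the one in href.
    shown = text.strip()
    if "." not in shown or " " in shown:
        return False  # a label such as "Click here", not a URL
    shown_url = shown if "://" in shown else "http://" + shown
    shown_host, real_host = (urlparse(u.strip()).hostname or "" for u in (shown_url, href))
    return bool(shown_host) and shown_host != real_host

def risky_attachment(filename):
    # Reason string for a dangerous attachment name, else None.
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        disguise = parts[-2] if len(parts) > 2 and parts[-2] in KNOWN_SAFE_EXTS else None
        return "executable disguised as %s" % disguise if disguise else "executable attachment"
    if ext not in KNOWN_SAFE_EXTS:
        return "unrecognised extension (cf. Winevar's .CEO trick)"
    return None

def audit_message(raw):
    """Walk every MIME part and report what plain-text reading hides or avoids."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"plain": None, "beacons": [], "mismatched_links": [], "attachments": []}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            reason = risky_attachment(name)
            if reason:
                report["attachments"].append((name, reason))
        elif part.get_content_type() == "text/plain":
            report["plain"] = part.get_content()  # exactly what a plain-text reader shows
        elif part.get_content_type() == "text/html":
            p = HtmlAudit()
            p.feed(part.get_content())
            report["beacons"] = [i["src"] for i in p.images if hidden_image(i)]
            report["mismatched_links"] = [(t.strip(), h) for h, t in p.links if link_mismatch(h, t)]
    return report

# Constructed phishing-style message (hosts, token and attachment are invented).
SAMPLE_MESSAGE = """\
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Please verify your account at http://www.mybank.example.evil-host.example/login
--inner
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify your account at
<a href="http://www.mybank.example.evil-host.example/login">www.mybank.example/login</a></p>
<img src="http://track.evil-host.example/open.gif?id=8f3a91c2" width="1" height="1">
<img src="http://track.evil-host.example/logo.png" width="120"></body></html>
--inner--
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"

--outer--
"""
```

Running audit_message(SAMPLE_MESSAGE) reports one beacon (the 1x1 image with its per-recipient token; the 120-pixel logo is not flagged), one mismatched link, and the double-extension attachment, while the plain-text part already shows the real address in the clear. The checks are deliberately simple string and host comparisons, which is the point: a plain-text reader gets all of this protection without needing any of them.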

9.2.8.Patch All the Software You Use

The Bottom Line

Chances are, there are dozens of security vulnerabilities waiting to be exploited on your
system. And it's not just Windows itself you need to be concerned with. Adobe Flash,
Acrobat Reader, Apple QuickTime, Sun Java and a bevy of other third-party apps may
host security vulnerabilities waiting to be exploited. Secunia Software Inspector can
make the discovery process a bit easier by providing a free online scanner that alerts
you to vulnerable software.

Pros

• Scans for a wide range of software vulnerabilities
• Provides step-by-step instructions for applying patches
• Intuitive interface is easy to use
• Links to detailed information for research
• Simplifies the patching process

Cons

• None

Description

• Provides version numbers of detected software and the version number
needed, if applicable.
• Step-by-step instructions and links make getting patched a nearly pain-free
process
• Easy, fast, intuitive to use, and free.

Guide Review - Secunia Software Inspector

In a perfect world, we would never have to patch our systems. But it's not a perfect
world, and security vulnerabilities affect a wide range of products. Not all these third-
party add-ons provide automatic updates, and even those that do may not deliver the right
update for the problem. And changes to the Microsoft update site make securing
Windows a bit more difficult than it used to be.

Secunia Software Inspector provides a free online scan that provides a patch status for all
supported applications on your system. It's a pretty long list of supported apps as well,
including various versions of Adobe Reader, Flash, Firefox, QuickTime, AIM, iTunes,
MSN Messenger, Windows, Thunderbird, Opera, RealPlayer, Skype, WinAmp, Yahoo
Messenger, WinZip and ZoneAlarm.

Just click Start, let the scan run, and within moments Secunia Software Inspector
provides a complete report of all that's wrong - or even right - with your system. A green
checkmark beside a product name means that product is up-to-date. A red X means the
product needs updating. And Secunia makes it doubly easy to update - providing links to
the updates, step-by-step instructions, and details about the vulnerability.

Secunia Software Inspector is free, fast, and so intuitive to use there's simply no excuse
for not keeping patches up to date.
