Backdoor: allows those who know of it access, bypassing the usual security procedures.
• Backdoors have been commonly used by developers.
• They are a threat when left in production programs, where they can be exploited by attackers.
• Very hard to block in the OS.
• Requires good software development and update practices.
Virus: a malicious computer program (executable file) that can copy itself and infect a computer without the permission or knowledge of the user.
• A virus can only spread from one computer to another by:
  • sending it over a network as a file or as an email payload;
  • carrying it on a removable medium.
• Viruses need USER INTERVENTION to spread …
• Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk.
• Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages.
• Infection mechanism: the means by which a virus spreads, enabling it to replicate. The mechanism is also referred to as the infection vector.
• Trigger: the event or condition that determines when the payload is activated or delivered.
• Payload: what the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.
• Dormant phase: the virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
• Propagation phase: the virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
• Triggering phase: the virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
• Execution phase: the function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
▪ Boot sector virus: infects the boot sector of floppy disks or the Master Boot Record (MBR) of hard disks (some infect the boot sector of the hard disk instead of the MBR).
▪ File infector virus: usually infects memory and executable files; once in the system, they remain for a long time.
▪ Macro virus: "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless.
▪ Encrypted virus: uses encryption to hide itself from virus scanners. That is, the encrypted virus jumbles up its program code to make it difficult to detect. An encrypted virus's code begins with a decryption algorithm and continues with scrambled or encrypted code for the remainder of the virus.
▪ Stealth virus: uses mechanisms to avoid detection by antivirus software.
▪ Polymorphic virus: able to modify itself and make clones of itself.
▪ Metamorphic virus: can transform itself based on the ability to translate, edit and rewrite its own code. It is considered the most infectious computer virus, and it can do serious damage to a system if it isn't detected quickly.
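As an added example (not part of the slides), here is a small Python triage check for the layout the encrypted-virus bullet describes: a decryptor in clear followed by a scrambled body. It contrasts byte-entropy profiling, which flags that shape whatever the body contains, with classic signature matching, which only has the unchanged decryptor left to key on. The two sample files, the stub text and the signature name are constructed placeholders, not real malware or real signatures.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def window_entropies(data: bytes, window: int = 1024) -> list:
    """Entropy of consecutive, non-overlapping windows, in file order."""
    return [shannon_entropy(data[i:i + window])
            for i in range(0, len(data), window)]

def looks_like_encrypted_body(data: bytes, window: int = 1024,
                              stub_max: float = 6.0, body_min: float = 7.0) -> bool:
    """Triage heuristic for the layout the slide describes: a readable
    (low-entropy) decryptor in front, then a body that is almost entirely
    high-entropy. A hit means 'look closer', not 'malicious': packed or
    compressed legitimate files produce the same shape."""
    ents = window_entropies(data, window)
    if len(ents) < 4:
        return False
    head, body = ents[0], ents[1:]
    high = sum(1 for e in body if e >= body_min)
    return head <= stub_max and high / len(body) >= 0.9

def signature_hits(data: bytes, signatures: dict) -> list:
    """Classic static matching: names of every byte pattern found in data.
    The scrambled body defeats this, but the decryptor, which must stay in
    clear so it can run, is still matchable."""
    return [name for name, pattern in signatures.items() if pattern in data]

# Constructed samples, not real malware: an ordinary low-entropy program
# image, and a file shaped like an encrypted virus (placeholder text standing
# in for the decryptor, PRNG bytes standing in for the scrambled body).
PLAIN_PROGRAM = b"MZ" + b"This is an ordinary program body. " * 300
DECRYPTOR_STUB = b"[placeholder decryptor stub]".ljust(1024, b"\x00")
_rng = random.Random(2024)  # fixed seed so the sample is reproducible
ENCRYPTED_SHAPED = DECRYPTOR_STUB + bytes(_rng.getrandbits(8) for _ in range(8192))
SIGNATURES = {"stub": b"placeholder decryptor stub"}  # hypothetical signature

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_PROGRAM), ("encrypted", ENCRYPTED_SHAPED)):
        print(name, [round(e, 1) for e in window_entropies(sample)],
              looks_like_encrypted_body(sample), signature_hits(sample, SIGNATURES))
```

Packers and compressed resources produce the same entropy profile, so in practice this check is a reason to unpack and inspect, not a verdict on its own.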
Trojan horse: a program that appears, to the user, to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system.
• Trojans may appear to be useful or interesting programs, or at the very least harmless to an unsuspecting user, but are actually harmful when executed.
• Trojans are not self-replicating, which distinguishes them from viruses and worms.