Malicious Code
for years, they reached a head in July 2017 when the United States (U.S.) General Services Administration, responsible for government-wide purchasing, removed Kaspersky from the list of vendors authorized to do business with the federal government. This was quickly followed by a flurry of announcements that agencies were purging Kaspersky software from their systems.
The reason for this sudden activity was unclear until three months later, in October 2017, when the Wall Street Journal broke a report claiming that Kaspersky software created a back door in their security products that allowed Russian hackers to break into the computer of a National Security Agency contractor and steal highly classified information.
The vast majority of these packages utilize a method known as signature-based detection to identify potential virus infections on a system. Essentially, an antivirus package maintains an extremely large database that contains the telltale characteristics of all known viruses. Depending on the antivirus package and configuration settings, it scans storage media periodically, checking for any files that contain data matching those criteria. If any are detected, the antivirus package takes one of the following actions:
■ If the software can eradicate the virus, it disinfects the affected files and restores the machine to a safe condition.
■ If the software recognizes the virus but doesn’t know how to disinfect the files, it may quarantine the files until the user or an administrator can examine them manually.
■ If security settings/policies do not provide for quarantine or the files exceed a predefined danger threshold, the antivirus package may delete the infected files in an attempt to preserve system integrity.
When using a signature-based antivirus package, it’s essential to remember that the package is only as effective as the virus definition file upon which it’s based. If you don’t frequently update your virus definitions (usually requiring an annual subscription fee), your antivirus software will not be able to detect newly created viruses. With thousands of viruses appearing on the internet each day, an outdated definition file will quickly render your defenses ineffective.
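As an added illustration (not from the book or any vendor's engine), the following Python models the scan-then-act logic of the three-way list above and the consequence of a stale definition file: the signature names, byte patterns, danger scores and threshold are all constructed for the demo, and real engines match far richer patterns than a plain substring.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CLEAN = "clean"              # no signature matched
    DISINFECT = "disinfect"      # engine knows how to strip the infection
    QUARANTINE = "quarantine"    # recognized but not removable; hold for review
    DELETE = "delete"            # quarantine not allowed or danger over threshold


@dataclass(frozen=True)
class Signature:
    name: str          # hypothetical family name, not a real malware name
    pattern: bytes     # byte sequence the definition file says identifies it
    danger: int        # constructed 0-10 danger score
    removable: bool    # whether the engine can disinfect rather than only detect


# Constructed "definition file": every entry here is invented for the demo.
DEFINITIONS = [
    Signature("Demo.Appender", b"DEMO-APPENDER-PAYLOAD", danger=3, removable=True),
    Signature("Demo.Dropper", b"DEMO-DROPPER-STUB", danger=6, removable=False),
    Signature("Demo.Wiper", b"DEMO-WIPER-MARKER", danger=9, removable=False),
]

DANGER_THRESHOLD = 8        # assumed policy: above this, delete instead of quarantine
QUARANTINE_ALLOWED = True   # assumed policy: quarantine is permitted


def scan(content: bytes, definitions=DEFINITIONS):
    """Signature-based detection: return the first matching Signature, else None.
    A variant missing from the definitions is simply not seen (stale definitions)."""
    for sig in definitions:
        if sig.pattern in content:
            return sig
    return None


def decide(sig, quarantine_allowed=QUARANTINE_ALLOWED, threshold=DANGER_THRESHOLD):
    """Apply the three-way policy from the text to a detection result."""
    if sig is None:
        return Action.CLEAN
    if sig.removable:
        return Action.DISINFECT
    if quarantine_allowed and sig.danger <= threshold:
        return Action.QUARANTINE
    return Action.DELETE


def disinfect(content: bytes, sig) -> bytes:
    """Strip the known pattern from an infected file (only valid when sig.removable)."""
    return content.replace(sig.pattern, b"")


def handle_file(content: bytes):
    """Scan one file's bytes; return (signature name or None, Action, resulting bytes)."""
    sig = scan(content)
    action = decide(sig)
    cleaned = disinfect(content, sig) if action is Action.DISINFECT else content
    return (sig.name if sig else None, action, cleaned)
```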
Many antivirus packages also use heuristic-based mechanisms to detect potential malware infections. These methods analyze the behavior of software, looking for the telltale signs of virus activity, such as attempts to elevate privilege level, cover their electronic tracks, and alter unrelated or operating system files. This approach was not widely used in the past but has now become the mainstay of the advanced endpoint protection solutions used by many organizations. A common strategy is for systems to quarantine suspicious files and send them to a malware analysis tool where they are executed in an isolated but monitored environment. If the software behaves suspiciously in that environment, it is added to blacklists throughout the organization, rapidly updating antivirus signatures to meet new threats.
Chapter 21 ■ Malicious Code and Application Attacks

Modern antivirus software products are able to detect and remove a wide variety of types of malicious code and then clean the system. In other words, antivirus solutions are rarely limited to viruses. These tools are often able to provide protection against worms, Trojan horses, logic bombs, rootkits, spyware, and various other forms of email- or web-borne code. In the event that you suspect new malicious code is sweeping the internet, your best course of action is to contact your antivirus software vendor to inquire about your state of protection against the new threat. Don’t wait until the next scheduled or automated signature dictionary update. Furthermore, never accept the word of any third party about protection status offered by an antivirus solution. Always contact the vendor directly. Most responsible antivirus vendors will send alerts to their customers as soon as new, substantial threats are identified, so be sure to register for such notifications as well.
Other security packages, such as the popular Tripwire data integrity assurance package, also provide a secondary antivirus functionality. Tripwire is designed to alert administrators to unauthorized file modifications. It’s often used to detect web server defacements and similar attacks, but it also may provide some warning of virus infections if critical system executable files, such as command.com, are modified unexpectedly. These systems work by maintaining a database of hash values for all files stored on the system (see Chapter 6, “Cryptography and Symmetric Key Algorithms,” for a full discussion of the hash functions used to create these values). These archived hash values are then compared to current computed values to detect any files that were modified between the two periods. At the most basic level, a hash is a number used to summarize the contents of a file. As long as the file stays the same, the hash will stay the same. If the file is modified, even slightly, the hash will change dramatically, indicating that the file has been modified. Unless the action seems explainable, for instance if it happens after the installation of new software, application of an operating system patch, or similar change, sudden changes in executable files may be a sign of malware infection.
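The baseline-and-compare check described above, written as an added Python example rather than Tripwire's own code: it hashes a constructed directory tree with SHA-256, stores the baseline, then detects a one-byte change to a file named command.com, a newly dropped file and a deleted file, and counts how many digest bits that single-byte change flipped.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hash(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Record a hash for every regular file under root (the integrity database)."""
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old: dict, new: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def bit_distance(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests (how 'dramatic' the change is)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo() -> dict:
    """Constructed scenario: baseline three files, then flip one byte, add one, delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "command.com").write_bytes(b"\x00" * 64 + b"DEMO SHELL")
        (root / "bin" / "login").write_bytes(b"login binary (constructed)")
        (root / "etc_hosts").write_bytes(b"127.0.0.1 localhost\n")
        before = baseline(root)
        # A single flipped bit in an executable; the digest should differ in roughly half its bits.
        data = bytearray((root / "bin" / "command.com").read_bytes())
        data[0] ^= 0x01
        (root / "bin" / "command.com").write_bytes(bytes(data))
        (root / "bin" / "login").unlink()
        (root / "bin" / "sh").write_bytes(b"new file dropped after baseline (constructed)")
        after = baseline(root)
        report = compare(before, after)
        report["bits_changed"] = bit_distance(before["bin/command.com"], after["bin/command.com"])
        return report
```

In practice the baseline database itself must be stored where an attacker who owns the host cannot rewrite it (read-only media or a separate host), or the comparison proves nothing.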