Wednesday, 11 August 2010

Hybrid virus-worms

A hybrid virus-worm is a malicious program that combines the characteristics of both families: like a virus it modifies executable code and stays resident in memory, and like a worm it spreads across the network without the user's consent. According to Ed Skoudis, author of Malware: Fighting Malicious Code, this kind of program is more advanced than an ordinary virus: it keeps the file-infecting capability of a virus while also spreading rapidly through a network in the manner of a worm.

How to remove a new breed of Trojan that bypasses active defense

Patient: I use antivirus software with active defense (proactive protection), which is supposed to block Trojans, yet my e-mail account was recently stolen. Why?

Doctor: That is actually quite normal. Antivirus software is not a panacea and cannot stop every malicious program currently in circulation. Your e-mail account was most likely stolen by a Trojan that can get past active defense, such as the latest ByShell Trojan. ByShell is a new type of Trojan whose defining feature is that it easily defeats the active defense capability of antivirus products.

Using the SSDT to bypass active defense

Patient: How does a Trojan like ByShell get past active defense?

Doctor: The earliest trick was for the attacker to set the system date back to an earlier date, which caused some antivirus products to shut down all of their monitoring functions automatically, so that active defense lost its ability to prevent and control anything as well. Many Trojans today no longer need to touch the system time to break through active defense successfully.

Windows has a table called the SSDT, the System Service Descriptor Table (Chinese name "系统服务描述符表"). It holds the addresses of the kernel's system service routines, and it is the channel through which requests from application-layer programs are dispatched to the system kernel: each system call is resolved by indexing into this table.

Antivirus active-defense features work by modifying entries in the SSDT (hooking them), so that a malicious program's calls into the kernel pass through the antivirus driver's own code first and can be intercepted before they take effect; under normal circumstances the malicious program therefore cannot run. If you have antivirus software with active defense installed, you can confirm this with the SSDT view in a tool such as IceSword (冰刃, "Bingren"): the tool compares the live table with the original entries from the kernel image and shows the modified entries in red.

The ByShell Trojan first locates the SSDT currently in use, then obtains the original, unhooked contents of the table (typically by reading the pristine table out of the kernel image file on disk), and overwrites the current table with the original. With the antivirus hooks gone, the Trojan's calls proceed normally, and the active defense has been silently defeated.

Tip: ByShell uses kernel-driver techniques to break through the active defense of antivirus software. Common domestic and foreign products including Kaspersky, Rising, Trend Micro and Norton, together with their latest versions at the time of writing, can all be bypassed by the ByShell Trojan.

Removing Trojans that defeat active defense

Patient: I understand how this kind of Trojan works, but I still do not know how to remove it.

Doctor: Removal is not difficult and is similar to the removal of other Trojans. Here we walk through the specific steps using a typical ByShell infection as the example.

Step 1: Run the security tool WSysCheck and click the "Process Management" tab. Several processes are shown in pink, indicating that a Trojan thread has been injected into them. Click one of the pink IE browser processes and you will find a suspicious Trojan module, hack.dll, among its loaded modules (Figure 1). Of course, the attacker will sometimes use a different name, so any module whose file properties carry no company information deserves closer attention.

Step 2: Click the program's "Service Management" tab. Several services are likewise shown in red, indicating that they are not built-in system services. Looking through them, a service named hack is especially suspicious, because its name matches the name of the Trojan module.

Likewise, if the attacker has given the service some other name, look at the services whose "Status" column reads "unknown" and check them one by one.

Step 3: Click the program's "File Manager" tab, which presents an Explorer-like window. Following the path of the suspicious module, you quickly find the Trojan module file hack.dll, and alongside it an executable with the same base name (Figure 3). The Trojan evidently consists mainly of these two files.

Step 4: Now begin the cleanup. In "Process Management", find the pink IE browser process first, select it and right-click "End Process" to terminate it. Then click the "Service Management" tab, select the service named hack, and choose "Remove selected service" from the right-click menu to delete it.

Then switch to the "File Manager" tab for the final cleanup of the Trojan files. In the system's system32 directory, locate hack.dll and hack.exe and use the "Delete directly" command from the right-click menu to finish the Trojan off. Restart the system and check again; the Trojan should now be gone.

Step 5: Because the Trojan overwrote the antivirus software's hooks in the SSDT, the active defense is still disabled even though the Trojan is gone. It is best to run the repair function that comes with the antivirus product, or simply reinstall it, so that its hooks are put back.

Summary

In the past, the most important job for an attacker before planting a Trojan was making it undetectable (免杀, "AV evasion") so that it could slip past the antivirus software's signature detection. Now, beyond basic signature evasion, attackers are also working out how to break through active defense. Trojans that can defeat active defense already exist, and there will be more of them in the future, so users must strengthen their own security awareness.

Fighting worms with worms: building "nematode" worms to catch malicious ones

A prominent security researcher believes companies can lower their network security costs by using non-malicious worms, and has started acting on that belief: he is working on a new framework for building "controllable worms" intended to benefit enterprises.

Dave Aitel, vulnerability researcher at Immunity Inc. in New York, demonstrated a framework for "nematode"-class programs at the Hack In The Box conference in Kuala Lumpur, Malaysia, and stressed that such worms will become an important component of good enterprise security policy.

In an interview with Ziff Davis Internet, Aitel said: "We are trying to change the way people think. We do not want people to think this is impossible. Building beneficial worms is entirely possible, and companies will deploy them."

For years, security experts have debated the idea of "good" worms versus destructive, malicious ones. Some believe that fighting a worm with a worm is a good strategy and that building a good worm is a sound way to solve the problem; others disagree, because the self-replication process is hard to control and leaves people confused about what is happening.

Aitel is in the former camp: he believes that using worms for defense can significantly reduce the cost of maintaining networks, and that it is inevitable.

Aitel said: "We have already shown that with nothing more than a very simple vulnerability, a few steps and a few minutes, you can build a working worm."

He chose the name "nematode" because nematodes, a kind of worm with a sharp tail, are often used to control pests in crops. Aitel explained: "We can generate the worm in whatever way we want, and we can build a strictly controlled nematode worm program."

Before joining Immunity, Aitel worked at the security consultancy @stake and spent six years as a computer scientist at the NSA (National Security Agency). He firmly believes that worms can provide the answer to reducing security costs.

He said he has seen some ISPs, government departments and large companies significantly reduce costs by using "strictly controlled" nematodes.

In his Hack In The Box talk, Aitel listed the reasons for building nematodes and explained why a good worm must be kept under strict protocol control.

He said that existing vulnerability information can be turned into a worm automatically, and he even showed off a new programming language crafted specially for writing worms.

Aitel admitted there are potential problems: nematodes are very hard to write and take up a great deal of network bandwidth. They are hard to aim and hard to control, and, he said, IT administrators live in constant fear of worms.

The concept he put forward includes "nematodes" that are used only in response to attacks from the network and that clean up afterwards, and a NIL (Nematode Intermediate Language) server; NIL can be thought of as a simplified, special-purpose "worm assembly language".

With NIL, a vulnerability can be turned into a nematode quickly and easily. Aitel noted that in some cases the vulnerability can be written directly in NIL, which simplifies the process of building the worm even further.

Aitel claimed: "This will become part of your security team's toolkit," while stressing that his company's work is a "research-level proof of concept" that demonstrates the theoretical details of useful worms.

Aitel said: "If you look at the cost of maintaining security on a large network, most CIOs would agree to pay for this strategy. With the nematode concept you can use automation to get more protection with less. That is the driving force behind developing these new technologies."

He added: "Technically we are still two stages away from nematodes becoming the stepping stone to the next step. Our goal is to build automatically self-protecting networks using automation technology. We believe it will take at most five years before this technology becomes a product you can use."

"We have an engine that can take exploits and turn them into worms, which you can then put under a control mechanism. Enterprises will certainly be interested in this."

A simple guide to manually removing stubborn Trojans and worms

The situation was this: after dialing up, connections to the FTP server failed repeatedly. On inspection, the Norton Personal Firewall and Norton AntiVirus installed on the computer had been disabled; trying to open them gave an error and they could not be enabled normally. Task Manager showed five illegal processes; attempting to end them reported "Access denied". I rebooted into Safe Mode and tried to end the illegal processes again, but they still could not be stopped. I then went into the computer's local services list and found two unidentified auto-start services; trying to stop them gave "failed to stop the service". In desperation I changed the service property to "Disabled" and rebooted into Safe Mode once more, and the unknown services finally no longer started automatically.

Next I searched the C: system drive for the names of the illegal processes found earlier, located them in the Winnt and Winnt\system32\ directories and deleted them manually. Going into Winnt\system32\, I found a large number of unknown files with these common features: the file attribute was hidden; the file names were random strings such as "diALoGUe"; the icon resembled that of a DOS program; and the file properties carried no company, version or other information. Since this was my first time cleaning an infection, I had set Folder Options to show hidden files and to show all protected operating system files in order to find them, which made it easy to find this batch of unknown files with random names; I moved all of them to the Recycle Bin. Then I checked the registry and deleted the unknown auto-start entries of the Run type. Finally I ran the SP5 upgrade and after ten minutes had applied all the patches. Rebooting into normal mode, Win2000 displayed normally, Norton AntiVirus and the firewall started successfully, dial-up worked and the FTP connection succeeded.

From the infection experience above and from what I had heard about this kind of worm, I inferred the likely infection path and the attacks that follow. The user had not installed system patches in time, or had visited a malicious website with a super-user account, or had run an unknown program or file, and so became infected. Once resident, the virus replicates itself, connects to the Internet and downloads various other Trojans, turning the machine into a "chicken" (肉鸡, a zombie host). It then uses weak passwords to try logging on to other computers on the network and infect them; each newly infected machine in turn sends out all kinds of Trojans and worms to infect yet more computers, producing more zombies. This inevitably consumes a great deal of network bandwidth, with the same effect as a DDoS flood, and can overwhelm switches and routers until they become unresponsive. It is very likely the root cause of a network that slows down and only recovers after the switch or router is rebooted. And because the virus spawns so many processes, it eats system resources, so an infected machine runs noticeably slower.

The dangers of this kind of virus are:

1. On a high-bandwidth internal network it infects large numbers of other vulnerable computers; one infected machine often infects a large part of the network.

2. It consumes a great deal of network bandwidth and slows the network down.

3. It is somewhat adaptive and has very many variants. Antivirus software always lags behind the appearance of a virus, so a machine may be hit by a new variant before signatures exist for it.

4. It carries a DDoS-like tool: it reads account names from other computers on the network and tries to log on to them with weak passwords, causing the login attempt count on the uninfected computers to exceed the limit so that accounts get locked out, disrupting normal use.

The manual removal steps are summarized as follows:

1. Manually download and collect all of the individual SP5 patch files (for Win2000, nearly 100 MB in total). Note that Windows 2000 officially ended at SP4; what is commonly called "SP5" is the post-SP4 update rollup.

2. Disconnect from the network.

3. Reboot into Safe Mode.

4. Check the 【HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*】 keys and remove all unknown startup items.

5. Check the 【HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*】 keys and remove all unknown startup items.

6. Check for unidentified services and disable them. If there are none, proceed to step 7; if there are, disable them and go back to step 3.

7. Search the 【%SystemRoot%\system32\】 directory, focusing on all hidden .exe and .com files; inspect their properties and delete without mercy any of unknown origin (move them to the Recycle Bin first, reboot, and empty it once nothing has gone wrong).

8. After updating to the latest virus database, run a full scan of all files on the system with the antivirus software.

9. Confirm that SP4 is installed, then apply all of the SP5 patches on top of it.

10. Reboot into normal mode and resume use.

Note: Judging whether a program is illegitimate takes some experience, so here is a simple method. Right-click a suspicious program and open 【Properties】: a normal program's 【Version】 tab carries company name, version, copyright and similar information, and even junkware such as 3721 carries this information, whereas worms, Trojans and similar programs very often have no such information at all. Most illegal programs can be picked out this way.
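The two removal procedures above (the WSysCheck walkthrough and the numbered manual steps) and the version-information check in the note are mechanical enough to script. The following PowerShell script is an added example for this page, not a tool from the original article: it walks the Run/RunOnce keys, the installed services, the hidden executables in %SystemRoot%\system32 and the modules loaded into running processes, and flags every binary that carries neither company/version information nor a valid Authenticode signature. It assumes PowerShell 3.0 or later run from an elevated prompt, and it is read-only: it reports candidates and deletes nothing, which matches the article's advice to quarantine first and delete after a reboot. The names hack.exe and hack.dll are only the article's example of what it might find.

```powershell
# Added triage script (not the article's own tooling). Read-only: it reports
# candidates, it does not stop, disable or delete anything.
# Assumes PowerShell 3.0+ in an elevated session on the machine being examined.

$script:TrustCache = @{}   # path -> result, so each file is inspected only once

function Get-BinaryTrust {
    # The article's heuristic: legitimate binaries carry company/version info,
    # worms and Trojans usually do not. A valid Authenticode signature is also
    # accepted, because it can be verified rather than faked like a version string.
    param([Parameter(Mandatory = $true)][string]$Path)
    if ($script:TrustCache.ContainsKey($Path)) { return $script:TrustCache[$Path] }
    $r = [ordered]@{ Path = $Path; Exists = $false; Hidden = $false
                     Company = ''; Version = ''; Signed = $false; Suspicious = $true }
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $r.Exists  = $true
        $r.Hidden  = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        $r.Company = [string]$item.VersionInfo.CompanyName
        $r.Version = [string]$item.VersionInfo.FileVersion
        $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
        $r.Signed = ($sig -and $sig.Status -eq 'Valid')
        $r.Suspicious = -not ($r.Signed -or ($r.Company.Trim() -and $r.Version.Trim()))
    }
    $obj = [pscustomobject]$r
    $script:TrustCache[$Path] = $obj
    return $obj
}

function Resolve-CommandPath {
    # Pull the executable out of a Run-key value or service ImagePath, e.g.
    #   "C:\WINNT\system32\hack.exe" -k      or      C:\WINNT\system32\hack.exe /s
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $cmd = $cmd -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($cmd -match '^system32\\') { $cmd = Join-Path $env:SystemRoot $cmd }
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|dll|sys|bat|cmd|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]     # no recognised extension: take the first token
}

function Get-SuspiciousAutoruns {
    # Manual steps 4 and 5: HKLM/HKCU ...\CurrentVersion\Run* startup items.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ...
            $path = Resolve-CommandPath ([string]$p.Value)
            if (-not $path) { continue }
            $t = Get-BinaryTrust -Path $path
            if ($t.Suspicious) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value
                                   Path = $path; Exists = $t.Exists; Company = $t.Company }
            }
        }
    }
}

function Get-SuspiciousServices {
    # Manual step 6 / WSysCheck step 2. Services hosted inside svchost.exe
    # (ServiceDll) are not resolved here: svchost itself is signed, so those
    # need a separate look at their Parameters\ServiceDll value.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = Resolve-CommandPath $svc.PathName
        if (-not $path) { continue }
        $t = Get-BinaryTrust -Path $path
        if ($t.Suspicious) {
            [pscustomobject]@{ Name = $svc.Name; StartMode = $svc.StartMode; State = $svc.State
                               Path = $path; Exists = $t.Exists; Company = $t.Company }
        }
    }
}

function Get-HiddenSystem32Executables {
    # Manual step 7: hidden .exe/.com/.dll in %SystemRoot%\system32 (the
    # "diALoGUe"-style random names), filtered with the same heuristic.
    $dir = Join-Path $env:SystemRoot 'system32'
    Get-ChildItem -Path (Join-Path $dir '*') -Include *.exe,*.com,*.dll -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object { Get-BinaryTrust -Path $_.FullName } |
        Where-Object { $_.Suspicious }
}

function Get-SuspiciousProcessModules {
    # WSysCheck step 1: modules loaded into running processes (e.g. hack.dll
    # injected into iexplore.exe) that lack company/version info and a signature.
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        $mods = @()
        try { $mods = @($proc.Modules) } catch { continue }   # protected or 32/64-bit mismatch
        foreach ($m in $mods) {
            if (-not $m.FileName) { continue }
            $t = Get-BinaryTrust -Path $m.FileName
            if ($t.Suspicious) {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id
                                   Module = $m.FileName; Company = $t.Company }
            }
        }
    }
}

'== Autorun entries (HKLM/HKCU Run, RunOnce) with unrecognised binaries =='
Get-SuspiciousAutoruns | Format-Table -AutoSize
'== Services with unrecognised binaries =='
Get-SuspiciousServices | Format-Table -AutoSize
'== Hidden executables in system32 =='
Get-HiddenSystem32Executables | Format-Table Path, Company, Version -AutoSize
'== Unrecognised modules in running processes =='
Get-SuspiciousProcessModules | Format-Table -AutoSize
```

Treat the output as a worklist rather than a verdict: unsigned legacy drivers and in-house tools will show up too, and a Trojan that copies the version resource of a real file will not. An entry whose Exists column is False is worth attention on its own, since a startup item or service pointing at a file that is no longer there usually means a half-finished cleanup or a file hidden from the API. Run the script again after the reboot that the manual steps require, because a service that restarts itself is exactly what sent the author back to step 3.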

A few tips for staying virus-free:

1. Isolate the local area network from the external network behind a proxy or NAT, rather than connecting the two directly.

2. On every machine in the LAN, make sure the super-user (Administrator) password is not blank, is not the same as the user name, and is not trivially simple.

3. Strictly follow the principle of assigning 【just enough】 permissions, and avoid creating unnecessary super-user accounts.

4. Use an enterprise edition of the antivirus software with a central antivirus server, configured to check for, download and automatically distribute the latest virus database to all clients on schedule.

5. Use SUS (Software Update Services) or similar software to download Windows patches automatically, configured so that the latest patches are distributed to and installed on all clients automatically.

6. Remind colleagues about Internet safety in good time: do not visit unnecessary websites, do not run any unknown file, and keep good "Internet hygiene".

7. When you have a spare moment, check Task Manager for unknown processes, and check the Windows Update site for the latest patches.

Analysing and preventing "worm" viruses from the user's perspective

By attack mechanism, worms can be divided into those that exploit system-level vulnerabilities (active propagation) and those that rely on social engineering (propagation by deception). From the user's point of view they can be divided into worms aimed at corporate networks and worms aimed at individual users. This article looks at the characteristics of worms and some preventive measures from the perspectives of both corporate and individual users.

1. What a worm is

Viruses have been a serious threat to computers ever since they first appeared, and as networks developed rapidly, the harm caused by worms began to appear as well. In the broad sense, any program that can cause a computer to malfunction or destroy its data is called a computer virus, so in that sense a worm is a virus. But worms differ greatly from ordinary viruses. There is as yet no complete theory of worms; it is generally accepted that a worm is a vicious virus that spreads through the network, sharing some common properties of viruses such as propagation, concealment and destructiveness, but also having properties of its own, such as not parasitizing files (some exist only in memory), causing denial of service on the network, and integrating hacking techniques. In destructive power an ordinary virus cannot compare with a worm: with the growth of networks, a worm can spread across an entire network in a short time and paralyze it.

By target, worms fall into two categories. The first aims at corporate users and LANs: it exploits system vulnerabilities to launch attacks, and at worst can paralyze the whole Internet. The second aims at individual users and spreads rapidly through the network, mainly by e-mail and malicious web pages. The first kind is highly aggressive and tends to break out suddenly, but relatively speaking is not very hard to clean up. The second spreads in more complex and varied ways; a few exploit vulnerabilities in Microsoft software, but most rely on social engineering to deceive and induce the user, so the damage they cause is very large and they are very hard to eradicate.

2. Similarities and differences between worms and ordinary viruses

A worm is a virus, so it has the common characteristics of viruses. An ordinary virus needs a host to parasitize: it cannot execute its own instructions on its own, so it writes its instruction code into the body of another program, and the infected file is called the "host". For example, with a Windows executable in the PE (Portable Executable) format, a virus infecting the file typically creates a new section in the host program, writes its own code into that section and modifies the program's entry point, so that when the host program is executed the virus code runs first and then hands control back to the host program's original instructions. This shows that an ordinary virus mainly infects files. There are also directory-link viruses such as DIR II, and boot-sector viruses: a boot-sector virus infects the boot sector of a disk, and if an infected floppy disk is used in another machine, that machine becomes infected too, so the means of transmission is the floppy disk.

Worms generally do not insert themselves into PE files; instead they copy themselves to spread across the Internet. Whereas an ordinary virus targets the file system of a single computer, a worm targets every computer on the Internet. Shared folders on a LAN, e-mail, malicious web pages and the many vulnerable servers on the network all give worms good ways to spread, and the development of the network lets a worm spread worldwide within a few hours. The active, aggressive nature of worms and their sudden outbreaks leave people at a loss.

It is foreseeable that network worms will be the main source of great disasters on the network in the future.

3. Preventive measures for individual users

From the analysis above we know that worms are not all that terrifying: against individual users, worms mainly rely on social engineering rather than on exploiting system vulnerabilities. Defending against them therefore calls for the following:

(1) Buy suitable antivirus software. It must provide real-time monitoring of memory and of e-mail. Web-page viruses are very hard to detect, which raises users' demands on antivirus software. Current domestic antivirus software is at a high level; Rising antivirus, for example, also integrates a firewall and so strongly restrains worm and Trojan programs.

(2) Update the virus database frequently. Antivirus software detects viruses by their signatures, and new viruses appear every day; in the Internet age worms spread fast and have many variants, so the virus database must be updated regularly to catch the latest ones.

(3) Raise your own security awareness. Do not click on unfamiliar websites casually; they may contain malicious code.

In IE, click "Tools → Internet Options → Security → Internet zone → Security level" and raise the level from "Medium" to "High". Malicious web pages of this kind carry their malicious code in ActiveX controls, Java applets or JavaScript, so configuring IE to disable all ActiveX plug-ins and controls and Java scripting substantially reduces the risk of infection by malicious code. The specific procedure: in the IE window click "Tools" → "Internet Options"; in the dialog that appears select the "Security" tab, then click the "Custom Level" button; in the "Security Settings" dialog set every option related to ActiveX controls and plug-ins and to Java to "Disable". The drawback is that websites which legitimately rely on ActiveX will no longer display properly.
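The same hardening can be applied through the registry, which is useful when it has to be rolled out to many machines or re-applied after malware resets it. The script below is an added example for this page, not something from the original article. It assumes Internet Explorer's documented URL security zone layout (zone 3 is the Internet zone, each setting is a DWORD named by its action ID, and 0 = enable, 1 = prompt, 3 = disable, except that 1C00, Java permissions, uses 0 to disable Java) and writes the per-user values; it prints the old and new value of each setting so the change can be reviewed or reverted.

```powershell
# Added example (not from the original article): disable ActiveX, plug-ins, Java
# and active scripting in IE's Internet zone for the current user via the registry.
# Assumes the documented zone layout; zone 3 = Internet. Values: 0 enable, 1 prompt,
# 3 disable. 1C00 (Java permissions) is the exception: 0 means "disable Java".

$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Hardening = [ordered]@{
    '1001' = 3   # Download signed ActiveX controls
    '1004' = 3   # Download unsigned ActiveX controls
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe for scripting
    '1208' = 3   # Allow previously unused ActiveX controls to run without prompt
    '1400' = 3   # Active scripting (JScript / JavaScript)
    '1C00' = 0   # Java permissions: 0 = disable Java
}

function Set-InternetZoneHardening {
    # Writes each setting and returns one object per setting with the value it had
    # before, so the output doubles as a record for rolling the change back.
    param(
        [string]$ZonePath = $InternetZone,
        [System.Collections.IDictionary]$Settings = $Hardening
    )
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($id in $Settings.Keys) {
        $old = (Get-ItemProperty -Path $ZonePath -Name $id -ErrorAction SilentlyContinue).$id
        Set-ItemProperty -Path $ZonePath -Name $id -Value $Settings[$id] -Type DWord
        [pscustomobject]@{ Setting = $id; Old = $old; New = $Settings[$id] }
    }
}

Set-InternetZoneHardening | Format-Table -AutoSize
```

After this runs, the Internet zone shows as "Custom" in the IE dialog rather than "High", because the individual action values were set directly. If the machine-wide policy "Security Zones: Use only machine settings" (the Security_HKLM_only value) is in force, IE reads the HKLM copy of the Zones key instead and the per-user values above are ignored, so check that before concluding the change did not take. As the article notes, sites that genuinely need ActiveX will stop working; add those to the Trusted sites zone instead of loosening the Internet zone.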

(4) Do not open strange messages casually, especially messages with attachments. Some e-mail viruses exploit vulnerabilities in IE and Outlook to run automatically, so users must keep IE, Outlook and other commonly used applications up to date.

Network worms, a new type of virus that has developed along with the high-speed Internet, pose an enormous danger to the network. Defending against them is no longer something antivirus vendors can do alone; it needs network security companies, system vendors, antivirus vendors and users all to take part and to build a comprehensive prevention system together.

The combination of worms with hacking techniques makes their analysis, detection and prevention difficult, and mathematical modelling of worm propagation and of the network traffic it generates remains work to be done.