1. Virus - WormsVirusFrom Wikipedia, the free encyclopediaNot to be confused with Malware.A computer virus is a computer program that can copy itself and infect acomputer. The term "virus" is also commonly but erroneously used to refer toother types of malware, including but not limited to adware and spywareprograms that do not have the reproductive ability. A true virus can spread fromone computer to another (in some form of executable code) when its host istaken to the target computer; for instance because a user sent it over a networkor the Internet, or carried it on a removable medium such as a floppy disk, CD,DVD, or USB drive.Viruses can increase their chances of spreading to other computers by infectingfiles on a network file system or a file system that is accessed by anothercomputer.As stated above, the term "computer virus" is sometimes used as a catch-allphrase to include all types of malware, even those that do not have thereproductive ability. Malware includes computer viruses, computer worms, Trojanhorses, most rootkits, spyware, dishonest adware and other malicious andunwanted software, including true viruses. Viruses are sometimes confused withworms and Trojan horses, which are technically different. A worm can exploitsecurity vulnerabilities to spread itself automatically to other computers throughnetworks, while a Trojan horse is a program that appears harmless but hidesmalicious functions. Worms and Trojan horses, like viruses, may harm acomputer systems data or performance. Some viruses and other malware havesymptoms noticeable to the computer user, but many are surreptitious or simplydo nothing to call attention to themselves. Some viruses do nothing beyondreproducing themselves.Contents [hide]1 History1.1 Academic work1.2 Science Fiction1.3 Virus programs2 Infection strategies2.1 Nonresident viruses2.2 Resident viruses3 Vectors and hosts4 Methods to avoid detection
2. 4.1 Avoiding bait files and other undesirable hosts4.2 Stealth4.2.1 Self-modification4.2.2 Encryption with a variable key4.2.3 Polymorphic code4.2.4 Metamorphic code5 Vulnerability and countermeasures5.1 The vulnerability of operating systems to viruses5.2 The role of software development5.3 Anti-virus software and other preventive measures5.4 Recovery methods5.4.1 Virus removal5.4.2 Operating system reinstallation6 See also7 References8 Further reading9 External linksHistoryAcademic workThe first academic work on the theory of computer viruses (although the term"computer virus" was not invented at that time) was done by John von Neumannin 1949 who held lectures at the University of Illinois about the "Theory andOrganization of Complicated Automata". The work of von Neumann was laterpublished as the "Theory of self-reproducing automata". In his essay vonNeumann postulated that a computer program could reproduce.In 1972 Veith Risak published his article "Selbstreproduzierende Automaten mitminimaler Informationsübertragung" (Self-reproducing automata with minimalinformation exchange). The article describes a fully functional virus written inassembler language for a SIEMENS 4004/35 computer system.In 1980 Jürgen Kraus wrote his diplom thesis "Selbstreproduktion beiProgrammen" (Self-reproduction of programs) at the University of Dortmund.In his work Kraus postulated that computer programs can behave in a waysimilar to biological viruses.In 1984 Fred Cohen from the University of Southern California wrote his paper"Computer Viruses - Theory and Experiments". It was the first paper toexplicitly call a self-reproducing program a "virus"; a term introduced by hismentor Leonard Adleman.An article that describes "useful virus functionalities" was published by J. B.Gunn under the title "Use of virus functions to provide a virtual APL interpreterunder user control" in 1984.Science FictionThe Terminal Man, a science fiction novel by Michael Crichton (1972), told (as asideline story) of a computer with telephone modem dialing capability, which hadbeen programmed to randomly dial phone numbers until it hit a modem that isanswered by another computer. It then attempted to program the answering
3. computer with its own program, so that the second computer would also begindialing random numbers, in search of yet another computer to program. Theprogram is assumed to spread exponentially through susceptible computers.The actual term virus was first used in David Gerrolds 1972 novel, WhenHARLIE Was One. In that novel, a sentient computer named HARLIE writes viralsoftware to retrieve damaging personal information from other computers toblackmail the man who wants to turn him off.Virus programsThe Creeper virus was first detected on ARPANET, the forerunner of theInternet, in the early 1970s. Creeper was an experimental self-replicatingprogram written by Bob Thomas at BBN Technologies in 1971. Creeper usedthe ARPANET to infect DEC PDP-10 computers running the TENEX operatingsystem. Creeper gained access via the ARPANET and copied itself to theremote system where the message, "Im the creeper, catch me if you can!" wasdisplayed. The Reaper program was created to delete Creeper.A program called "Elk Cloner" was the first computer virus to appear "in the wild"— that is, outside the single computer or lab where it was created. Written in1981 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operatingsystem and spread via floppy disk. This virus, created as a practical jokewhen Skrenta was still in high school, was injected in a game on a floppy disk.On its 50th use the Elk Cloner virus would be activated, infecting the computerand displaying a short poem beginning "Elk Cloner: The program with apersonality."The first PC virus in the wild was a boot sector virus dubbed (c)Brain, createdin 1986 by the Farooq Alvi Brothers in Lahore, Pakistan, reportedly to deterpiracy of the software they had written.Before computer networks became widespread, most viruses spread onremovable media, particularly floppy disks. In the early days of the personalcomputer, many users regularly exchanged information and programs onfloppies. Some viruses spread by infecting programs stored on these disks, whileothers installed themselves into the disk boot sector, ensuring that they would berun when the user booted the computer from the disk, usually inadvertently. PCsof the era would attempt to boot first from a floppy if one had been left in thedrive. Until floppy disks fell out of use, this was the most successful infectionstrategy and boot sector viruses were the most common in the wild for manyyears.Traditional computer viruses emerged in the 1980s, driven by the spread ofpersonal computers and the resultant increase in BBS, modem use, and softwaresharing. Bulletin board-driven software sharing contributed directly to the spreadof Trojan horse programs, and viruses were written to infect popularly tradedsoftware. Shareware and bootleg software were equally common vectors forviruses on BBSs.Macro viruses have become common since the mid-1990s. Most of these virusesare written in the scripting languages for Microsoft programs such as Word andExcel and spread throughout Microsoft Office by infecting documents andspreadsheets. Since Word and Excel were also available for Mac OS, most could
4. also spread to Macintosh computers. Although most of these viruses did nothave the ability to send infected email messages, those viruses which did takeadvantage of the Microsoft Outlook COM interface.Some old versions of Microsoft Word allow macros to replicate themselves withadditional blank lines. If two macro viruses simultaneously infect a document, thecombination of the two, if also self-replicating, can appear as a "mating" of thetwo and would likely be detected as a virus unique from the "parents".A virus may also send a web address link as an instant message to all thecontacts on an infected machine. If the recipient, thinking the link is from a friend(a trusted source) follows the link to the website, the virus hosted at the site maybe able to infect this new computer and continue propagating.Viruses that spread using cross-site scripting were first reported in 2002, andwere academically demonstrated in 2005. There have been multipleinstances of the cross-site scripting viruses in the wild, exploiting websites suchas MySpace and Yahoo.Infection strategiesIn order to replicate itself, a virus must be permitted to execute code and write tomemory. For this reason, many viruses attach themselves to executable files thatmay be part of legitimate programs. If a user attempts to launch an infectedprogram, the virus code may be executed simultaneously. Viruses can bedivided into two types based on their behavior when they are executed.Nonresident viruses immediately search for other hosts that can be infected,infect those targets, and finally transfer control to the application program theyinfected. Resident viruses do not search for hosts when they are started. Instead,a resident virus loads itself into memory on execution and transfers control to thehost program. The virus stays active in the background and infects new hostswhen those files are accessed by other programs or the operating system itself.Nonresident virusesNonresident viruses can be thought of as consisting of a finder module and areplication module. The finder module is responsible for finding new files toinfect. For each new executable file the finder module encounters, it calls thereplication module to infect that file.Resident virusesResident viruses contain a replication module that is similar to the one that isemployed by nonresident viruses. This module, however, is not called by a findermodule. The virus loads the replication module into memory when it is executedinstead and ensures that this module is executed each time the operating systemis called to perform a certain operation. The replication module can be called, forexample, each time the operating system executes a file. In this case the virusinfects every suitable program that is executed on the computer.Resident viruses are sometimes subdivided into a category of fast infectors and acategory of slow infectors. Fast infectors are designed to infect as many files aspossible. A fast infector, for instance, can infect every potential host file that isaccessed. This poses a special problem when using anti-virus software, since avirus scanner will access every potential host file on a computer when it performs
5. a system-wide scan. If the virus scanner fails to notice that such a virus ispresent in memory the virus can "piggy-back" on the virus scanner and in thisway infect all files that are scanned. Fast infectors rely on their fast infection rateto spread. The disadvantage of this method is that infecting many files may makedetection more likely, because the virus may slow down a computer or performmany suspicious actions that can be noticed by anti-virus software. Slowinfectors, on the other hand, are designed to infect hosts infrequently. Some slowinfectors, for instance, only infect files when they are copied. Slow infectors aredesigned to avoid detection by limiting their actions: they are less likely to slowdown a computer noticeably and will, at most, infrequently trigger anti-virussoftware that detects suspicious behavior by programs. The slow infectorapproach, however, does not seem very successful.Vectors and hostsViruses have targeted various types of transmission media or hosts. This list isnot exhaustive:Binary executable files (such as COM files and EXE files in MS-DOS, PortableExecutable files in Microsoft Windows, the Mach-O format in OSX, and ELF filesin Linux)Volume Boot Records of floppy disks and hard disk partitionsThe master boot record (MBR) of a hard diskGeneral-purpose script files (such as batch files in MS-DOS and MicrosoftWindows, VBScript files, and shell script files on Unix-like platforms).Application-specific script files (such as Telix-scripts)System specific autorun script files (such as Autorun.inf file needed by Windowsto automatically run software stored on USB Memory Storage Devices).Documents that can contain macros (such as Microsoft Word documents,Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Accessdatabase files)Cross-site scripting vulnerabilities in web applications (see XSS Worm)Arbitrary computer files. An exploitable buffer overflow, format string, racecondition or other exploitable bug in a program which reads the file could be usedto trigger the execution of code hidden within it. Most bugs of this type can bemade more difficult to exploit in computer architectures with protection featuressuch as an execute disable bit and/or address space layout randomization.PDFs, like HTML, may link to malicious code. PDFs can also be infected withmalicious code.In operating systems that use file extensions to determine program associations(such as Microsoft Windows), the extensions may be hidden from the user bydefault. This makes it possible to create a file that is of a different type than itappears to the user. For example, an executable may be created named"picture.png.exe", in which the user sees only "picture.png" and thereforeassumes that this file is an image and most likely is safe, yet when opened runsthe executable on the client machine.An additional method is to generate the virus code from parts of existingoperating system files by using the CRC16/CRC32 data. The initial code can be
6. quite small (tens of bytes) and unpack a fairly large virus. This is analogous to abiological "prion" in the way it works but is vulnerable to signature baseddetection. This attack has not yet been seen "in the wild".Methods to avoid detectionIn order to avoid detection by users, some viruses employ different kinds ofdeception. Some old viruses, especially on the MS-DOS platform, make sure thatthe "last modified" date of a host file stays the same when the file is infected bythe virus. This approach does not fool anti-virus software, however, especiallythose which maintain and date Cyclic redundancy checks on file changes.Some viruses can infect files without increasing their sizes or damaging the files.They accomplish this by overwriting unused areas of executable files. These arecalled cavity viruses. For example, the CIH virus, or Chernobyl Virus, infectsPortable Executable files. Because those files have many empty gaps, the virus,which was 1 KB in length, did not add to the size of the file.Some viruses try to avoid detection by killing the tasks associated with antivirussoftware before it can detect them.As computers and operating systems grow larger and more complex, old hidingtechniques need to be updated or replaced. Defending a computer againstviruses may demand that a file system migrate towards detailed and explicitpermission for every kind of file access.Avoiding bait files and other undesirable hostsA virus needs to infect hosts in order to spread further. In some cases, it might bea bad idea to infect a host program. For example, many anti-virus programsperform an integrity check of their own code. Infecting such programs willtherefore increase the likelihood that the virus is detected. For this reason, someviruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid are bait files.Bait files (or goat files) are files that are specially created by anti-virus software,or by anti-virus professionals themselves, to be infected by a virus. These filescan be created for various reasons, all of which are related to the detection of thevirus:Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copyof a program file that is infected by the virus). It is more practical to store andexchange a small, infected bait file, than to exchange a large application programthat has been infected by the virus.Anti-virus professionals can use bait files to study the behavior of a virus andevaluate detection methods. This is especially useful when the virus ispolymorphic. In this case, the virus can be made to infect a large number of baitfiles. The infected files can be used to test whether a virus scanner detects allversions of the virus.Some anti-virus software employs bait files that are accessed regularly. Whenthese files are modified, the anti-virus software warns the user that a virus isprobably active on the system.Since bait files are used to detect the virus, or to make detection possible, a viruscan benefit from not infecting them. Viruses typically do this by avoiding
7. suspicious programs, such as small program files or programs that containcertain patterns of garbage instructions.A related strategy to make baiting difficult is sparse infection. Sometimes, sparseinfectors do not infect a host file that would be a suitable candidate for infection inother circumstances. For example, a virus can decide on a random basiswhether to infect a file or not, or a virus can only infect host files on particulardays of the week.StealthSome viruses try to trick antivirus software by intercepting its requests to theoperating system. A virus can hide itself by intercepting the antivirus software’srequest to read the file and passing the request to the virus, instead of the OS.The virus can then return an uninfected version of the file to the antivirussoftware, so that it seems that the file is "clean". Modern antivirus softwareemploys various techniques to counter stealth mechanisms of viruses. The onlycompletely reliable method to avoid stealth is to boot from a medium that isknown to be clean.Self-modificationMost modern antivirus programs try to find virus-patterns inside ordinaryprograms by scanning them for so-called virus signatures. A signature is acharacteristic byte-pattern that is part of a certain virus or family of viruses. If avirus scanner finds such a pattern in a file, it notifies the user that the file isinfected. The user can then delete, or (in some cases) "clean" or "heal" theinfected file. Some viruses employ techniques that make detection by means ofsignatures difficult but probably not impossible. These viruses modify their codeon each infection. That is, each infected file contains a different variant of thevirus.Encryption with a variable keyA more advanced method is the use of simple encryption to encipher the virus. Inthis case, the virus consists of a small decrypting module and an encrypted copyof the virus code. If the virus is encrypted with a different key for each infectedfile, the only part of the virus that remains constant is the decrypting module,which would (for example) be appended to the end. In this case, a virus scannercannot directly detect the virus using signatures, but it can still detect thedecrypting module, which still makes indirect detection of the virus possible.Since these would be symmetric keys, stored on the infected host, it is in factentirely possible to decrypt the final virus, but this is probably not required, sinceself-modifying code is such a rarity that it may be reason for virus scanners to atleast flag the file as suspicious.An old, but compact, encryption involves XORing each byte in a virus with aconstant, so that the exclusive-or operation had only to be repeated fordecryption. It is suspicious for a code to modify itself, so the code to do theencryption/decryption may be part of the signature in many virus definitions.Polymorphic codePolymorphic code was the first technique that posed a serious threat to virusscanners. Just like regular encrypted viruses, a polymorphic virus infects fileswith an encrypted copy of itself, which is decoded by a decryption module. In the
8. case of polymorphic viruses, however, this decryption module is also modified oneach infection. A well-written polymorphic virus therefore has no parts whichremain identical between infections, making it very difficult to detect directly usingsignatures. Antivirus software can detect it by decrypting the viruses using anemulator, or by statistical pattern analysis of the encrypted virus body. To enablepolymorphic code, the virus has to have a polymorphic engine (also calledmutating engine or mutation engine) somewhere in its encrypted body. SeePolymorphic code for technical detail on how such engines operate.Some viruses employ polymorphic code in a way that constrains the mutationrate of the virus significantly. For example, a virus can be programmed to mutateonly slightly over time, or it can be programmed to refrain from mutating when itinfects a file on a computer that already contains copies of the virus. Theadvantage of using such slow polymorphic code is that it makes it more difficultfor antivirus professionals to obtain representative samples of the virus, becausebait files that are infected in one run will typically contain identical or similarsamples of the virus. This will make it more likely that the detection by the virusscanner will be unreliable, and that some instances of the virus may be able toavoid detection.Metamorphic codeTo avoid being detected by emulation, some viruses rewrite themselvescompletely each time they are to infect new executables. Viruses that utilize thistechnique are said to be metamorphic. To enable metamorphism, a metamorphicengine is needed. A metamorphic virus is usually very large and complex. Forexample, W32/Simile consisted of over 14000 lines of Assembly language code,90% of which is part of the metamorphic engine.Vulnerability and countermeasuresThe vulnerability of operating systems to virusesJust as genetic diversity in a population decreases the chance of a singledisease wiping out a population, the diversity of software systems on a networksimilarly limits the destructive potential of viruses. This became a particularconcern in the 1990s, when Microsoft gained market dominance in desktopoperating systems and office suites. The users of Microsoft software (especiallynetworking software such as Microsoft Outlook and Internet Explorer) areespecially vulnerable to the spread of viruses. Microsoft software is targeted byvirus writers due to their desktop dominance, and is often criticized for includingmany errors and holes for virus writers to exploit. Integrated and non-integratedMicrosoft applications (such as Microsoft Office) and applications with scriptinglanguages with access to the file system (for example Visual Basic Script (VBS),and applications with networking features) are also particularly vulnerable.Although Windows is by far the most popular target operating system for viruswriters, viruses also exist on other platforms. Any operating system that allowsthird-party programs to run can theoretically run viruses. Some operatingsystems are more secure than others. Unix-based operating systems (andNTFS-aware applications on Windows NT based platforms) only allow their usersto run executables within their own protected memory space.
9. An Internet based experiment revealed that there were cases when peoplewillingly pressed a particular button to download a virus. Security analyst DidierStevens ran a half year advertising campaign on Google AdWords which said "Isyour PC virus-free? Get it infected here!". The result was 409 clicks.As of 2006, there are relatively few security exploits targeting Mac OS X (with aUnix-based file system and kernel). The number of viruses for the older Appleoperating systems, known as Mac OS Classic, varies greatly from source tosource, with Apple stating that there are only four known viruses, andindependent sources stating there are as many as 63 viruses. Many Mac OSClassic viruses targeted the HyperCard authoring environment. The difference invirus vulnerability between Macs and Windows is a chief selling point, one thatApple uses in their Get a Mac advertising. In January 2009, Symantecannounced the discovery of a trojan that targets Macs. This discovery did notgain much coverage until April 2009.While Linux, and Unix in general, has always natively blocked normal users fromhaving access to make changes to the operating system environment, Windowsusers are generally not. This difference has continued partly due to thewidespread use of administrator accounts in contemporary versions like XP. In1997, when a virus for Linux was released – known as "Bliss" – leading antivirusvendors issued warnings that Unix-like systems could fall prey to viruses just likeWindows. The Bliss virus may be considered characteristic of viruses – asopposed to worms – on Unix systems. Bliss requires that the user run it explicitly,and it can only infect programs that the user has the access to modify. UnlikeWindows users, most Unix users do not log in as an administrator user except toinstall or configure software; as a result, even if a user ran the virus, it could notharm their operating system. The Bliss virus never became widespread, andremains chiefly a research curiosity. Its creator later posted the source code toUsenet, allowing researchers to see how it worked.The role of software developmentBecause software is often designed with security features to preventunauthorized use of system resources, many viruses must exploit software bugsin a system or application to spread. Software development strategies thatproduce large numbers of bugs will generally also produce potential exploits.Anti-virus software and other preventive measuresMany users install anti-virus software that can detect and eliminate knownviruses after the computer downloads or runs the executable. There are twocommon methods that an anti-virus software application uses to detect viruses.The first, and by far the most common method of virus detection is using a list ofvirus signature definitions. This works by examining the content of the computersmemory (its RAM, and boot sectors) and the files stored on fixed or removabledrives (hard drives, floppy drives), and comparing those files against a databaseof known virus "signatures". The disadvantage of this detection method is thatusers are only protected from viruses that pre-date their last virus definitionupdate. The second method is to use a heuristic algorithm to find viruses basedon common behaviors. This method has the ability to detect novel viruses thatanti-virus security firms have yet to create a signature for.
10. Some anti-virus programs are able to scan opened files in addition to sent andreceived email messages "on the fly" in a similar manner. This practice is knownas "on-access scanning". Anti-virus software does not change the underlyingcapability of host software to transmit viruses. Users must update their softwareregularly to patch security holes. Anti-virus software also needs to be regularlyupdated in order to recognize the latest threats.One may also minimize the damage done by viruses by making regular backupsof data (and the operating systems) on different media, that are either keptunconnected to the system (most of the time), read-only or not accessible forother reasons, such as using different file systems. This way, if data is lostthrough a virus, one can start again using the backup (which should preferablybe recent).If a backup session on optical media like CD and DVD is closed, it becomesread-only and can no longer be affected by a virus (so long as a virus or infectedfile was not copied onto the CD/DVD). Likewise, an operating system on abootable CD can be used to start the computer if the installed operating systemsbecome unusable. Backups on removable media must be carefully inspectedbefore restoration. The Gammima virus, for example, propagates via removableflash drives.Recovery methodsOnce a computer has been compromised by a virus, it is usually unsafe tocontinue using the same computer without completely reinstalling the operatingsystem. However, there are a number of recovery options that exist after acomputer has a virus. These actions depend on severity of the type of virus.Virus removalOne possibility on Windows Me, Windows XP, Windows Vista and Windows 7 isa tool known as System Restore, which restores the registry and critical systemfiles to a previous checkpoint. Often a virus will cause a system to hang, and asubsequent hard reboot will render a system restore point from the same daycorrupt. Restore points from previous days should work provided the virus is notdesigned to corrupt the restore files or also exists in previous restore points.Some viruses, however, disable System Restore and other important tools suchas Task Manager and Command Prompt. An example of a virus that does this isCiaDoor. However, many such viruses can be removed by rebooting thecomputer, entering Windows safe mode, and then using system tools.Administrators have the option to disable such tools from limited users for variousreasons (for example, to reduce potential damage from and the spread ofviruses). A virus can modify the registry to do the same even if the Administratoris controlling the computer; it blocks all users including the administrator fromaccessing the tools. The message "Task Manager has been disabled by youradministrator" may be displayed, even to the administrator.Users running a Microsoft operating system can access Microsofts website torun a free scan, provided they have their 20-digit registration number. Manywebsites run by anti-virus software companies provide free online virus scanning,with limited cleaning facilities (the purpose of the sites is to sell anti-virusproducts). Some websites allow a single suspicious file to be checked by many
11. antivirus programs in one operation.Operating system reinstallationReinstalling the operating system is another approach to virus removal. Itinvolves either reformatting the computers hard drive and installing the OS andall programs from original media, or restoring the entire partition with a cleanbackup image. User data can be restored by booting from a Live CD, or puttingthe hard drive into another computer and booting from its operating system withgreat care not to infect the second computer by executing any infected programson the original drive; and once the system has been restored precautions mustbe taken to avoid reinfection from a restored executable file.These methods are simple to do, may be faster than disinfecting a computer, andare guaranteed to remove any malware. If the operating system and programsmust be reinstalled from scratch, the time and effort to reinstall, reconfigure, andrestore user preferences must be taken into account. Restoring from an image ismuch faster, totally safe, and restores the exact configuration to the state it wasin when the image was made, with no further trouble.See alsoAdwareAntivirus softwareComputer insecurityComputer wormCrimewareCryptovirologyLinux malwareList of computer virus hoaxes Computer security portalList of computer virusesList of computer viruses (all)MalwareMobile virusesMultipartite virusSpamSpywareTrojan horse (computing)Virus hoaxReferences^ a b Dr. Solomons Virus Encyclopedia, 1995, ISBN 1897661002, Abstract athttp://vx.netlux.org/lib/aas10.html^ Jussi Parikka (2007) "Digital Contagions. A Media Archaeology of ComputerViruses", Peter Lang: New York. Digital Formations-series. ISBN978-0-8204-8837-0, p. 19^ http://www.bartleby.com/61/97/C0539700.html^ "What is a Computer Virus?". Actlab.utexas.edu. 1996-03-31. Retrieved2010-08-27.
12. ^ von Neumann, John (1966). "Theory of Self-Reproducing Automata". Essayson Cellular Automata (University of Illinois Press): 66–87. Retrieved June 10.,2010.^ Risak, Veith (1972), "Selbstreproduzierende Automaten mit minimalerInformationsübertragung", Zeitschrift für Maschinenbau und Elektrotechnik^ Kraus, Jürgen (February 1980), Selbstreproduktion bei Programmen^ Cohen, Fred (1984), Computer Viruses - Theory and Experiments^ Gunn, J.B. (June 1984). "Use of virus functions to provide a virtual APLinterpreter under user control". ACM SIGAPL APL Quote Quad archive (ACMNew York, NY, USA) 14 (4): 163–168. ISSN 0163-6006.^ "Virus list". Retrieved 2008-02-07.^ Thomas Chen, Jean-Marc Robert (2004). "The Evolution of Viruses andWorms". Retrieved 2009-02-16.^ Jussi Parikka (2007) "Digital Contagions. A Media Archaeology of ComputerViruses", Peter Lang: New York. Digital Formations-series. ISBN978-0-8204-8837-0, p. 50^ See page 86 of Computer Security Basics by Deborah Russell and G. T.Gangemi. OReilly, 1991. ISBN 0937175714^ a b Anick Jesdanun (1 September 2007). "School prank starts 25 years ofsecurity woes". CNBC. Retrieved 2010-01-07.^ "The anniversary of a nuisance".[dead link]^ "Boot sector virus repair". Antivirus.about.com. 2010-06-10. Retrieved2010-08-27.^ "Amjad Farooq Alvi Inventor of first PC Virus post by Zagham". YouTube.Retrieved 2010-08-27.^ Vesselin Bontchev. "Macro Virus Identification Problems". FRISK SoftwareInternational.^ Berend-Jan Wever. "XSS bug in hotmail login page".^ Wade Alcorn. "The Cross-site Scripting Virus".^ "Virus Bulletin : Glossary - Polymorphic virus". Virusbtn.com. 2009-10-01.Retrieved 2010-08-27.^ Perriot, Fredrick; Peter Ferrie and Peter Szor (May 2002). "Striking Similarities"(PDF). Retrieved September 9, 2007.^ "Virus Bulletin : Glossary — Metamorphic virus". Virusbtn.com. Retrieved2010-08-27.^ "Need a computer virus?- download now". Infoniac.com. Retrieved 2010-08-27.^ ""Is your PC virus-free? Get it infected here!" « Didier Stevens".Blog.didierstevens.com. 2006-10-23. Retrieved 2010-08-27.^ "Malware Evolution: Mac OS X Vulnerabilities 2005-2006". Kaspersky Lab.2006-07-24. Retrieved August 19, 2006.^ Apple - Get a Mac^ a b Sutter, John D. (22 April 2009). "Experts: Malicious program targets Macs".CNN.com. Retrieved 24 April 2009.^ McAfee. "McAfee discovers first Linux virus". news article.^ Axel Boldt. "Bliss, a Linux "virus"". news article.^ "Symantec Security Summary — W32.Gammima.AG."
13. http://www.symantec.com/security_response/writeup.jsp?docid=2007-082706-1742-99^ "Yahoo Tech: Viruses! In! Space!" http://tech.yahoo.com/blogs/null/103826^ "Symantec Security Summary — W32.Gammima.AG and removal details."http://www.symantec.com/security_response/writeup.jsp?docid=2007-082706-1742-99&tabid=3Further readingMark Russinovich, Advanced Malware Cleaning video, Microsoft TechEd: ITForum, November 2006Szor, Peter (2005). The Art of Computer Virus Research and Defense. Boston:Addison-Wesley. ISBN 0321304543.Jussi Parikka (2007) "Digital Contagions. A Media Archaeology of ComputerViruses", Peter Lang: New York. Digital Formations-series. ISBN978-0-8204-8837-0Burger, Ralf, 1991 Computer Viruses and Data ProtectionLudwig, Mark, 1996 The Little Black Book of Computer VirusesLudwig, Mark, 1995 The Giant Black Book of Computer VirusesLudwig, Mark, 1993 Computer Viruses, Artificial Life and EvolutionExternal linksViruses at the Open Directory ProjectUS Govt CERT (Computer Emergency Readiness Team) siteComputer Viruses - Theory and Experiments - The original paper published onthe topicHow Computer Viruses WorkA Brief History of PC Viruses" (early) by Dr. Alan SolomonAre Good Computer Viruses Still a Bad Idea?Protecting your Email from Viruses and Other MalWareHacking Away at the Counterculture by Andrew RossA Virus in Info-Space by Tony SampsonDr Aycocks Bad Idea by Tony SampsonDigital Monsters, Binary Aliens by Jussi ParikkaThe Universal Viral Machine" by Jussi ParikkaHypervirus: A Clinical Report" by Thierry BardiniVirus removal and other MalwareThe Cross-site Scripting VirusThe Virus UndergroundHistorys 50 Deadliest Computer Viruses by O.C. Ugwu[hide]v · d · eMalwareInfectious malwareComputer virus · Macro virus · List of computer viruses · Computer worm · List ofcomputer worms · Timeline of notable computer viruses and wormsConcealmentTrojan horse · Rootkit · BackdoorMalware for profit
14. Privacy-invasive software · Spyware · Botnet · Keystroke logging · Web threats ·Fraudulent dialer · MalbotBy operating systemLinux malware · Palm OS viruses · Mobile virusProtectionAntivirus software · Defensive computing · Firewall · Intrusion detection system ·Data loss prevention softwareLaw enforcementComputer surveillance · Operation: Bot RoastCategories: Computer viruses | Computer security exploitsWormsFrom Wikipedia, the free encyclopediaMorris Worm source code disk at the Computer History Museum.Spread of Conficker worm.A computer worm is a self-replicating malware computer program, which uses acomputer network to send copies of itself to other nodes (computers on thenetwork) and it may do so without any user intervention. This is due to securityshortcomings on the target computer. Unlike a computer virus, it does not needto attach itself to an existing program. Worms almost always cause at least someharm to the network, even if only by consuming bandwidth, whereas virusesalmost always corrupt or modify files on a targeted computer.Contents [hide]1 Payloads2 Worms with good intent3 Protecting against dangerous computer worms4 Mitigation techniques5 History6 See also7 References8 External linksPayloadsMany worms that have been created are only designed to spread, and dontattempt to alter the systems they pass through. However, as the Morris wormand Mydoom showed, even these "payload free" worms can cause majordisruption by increasing network traffic and other unintended effects. A "payload"is code in the worm designed to do more than spread the worm–it might delete
15. files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviralextortion attack, or send documents via e-mail. A very common payload forworms is to install a backdoor in the infected computer to allow the creation of a"zombie" computer under control of the worm author. Networks of such machinesare often referred to as botnets and are very commonly used by spam sendersfor sending junk email or to cloak their websites address. Spammers aretherefore thought to be a source of funding for the creation of such worms,and the worm writers have been caught selling lists of IP addresses of infectedmachines. Others try to blackmail companies with threatened DoS attacks.Backdoors can be exploited by other malware, including worms. Examplesinclude Doomjuice, which spreads better using the backdoor opened byMydoom, and at least one instance of malware taking advantage of the rootkitand backdoor installed by the Sony/BMG DRM software utilized by millions ofmusic CDs prior to late 2005.[dubious – discuss]Worms with good intentBeginning with the very first research into worms at Xerox PARC, there havebeen attempts to create useful worms. The Nachi family of worms, for example,tried to download and install patches from Microsofts website to fix vulnerabilitiesin the host system–by exploiting those same vulnerabilities. In practice, althoughthis may have made these systems more secure, it generated considerablenetwork traffic, rebooted the machine in the course of patching it, and did its workwithout the consent of the computers owner or user.Some worms, such as XSS worms, have been written for research to determinethe factors of how worms spread, such as social activity and change in userbehavior, while other worms are little more than a prank, such as one that sendsthe popular image macro of an owl with the phrase "O RLY?" to a print queue inthe infected computer. Another research proposed what seems to be the firstcomputer worm that operates on the second layer of the OSI model (Data linkLayer), it utilizes topology information such as Content-addressable memory(CAM) tables and Spanning Tree information stored in switches to propagate andprobe for vulnerable nodes until the enterprise network is covered.Most security experts regard all worms as malware, whatever their payload ortheir writers intentions.Protecting against dangerous computer wormsWorms spread by exploiting vulnerabilities in operating systems. Vendors withsecurity problems supply regular security updates (see "Patch Tuesday"), andif these are installed to a machine then the majority of worms are unable tospread to it. If a vulnerability is disclosed before the security patch released bythe vendor, a Zero-day attack is possible.Users need to be wary of opening unexpected email, and should not runattached files or programs, or visit web sites that are linked to such emails.However, as with the ILOVEYOU worm, and with the increased growth andefficiency of phishing attacks, it remains possible to trick the end-user intorunning a malicious code.
16. Anti-virus and anti-spyware software are helpful, but must be kept up-to-date withnew pattern files at least every few days. The use of a firewall is alsorecommended.In the April–June, 2008, issue of IEEE Transactions on Dependable and SecureComputing, computer scientists describe a potential new way to combat internetworms. The researchers discovered how to contain the kind of worm that scansthe Internet randomly, looking for vulnerable hosts to infect. They found that thekey is for software to monitor the number of scans that machines on a networksends out. When a machine starts sending out too many scans, it is a sign that ithas been infected, allowing administrators to take it off line and check it forviruses.Mitigation techniquesACLs in routers and switchesPacket-filtersNullroutingTCP Wrapper/libwrap enabled network service daemonsHistoryThe actual term "worm" was first used in John Brunners 1975 novel, TheShockwave Rider. In that novel, Nichlas Haflinger designs and sets off a data-gathering worm in an act of revenge against the powerful men who run a nationalelectronic information web that induces mass conformity. "You have the biggest-ever worm loose in the net, and it automatically sabotages any attempt to monitorit... Theres never been a worm with that tough a head or that long a tail!"On November 2, 1988, Robert Tappan Morris, a Cornell University computerscience graduate student, unleashed what became known as the Morris worm,disrupting perhaps 10% of the computers then on the Internet andprompting the formation of the CERT Coordination Center and Phage mailinglist. Morris himself became the first person tried and convicted under the1986 Computer Fraud and Abuse Act.See alsoComputer surveillanceComputer virusHelpful wormSpamTimeline of notable computer viruses and wormsTrojan horse (computing)XSS WormReferences^ Ray, Tiernan (February 18, 2004). "Business & Technology: E-mail virusesblamed as spam rises sharply". The Seattle Times.^ McWilliams, Brian (October 9, 2003). "Cloaking Device Made for Spammers".Wired.
17. ^ "Unavailable".^ "Uncovered: Trojans as Spam Robots". heise online.^ "Hacker threats to bookies probed". BBC News. February 23, 2004.^ Al-Salloum, Z.; et al. (2010). "A Link-Layer-Based Self-Replicating VulnerabilityDiscovery Agent". ISCC 2010.. IEEE^ USN list | Ubuntu^ Information on the Nimda Worm^ Sellke, S. H.; Shroff, N. B.; Bagchi, S. (2008). "Modeling and AutomatedContainment of Worms". IEEE Transactions on Dependable and SecureComputing 5 (2): 71–86.^ "A New Way to Protect Computer Networks from Internet Worms". Newswise.Retrieved June 5, 2008.^ Brunner, John (1975). The Shockwave Rider. New York: Ballantine Books.ISBN 0060105593.^ "The Submarine".^ During the Morris appeal process, the U.S. Court of Appeals estimated the costof removing the virus from each installation was in the range of $200–53,000.Possibly based on these numbers, Harvard spokesman Clifford Stoll estimatedthe total economic impact was between $100,000–10,000,000. "Bs2.comhomepage". Retrieved 20 November 2010.^ "Security of the Internet". CERT/CC.^ "Phage mailing list". securitydigest.org.^ Dressler, J. (2007). "United States v. Morris". Cases and Materials on CriminalLaw. St. Paul, MN: Thomson/West. ISBN 9780314177193.External linksThe Wildlist - List of viruses and worms in the wild (i.e. regularly encountered byanti-virus companies)Jose Nazario discusses worms - Worms overview by a famous securityresearcher.Computer worm suspect in courtVernalex.coms Malware Removal Guide - Guide for understanding, removingand preventing worm infectionsJohn Shoch, Jon Hupp "The "Worm" Programs - Early Experience with aDistributed Computation"RFC 1135 The Helminthiasis of the InternetSurfing Safe - A site providing tips/advice on preventing and removing viruses.Computer Worms InformationThe Case for Using Layered Defenses to Stop WormsWorm Evolution Paper from Digital Threat[hide]v · d · eMalwareInfectious malwareComputer virus · Macro virus · List of computer viruses · Computer worm · List ofcomputer worms · Timeline of notable computer viruses and wormsConcealmentTrojan horse · Rootkit · Backdoor
18. Malware for profitPrivacy-invasive software · Spyware · Botnet · Keystroke logging · Web threats ·Fraudulent dialer · MalbotBy operating systemLinux malware · Palm OS viruses · Mobile virusProtectionAntivirus software · Defensive computing · Firewall · Intrusion detection system ·Data loss prevention softwareLaw enforcementComputer surveillance · Operation: Bot Roast TrojanFrom Wikipedia, the free encyclopediaAn email box folder littered with spam messages.Spam is the use of electronic messaging systems (including most broadcastmedia, digital delivery systems) to send unsolicited bulk messagesindiscriminately. While the most widely recognized form of spam is e-mail spam,the term is applied to similar abuses in other media: instant messaging spam,Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam,online classified ads spam, mobile phone messaging spam, Internet forum spam,junk fax transmissions, social networking spam, television advertising and filesharing network spam.Spamming remains economically viable because advertisers have no operatingcosts beyond the management of their mailing lists, and it is difficult to holdsenders accountable for their mass mailings. Because the barrier to entry is solow, spammers are numerous, and the volume of unsolicited mail has becomevery high. In the year 2011 the estimated figure for spam messages are aroundseven trillion. The costs, such as lost productivity and fraud, are borne by thepublic and by Internet service providers, which have been forced to add extracapacity to cope with the deluge. Spamming has been the subject of legislation inmany jurisdictions.People who create electronic spam are called spammers.Contents [hide]1 In different media1.1 E-mail1.2 Instant Messaging1.3 Newsgroup and forum1.4 Mobile phone1.5 Online game messaging1.6 Spam targeting search engines (spamdexing)
19. 1.7 Blog, wiki, and guestbook1.8 Spam targeting video sharing sites1.9 SPIT2 Noncommercial forms3 Geographical origins4 History4.1 Pre-Internet4.2 Etymology4.3 History of Internet forms5 Trademark issues6 Cost Benefit Analyses6.1 General costs7 In crime8 Political issues9 Court cases9.1 United States9.2 United Kingdom9.3 New Zealand10 Newsgroups11 See also12 References12.1 Notes12.2 Sources13 Further reading14 External linksIn different mediaE-mailMain article: E-mail spamE-mail spam, known as unsolicited bulk Email (UBE), junk mail, or unsolicitedcommercial email (UCE), is the practice of sending unwanted e-mail messages,frequently with commercial content, in large quantities to an indiscriminate set ofrecipients. Spam in e-mail started to become a problem when the Internet wasopened up to the general public in the mid-1990s. It grew exponentially over thefollowing years, and today composes some 80 to 85% of all the email in theworld, by a "conservative estimate". Pressure to make e-mail spam illegal hasbeen successful in some jurisdictions, but less so in others. Spammers takeadvantage of this fact, and frequently outsource parts of their operations tocountries where spamming will not get them into legal trouble.Increasingly, e-mail spam today is sent via "zombie networks", networks of virus-or worm-infected personal computers in homes and offices around the globe;many modern worms install a backdoor which allows the spammer access to thecomputer and use it for malicious purposes. This complicates attempts to controlthe spread of spam, as in many cases the spam doesnt even originate from thespammer. In November 2008 an ISP, McColo, which was providing service tobotnet operators, was depeered and spam dropped 50%-75% Internet-wide. At
20. the same time, it is becoming clear that malware authors, spammers, andphishers are learning from each other, and possibly forming various kinds ofpartnerships.An industry of e-mail address harvesting is dedicated to collecting emailaddresses and selling compiled databases. Some of these address harvestingapproaches rely on users not reading the fine print of agreements, resulting inthem agreeing to send messages indiscriminately to their contacts. This is acommon approach in social networking spam such as that generated by thesocial networking site Quechup.Instant MessagingMain article: Messaging spamInstant Messaging spam makes use of instant messaging systems. Although lessubiquitous than its e-mail counterpart, according to a report from FerrisResearch, 500 million spam IMs were sent in 2003, twice the level of 2002. Asinstant messaging tends to not be blocked by firewalls, it is an especially usefulchannel for spammers. This is very common on many instant messaging systemsuch as Skype.Newsgroup and forumMain article: Newsgroup spamNewsgroup spam is a type of spam where the targets are Usenet newsgroups.Spamming of Usenet newsgroups actually pre-dates e-mail spam. Usenetconvention defines spamming as excessive multiple posting, that is, the repeatedposting of a message (or substantially similar messages). The prevalence ofUsenet spam led to the development of the Breidbart Index as an objectivemeasure of a messages "spamminess".Main article: Forum spamForum spam is the creating of messages that are advertisements or otherwiseunwanted on Internet forums. It is generally done by automated spambots. Mostforum spam consists of links to external sites, with the dual goals of increasingsearch engine visibility in highly competitive areas such as weight loss,pharmaceuticals, gambling, pornography, real estate or loans, and generatingmore traffic for these commercial websites. Some of these links contain code totrack the spambots identity if a sale goes through, when the spammer behind thespambot works on commission.Mobile phoneMain article: Mobile phone spamMobile phone spam is directed at the text messaging service of a mobile phone.This can be especially irritating to customers not only for the inconvenience butalso because of the fee they may be charged per text message received in somemarkets. The term "SpaSMS" was coined at the adnews website Adland in 2000to describe spam SMS.Online game messagingMany online games allow players to contact each other via player-to-playermessaging, chat rooms, or public discussion areas. What qualifies as spamvaries from game to game, but usually this term applies to all forms of messageflooding, violating the terms of service contract for the website. This is particularly
21. common in MMORPGs where the spammers are trying to sell game-related"items" for real-world money, chiefly among these items is in-game currency.This kind of spamming is also called Real World Trading (RWT). In the popularMMORPG Runescape, it is common for spammers to advertise sites that sellgold in multiple methods of spam. They send spam via the in-game privatemessaging system, via using emotes to gain attention, and by yelling publicly toeveryone in the area.Spam targeting search engines (spamdexing)Main article: SpamdexingSpamdexing (a portmanteau of spamming and indexing) refers to a practice onthe World Wide Web of modifying HTML pages to increase the chances of thembeing placed high on search engine relevancy lists. These sites use "black hatsearch engine optimization (SEO) techniques" to deliberately manipulate theirrank in search engines. Many modern search engines modified their searchalgorithms to try to exclude web pages utilizing spamdexing tactics. For example,the search bots will detect repeated keywords as spamming by using a grammaranalysis. If a website owner is found to have spammed the webpage to falselyincrease its page rank, the website may be penalized by search engines.Blog, wiki, and guestbookMain article: Spam in blogsBlog spam, or "blam" for short, is spamming on weblogs. In 2003, this type ofspam took advantage of the open nature of comments in the blogging softwareMovable Type by repeatedly placing comments to various blog posts thatprovided nothing more than a link to the spammers commercial web site.Similar attacks are often performed against wikis and guestbooks, both of whichaccept user contributions.Spam targeting video sharing sitesVideo sharing sites, such as YouTube, are now being frequently targeted byspammers. The most common technique involves people (or spambots) postinglinks to sites, most likely pornographic or dealing with online dating, on thecomments section of random videos or peoples profiles. Another frequently usedtechnique is using bots to post messages on random users profiles to a spamaccounts channel page, along with enticing text and images, usually of asexually suggestive nature. These pages may include their own or other usersvideos, again often suggestive. The main purpose of these accounts is to drawpeople to their link in the home page section of their profile. YouTube hasblocked the posting of such links. In addition, YouTube has implemented aCAPTCHA system that makes rapid posting of repeated comments much moredifficult than before, because of abuse in the past by mass-spammers who wouldflood peoples profiles with thousands of repetitive comments.Yet another kind is actual video spam, giving the uploaded movie a name anddescription with a popular figure or event which is likely to draw attention, orwithin the video has a certain image timed to come up as the videos thumbnailimage to mislead the viewer. The actual content of the video ends up beingtotally unrelated, a Rickroll, sometimes offensive, or just features on-screen textof a link to the site being promoted. Others may upload videos presented in an
22. infomercial-like format selling their product which feature actors and paidtestimonials, though the promoted product or service is of dubious quality andwould likely not pass the scrutiny of a standards and practices department at atelevision station or cable network.SPITSPIT (SPam over Internet Telephony) is VoIP (Voice over Internet Protocol)spam, usually using SIP (Session Initiation Protocol).Noncommercial formsE-mail and other forms of spamming have been used for purposes other thanadvertisements. Many early Usenet spams were religious or political. SerdarArgic, for instance, spammed Usenet with historical revisionist screeds. Anumber of evangelists have spammed Usenet and e-mail media with preachingmessages. A growing number of criminals are also using spam to perpetratevarious sorts of fraud, and in some cases have used it to lure people tolocations where they have been kidnapped, held for ransom, and even murdered.Geographical originsA 2009 Cisco Systems report lists the origin of spam by country as follows:Rank Country Spam messages per year (in trillions)1 Brazil 7.72 United States 6.63 India 3.64 South Korea 3.15 Turkey 2.66 Vietnam 2.57 China 2.48 Poland 2.49 Russia 2.310 Argentina 1.5HistoryPre-InternetIn the late 19th Century Western Union allowed telegraphic messages on itsnetwork to be sent to multiple destinations. The first recorded instance of a massunsolicited commercial telegram is from May 1864. Up until the GreatDepression wealthy North American residents would be deluged with nebulousinvestment offers. This problem never fully emerged in Europe to the degree thatit did in the Americas, because telegraphy was regulated by national post officesin the European region.EtymologyAccording to the Internet Society and other sources, the term spam is derivedfrom the 1970 Spam sketch of the BBC television comedy series "Monty PythonsFlying Circus". The sketch is set in a cafe where nearly every item on themenu includes Spam canned luncheon meat. As the waiter recites the Spam-
23. filled menu, a chorus of Viking patrons drowns out all conversations with a songrepeating "Spam, Spam, Spam, Spam... lovely Spam! wonderful Spam!", hence"Spamming" the dialogue. The excessive amount of Spam mentioned in thesketch is a reference to the preponderance of imported canned meat products inthe United Kingdom, particularly corned beef from Argentina, in the years afterWorld War II, as the country struggled to rebuild its agricultural base. Spamcaptured a large slice of the British market within lower economic classes andbecame a byword among British children of the 1960s for low-grade fodder dueto its commonality, monotonous taste and cheap price - hence the humour of thePython sketch.In the 1980s the term was adopted to describe certain abusive users whofrequented BBSs and MUDs, who would repeat "Spam" a huge number of timesto scroll other users text off the screen. In early Chat rooms services likePeopleLink and the early days of AOL, they actually flooded the screen withquotes from the Monty Python Spam sketch. With internet connections overphone lines, typically running at 1200 or even 300 bit/s, it could take anenormous amount of time for a spammy logo, drawn in ASCII art to scroll tocompletion on a viewers terminal. Sending an irritating, large, meaningless blockof text in this way was called spamming. This was used as a tactic by insiders ofa group that wanted to drive newcomers out of the room so the usualconversation could continue. It was also used to prevent members of rival groupsfrom chatting—for instance, Star Wars fans often invaded Star Trek chat rooms,filling the space with blocks of text until the Star Trek fans left. This act,previously called flooding or trashing, came to be known as spamming. Theterm was soon applied to a large amount of text broadcast by many users.It later came to be used on Usenet to mean excessive multiple posting—therepeated posting of the same message. The unwanted message would appear inmany if not all newsgroups, just as Spam appeared in nearly all the menu itemsin the Monty Python sketch. The first usage of this sense was by Joel Furr inthe aftermath of the ARMM incident of March 31, 1993, in which a piece ofexperimental software released dozens of recursive messages onto thenews.admin.policy newsgroup. This use had also become established—tospam Usenet was flooding newsgroups with junk messages. The word was alsoattributed to the flood of "Make Money Fast" messages that clogged manynewsgroups during the 1990s. In 1998, the New OxfordDictionary of English, which had previously only defined "spam" in relation to thetrademarked food product, added a second definition to its entry for "spam":"Irrelevant or inappropriate messages sent on the Internet to a large number ofnewsgroups or users."There are several popular false etymologies of the word "spam". One,promulgated by early spammers Laurence Canter and Martha Siegel, is that"spamming" is what happens when one dumps a can of Spam luncheon meatinto a fan blade. Some others are the backronym stupidpointless annoying messages." There was also an effort todifferentiate between types of spam. That which was sent indiscriminately to anye-mail address was true spam while that which was targeted to more likely
24. prospects, although just as unsolicited, was called velveeta (after the cheeseproduct). But this latter term didnt persist.History of Internet formsThe earliest documented spam was a message advertising the availability of anew model of Digital Equipment Corporation computers sent to 393 recipients onARPANET in 1978, by Gary Thuerk. The term "spam" for this practicehad not yet been applied. Spamming had been practiced as a prank byparticipants in multi-user dungeon games, to fill their rivals accounts withunwanted electronic junk. The first known electronic chain letter, titled MakeMoney Fast, was released in 1988.The first major commercial spam incident started on March 5, 1994, when ahusband and wife team of lawyers, Laurence Canter and Martha Siegel, beganusing bulk Usenet posting to advertise immigration law services. The incidentwas commonly termed the "Green Card spam", after the subject line of thepostings. Defiant in the face of widespread condemnation, the attorneys claimedtheir detractors were hypocrites or "zealouts", claimed they had a free speechright to send unwanted commercial messages, and labeled their opponents "anti-commerce radicals." The couple wrote a controversial book entitled How to Makea Fortune on the Information Superhighway.Later that year a poster operating under the alias Serdar Argic postedantagonistic messages denying the Armenian Genocide to tens of thousands ofUsenet discussions that had been searched for the word Turkey. Within a fewyears, the focus of spamming (and anti-spam efforts) moved chiefly to e-mail,where it remains today. Arguably, the aggressive email spamming by anumber of high-profile spammers such as Sanford Wallace of Cyber Promotionsin the mid-to-late 1990s contributed to making spam predominantly an emailphenomenon in the public mind. By 2009, the majority of spamsent around the world was in the English language; spammers began usingautomatic translation services to send spam in other languages.Trademark issuesHormel Foods Corporation, the maker of Spam luncheon meat, does not objectto the Internet use of the term "spamming". However, they did ask that thecapitalized word "Spam" be reserved to refer to their product and trademark.By and large, this request is obeyed in forums which discuss spam. In HormelFoods v SpamArrest, Hormel attempted to assert its trademark rights againstSpamArrest, a software company, from using the mark "spam", since Hormelowns the trademark. In a dilution claim, Hormel argued that Spam Arrests use ofthe term "spam" had endangered and damaged "substantial goodwill and goodreputation" in connection with its trademarked lunch meat and related products.Hormel also asserts that Spam Arrests name so closely resembles its luncheonmeat that the public might become confused, or might think that Hormelendorses Spam Arrests products.Hormel did not prevail. Attorney Derek Newman responded on behalf of SpamArrest: "Spam has become ubiquitous throughout the world to describeunsolicited commercial e-mail. No company can claim trademark rights on a
25. generic term." Hormel stated on its website: "Ultimately, we are trying to avoidthe day when the consuming public asks, Why would Hormel Foods name itsproduct after junk email?".Hormel also made two attempts that were dismissed in 2005 to revoke the marks"SPAMBUSTER" and Spam Cube. Hormels Corporate Attorney MelanieJ. Neumann also sent SpamCops Julian Haight a letter on August 27, 1999requesting that he delete an objectionable image (a can of Hormels Spamluncheon meat product in a trash can), change references to UCE spam to alllower case letters, and confirm his agreement to do so.Cost Benefit AnalysesThe European Unions Internal Market Commission estimated in 2001 that "junke-mail" cost Internet users €10 billion per year worldwide. The Californialegislature found that spam cost United States organizations alone more than$13 billion in 2007, including lost productivity and the additional equipment,software, and manpower needed to combat the problem. Spams directeffects include the consumption of computer and network resources, and the costin human time and attention of dismissing unwanted messages.In addition, spam has costs stemming from the kinds of spam messages sent,from the ways spammers send them, and from the arms race betweenspammers and those who try to stop or control spam. In addition, there are theopportunity cost of those who forgo the use of spam-afflicted systems. There arethe direct costs, as well as the indirect costs borne by the victims—both thoserelated to the spamming itself, and to other crimes that usually accompany it,such as financial theft, identity theft, data and intellectual property theft, virus andother malware infection, child pornography, fraud, and deceptive marketing.The cost to providers of search engines is not insignificant: "The secondaryconsequence of spamming is that search engine indexes are inundated withuseless pages, increasing the cost of each processed query". The methods ofspammers are likewise costly. Because spamming contravenes the vast majorityof ISPs acceptable-use policies, most spammers have for many years gone tosome trouble to conceal the origins of their spam. E-mail, Usenet, and instant-message spam are often sent through insecure proxy servers belonging tounwilling third parties. Spammers frequently use false names, addresses, phonenumbers, and other contact information to set up "disposable" accounts atvarious Internet service providers. In some cases, they have used falsified orstolen credit card numbers to pay for these accounts. This allows them to quicklymove from one account to the next as each one is discovered and shut down bythe host ISPs.The costs of spam also include the collateral costs of the struggle betweenspammers and the administrators and users of the media threatened byspamming.  Many users are bothered by spam because it impinges upon theamount of time they spend reading their e-mail. Many also find the content ofspam frequently offensive, in that pornography is one of the most frequentlyadvertised products. Spammers send their spam largely indiscriminately, sopornographic ads may show up in a work place e-mail inbox—or a childs, the
26. latter of which is illegal in many jurisdictions. Recently, there has been anoticeable increase in spam advertising websites that contain child pornography.Some spammers argue that most of these costs could potentially be alleviated byhaving spammers reimburse ISPs and persons for their material.There are three problems with this logic: first, the rate of reimbursement theycould credibly budget is not nearly high enough to pay the direct costs[citationneeded], second, the human cost (lost mail, lost time, and lost opportunities) isbasically unrecoverable, and third, spammers often use stolen bank accountsand credit cards to finance their operations, and would conceivably do so to payoff any fines imposed.E-mail spam exemplifies a tragedy of the commons: spammers use resources(both physical and human), without bearing the entire cost of those resources. Infact, spammers commonly do not bear the cost at all. This raises the costs foreveryone. In some ways spam is even a potential threat to the entire e-mailsystem, as operated in the past. Since e-mail is so cheap to send, a tiny numberof spammers can saturate the Internet with junk mail. Although only a tinypercentage of their targets are motivated to purchase their products (or fall victimto their scams), the low cost may provide a sufficient conversion rate to keep thespamming alive. Furthermore, even though spam appears not to be economicallyviable as a way for a reputable company to do business, it suffices forprofessional spammers to convince a tiny proportion of gullible advertisers that itis viable for those spammers to stay in business. Finally, new spammers go intobusiness every day, and the low costs allow a single spammer to do a lot of harmbefore finally realizing that the business is not profitable.Some companies and groups "rank" spammers; spammers who make the newsare sometimes referred to by these rankings. The secretive nature ofspamming operations makes it difficult to determine how proliferated anindividual spammer is, thus making the spammer hard to track, block or avoid.Also, spammers may target different networks to different extents, depending onhow successful they are at attacking the target. Thus considerable resources areemployed to actually measure the amount of spam generated by a single personor group. For example, victims that use common anti-spam hardware, softwareor services provide opportunities for such tracking. Nevertheless, such rankingsshould be taken with a grain of salt.General costsIn all cases listed above, including both commercial and non-commercial, "spamhappens" because of a positive Cost-benefit analysis result if the cost torecipients is excluded as an externality the spammer can avoid paying.Cost is the combination ofOverhead: The costs and overhead of electronic spamming include bandwidth,developing or acquiring an email/wiki/blog spam tool, taking over or acquiring ahost/zombie, etc.Transaction cost: The incremental cost of contacting each additional recipientonce a method of spamming is constructed, multiplied by the number ofrecipients. (see CAPTCHA as a method of increasing transaction costs)Risks: Chance and severity of legal and/or public reactions, including damages
27. and punitive damagesDamage: Impact on the community and/or communication channels beingspammed (see Newsgroup spam)Benefit is the total expected profit from spam, which may include anycombination of the commercial and non-commercial reasons listed above. It isnormally linear, based on the incremental benefit of reaching each additionalspam recipient, combined with the conversion rate. The conversion rate forbotnet-generated spam has recently been measured to be around one in12,000,000 for pharmaceutical spam and one in 200,000 for infection sites asused by the Storm botnet. They specifically say in the paper "After 26 days,and almost 350 million e-mail messages, only 28 sales resulted".Spam is prevalent on the Internet because the transaction cost of electroniccommunications is radically less than any alternate form of communication, faroutweighing the current potential losses, as seen by the amount of spamcurrently in existence. Spam continues to spread to new forms of electroniccommunication as the gain (number of potential recipients) increases to levelswhere the cost/benefit becomes positive. Spam has most recently evolved toinclude wikispam and blogspam as the levels of readership increase to levelswhere the overhead is no longer the dominating factor. According to the aboveanalysis, spam levels will continue to increase until the cost/benefit analysis isbalanced.In crimeSpam can be used to spread computer viruses, trojan horses or other malicioussoftware. The objective may be identity theft, or worse (e.g., advance fee fraud).Some spam attempts to capitalize on human greed whilst other attempts to usethe victims inexperience with computer technology to trick them (e.g., phishing).On May 31, 2007, one of the worlds most prolific spammers, Robert AlanSoloway, was arrested by U.S. authorities. Described as one of the top tenspammers in the world, Soloway was charged with 35 criminal counts, includingmail fraud, wire fraud, e-mail fraud, aggravated identity theft and moneylaundering. Prosecutors allege that Soloway used millions of "zombie"computers to distribute spam during 2003. This is the first casein which U.S. prosecutors used identity theft laws to prosecute a spammer fortaking over someone elses Internet domain name.Political issuesSpamming remains a hot discussion topic. In 2004, the seized Porsche of anindicted spammer was advertised on the Internet; this revealed the extent ofthe financial rewards available to those who are willing to commit duplicitous actsonline. However, some of the possible means used to stop spamming may leadto other side effects, such as increased government control over the Internet,loss of privacy, barriers to free expression, and the commercialization of e-mail.One of the chief values favored by many long-time Internet users and experts, aswell as by many members of the public, is the free exchange of ideas. Many
28. have valued the relative anarchy of the Internet, and bridle at the idea ofrestrictions placed upon it. A common refrain from spam-fightersis that spamming itself abridges the historical freedom of the Internet, byattempting to force users to carry the costs of material which they would notchoose.An ongoing concern expressed by parties such as the Electronic FrontierFoundation and the ACLU has to do with so-called "stealth blocking", a term forISPs employing aggressive spam blocking without their users knowledge. Thesegroups concern is that ISPs or technicians seeking to reduce spam-related costsmay select tools which (either through error or design) also block non-spam e-mail from sites seen as "spam-friendly". SPEWS is a common target of thesecriticisms. Few object to the existence of these tools; it is their use in filtering themail of users who are not informed of their use which draws fire.Some see spam-blocking tools as a threat to free expression—and laws againstspamming as an untoward precedent for regulation or taxation of e-mail and theInternet at large. Even though it is possible in some jurisdictions to treat somespam as unlawful merely by applying existing laws against trespass andconversion, some laws specifically targeting spam have been proposed. In 2004,United States passed the CAN-SPAM Act of 2003 which provided ISPs with toolsto combat spam. This act allowed Yahoo! to successfully sue Eric Head,reportedly one of the biggest spammers in the world, who settled the lawsuit forseveral thousand U.S. dollars in June 2004. But the law is criticized by many fornot being effective enough. Indeed, the law was supported by some spammersand organizations which support spamming, and opposed by many in the anti-spam community. Examples of effective anti-abuse laws that respect free speechrights include those in the U.S. against unsolicited faxes and phone calls, andthose in Australia and a few U.S. states against spam.In November 2004, Lycos Europe released a screen saver called make LOVEnot SPAM which made Distributed Denial of Service attacks on the spammersthemselves. It met with a large amount of controversy and the initiative ended inDecember 2004.While most countries either outlaw or at least ignore spam, Bulgaria is the firstand until now only one to partially legalize it. According to recent changes in theBulgarian E-Commerce act anyone can send spam to mailboxes, owned bycompany or organization, as long as there is warning that this may be unsolicitedcommercial email in the message body. The law contains many other inadequatetexts - for example the creation of a nationwide public electronic register of emailaddresses that do not want to receive spam, something valuable only as sourcefor e-mail address harvesting.Anti-spam policies may also be a form of disguised censorship, a way to banaccess or reference to questioning alternative forums or blogs by an institution.This form of occult censorship is mainly used by private companies when theycan not muzzle criticism by legal ways.Court casesSee also: E-mail spam legislation by country
29. United StatesSanford Wallace and Cyber Promotions were the target of a string of lawsuits,many of which were settled out of court, up through the famous 1998 Earthlinksettlementwhich put Cyber Promotions out of business. AttorneyLaurence Canter was disbarred by the Tennessee Supreme Court in 1997 forsending prodigious amounts of spam advertising his immigration law practice. In2005, Jason Smathers, a former America Online employee, pled guilty tocharges of violating the CAN-SPAM Act. In 2003, he sold a list of approximately93 million AOL subscriber e-mail addresses to Sean Dunaway who, in turn, soldthe list to spammers.In 2007, Robert Soloway lost a case in a federal court against the operator of asmall Oklahoma-based Internet service provider who accused him of spamming.U.S. Judge Ralph G. Thompson granted a motion by plaintiff Robert Braver for adefault judgment and permanent injunction against him. The judgment includes astatutory damages award of $10,075,000 under Oklahoma law.In June 2007, two men were convicted of eight counts stemming from sendingmillions of e-mail spam messages that included hardcore pornographic images.Jeffrey A. Kilbride, 41, of Venice, California was sentenced to six years in prison,and James R. Schaffer, 41, of Paradise Valley, Arizona, was sentenced to 63months. In addition, the two were fined $100,000, ordered to pay $77,500 inrestitution to AOL, and ordered to forfeit more than $1.1 million, the amount ofillegal proceeds from their spamming operation. The charges includedconspiracy, fraud, money laundering, and transportation of obscene materials.The trial, which began on June 5, was the first to include charges under the CAN-SPAM Act of 2003, according to a release from the Department of Justice. Thespecific law that prosecutors used under the CAN-Spam Act was designed tocrack down on the transmission of pornography in spam.In 2005, Scott J. Filary and Donald E. Townsend of Tampa, Florida were sued byFlorida Attorney General Charlie Crist for violating the Florida Electronic MailCommunications Act. The two spammers were required to pay $50,000 USDto cover the costs of investigation by the state of Florida, and a $1.1 millionpenalty if spamming were to continue, the $50,000 was not paid, or the financialstatements provided were found to be inaccurate. The spamming operation wassuccessfully shut down.Edna Fiedler, 44, of Olympia, Washington, on June 25, 2008, pleaded guilty in aTacoma court and was sentenced to 2 years imprisonment and 5 years ofsupervised release or probation in an Internet $1 million "Nigerian check scam."She conspired to commit bank, wire and mail fraud, against US citizens,specifically using Internet by having had an accomplice who shipped counterfeitchecks and money orders to her from Lagos, Nigeria, last November. Fiedlershipped out $ 609,000 fake check and money orders when arrested andprepared to send additional $ 1.1 million counterfeit materials. Also, the U.S.Postal Service recently intercepted counterfeit checks, lottery tickets and eBayoverpayment schemes with a face value of $2.1 billion.United KingdomIn the first successful case of its kind, Nigel Roberts from the Channel Islands
30. won £270 against Media Logistics UK who sent junk e-mails to his personalaccount.In January 2007, a Sheriff Court in Scotland awarded Mr. Gordon Dick £750 (thethen maximum sum which could be awarded in a Small Claim action) plusexpenses of £618.66, a total of £1368.66 against Transcom Internet ServicesLtd. for breaching anti-spam laws. Transcom had been legallyrepresented at earlier hearings but were not represented at the proof, so GordonDick got his decree by default. It is the largest amount awarded in compensationin the United Kingdom since Roberts -v- Media Logistics case in 2005 above, butit is not known if Mr Dick ever received anything. (An image of Media Logisticscheque is shown on Roberts website ) Both Roberts and Dick are well knownfigures in the British Internet industry for other things. Dick is currently InterimChairman of Nominet UK (the manager of .UK and .CO.UK) while Roberts isCEO of CHANNELISLES.NET (manager of .GG and .JE).Despite the statutory tort that is created by the Regulations implementing the ECDirective, few other people have followed their example. As the Courts engage inactive case management, such cases would probably now be expected to besettled by mediation and payment of nominal damages.New ZealandIn October 2008, a vast international internet spam operation run from NewZealand was cited by American authorities as one of the world’s largest, and fora time responsible for up to a third of all unwanted emails. In a statement the USFederal Trade Commission (FTC) named Christchurch’s Lance Atkinson as oneof the principals of the operation. New Zealand’s Internal Affairs announced ithad lodged a $200,000 claim in the High Court against Atkinson and his brotherShane Atkinson and courier Roland Smits, after raids in Christchurch. Thismarked the first prosecution since the Unsolicited Electronic Messages Act(UEMA) was passed in September 2007. The FTC said it had received morethan three million complaints about spam messages connected to this operation,and estimated that it may be responsible for sending billions of illegal spammessages. The US District Court froze the defendants’ assets to preserve themfor consumer redress pending trial. U.S. co-defendant Jody Smith forfeitedmore than $800,000 and faces up to five years in prison for charges to which heplead guilty.Newsgroupsnews.admin.net-abuse.emailSee also Internet portalAddress munging (avoidance technique)Advance fee fraud (Nigerian spam)Anti-spam techniquesBacn (electronic)E-mail fraudIdentity theft
31. Image spamInternet TrollJob scamsJunk mailList of spammersMalwareNetwork Abuse ClearinghousePhishingScamScad (scam ad)Social networking spamSORBSSpamSpam LitSpamCopSpamigationSPIT (SPam over Internet Telephony)SpoetrySporgeryVirus (computer)VishingHistoryHoward CarmackMake money fastSanford WallaceSpam KingUsenet Death PenaltyUUnetReferencesNotes^ The Spamhaus Project - The Definition Of Spam^ a b Gyongyi, Zoltan; Garcia-Molina, Hector (2005). "Web spam taxonomy".Proceedings of the First International Workshop on Adversarial InformationRetrieval on the Web (AIRWeb), 2005 in The 14th International World Wide WebConference (WWW 2005) May 10, (Tue)-14 (Sat), 2005, Nippon ConventionCenter (Makuhari Messe), Chiba, Japan.. New York, N.Y.: ACM Press. ISBN1-59593-046-9^ "?". maawg.org.^ FileOn List Builder-Extract URL,MetaTags,Email,Phone,Fax from www-Optimized Webcrawler^ Saul Hansell Social network launches worldwide spam campaign New YorkTimes, September 13, 2007^ The (Evil) Genius of Comment Spammers - Wired Magazine, March 2004^ Fabrício Benevenuto, Tiago Rodrigues, Virgílio Almeida, Jussara Almeida andMarcos Gonçalves. Detecting Spammers and Content Promoters in Online Video
32. Social Networks. In ACM SIGIR Conference, Boston, MA, USA, July 2009..^ See: Advance fee fraud^ SA cops, Interpol probe murder - News24.com, 2004-12-31^ Brasil assume a liderança do spam mundial em 2009, diz Cisco (Portuguese)^ "Getting the message, at last". The Economist. 2007-12-14.^ "RFC 2635 - DONx27T SPEW A Set of Guidelines for Mass UnsolicitedMailings and Postings (spam*):". Retrieved 2010-09-29.^ "The Origin of the word Spam:". Retrieved 2010-09-20.^ a b Origin of the term "spam" to mean net abuse^ The Origins of Spam in Star Trek chat rooms^ Spamming? (rec.games.mud) - Google Groups USENET archive, 1990-09-26^ a b At 30, Spam Going Nowhere Soon - Interviews with Gary Thuerk and JoelFurr^ Darren Waters (31 march 2008). "Spam blights e-mail 15 years on".news.bbc.co.uk. Retrieved 26 August 2010.^ "Oxford dictionary adds Net terms" on News.com^ Reaction to the DEC Spam of 1978^ a b c Tom Abate (May 3, 2008). "A very unhappy birthday to spam, age 30".San Francisco Chronicle.^ Danchev, Dancho. "Spammers go multilingual, use automatic translationservices." ZDNet. July 28, 2009. Retrieved on August 31, 2009.^ "?". spam.com., Official SPAM Website^ Hormel Foods v SpamArrest, Motion for Summary Judgment, RedactedVersion (PDF)^ Hormel Foods Corpn v Antilles Landscape Investments NV (2005) EWHC 13(Ch)[dead link]^ "Hormel Foods Corporation v. Spam Cube, Inc". United States Patent andTrademark Office. Retrieved 2008-02-12.^ Letter from Hormels Corporate Attorney Melanie J. Neumann to SpamCopsJulian Haight^ "Data protection: "Junk" e-mail costs internet users 10 billion a year worldwide -Commission study"^ California business and professions code^ Spam Cost Calculator: Calculate enterprise spam cost?^ Thank the Spammers - William R. James 2003-03-10^ Spamhaus "TOP 10 spam service ISPs"^ The 10 Worst ROKSO Spammers^ Kanich, C.; C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson and S.Savage (2008-10-28). "Spamalytics: An Empirical Analysis of Spam MarketingConversion" (PDF). Proceedings of Conference on Computer andCommunications Security (CCS). Alexandria, VA, USA. Retrieved 2008-11-05.^ a b Alleged Seattle Spammer arrested - CNET News.com^ timewarner.com^ See for instance the black list of the French wikipedia encyclopedia^ U.S. v Jason Smathers and Sean Dunaway, amended complaint, US DistrictCourt for the Southern District of New York (2003). Retrieved 7 March 2007, from
33. "?". thesmokinggun.com.^ Ex-AOL employee pleads guilty in spam case. (2005, February 4). CNN.Retrieved 7 March 2007, from "Ex-AOL employee pleads guilty in spam case".CNN.com. February 5, 2005. Retrieved 27 August 2010.^ Braver v. Newport Internet Marketing Corporation et al. -U.S. District Court -Western District of Oklahoma (Oklahoma City), 2005-02-22^ "Two Men Sentenced for Running International Pornographic SpammingBusiness". United States Department of Justice. October 12, 2007. Retrieved2007-10-25.^ Gaudin, Sharon, Two Men Convicted Of Spamming PornographyInformationWeek, June 26, 2007^ "Crist Announces First Case Under Florida Anti-Spam Law". Office of theFlorida Attorney General. Retrieved 2008-02-23.^ "Crist: Judgment Ends Duos Illegal Spam, Internet Operations". Office of theFlorida Attorney General. Retrieved 2008-02-23.^ "Woman gets prison for Nigerian scam". upi.com.^ "Woman Gets Two Years for Aiding Nigerian Internet Check Scam (PC World)".yahoo.com.[dead link]^ Businessman wins e-mail spam case - BBC News, 2005-12-27^ Gordon Dick v Transcom Internet Service Ltd.^ Article 13-Unsolicited communications^ website^ Kiwi spam network was worlds biggest^ Court Orders Australia-based Leader of International Spam Network to Pay$15.15 MillionSourcesSpecter, Michael (2007-08-06). "Damn Spam". The New Yorker. Retrieved2007-08-02.Further readingSjouwerman, Stu; Posluns, Jeffrey, "Inside the spam cartel: trade secrets fromthe dark side", Elsevier/Syngress; 1st edition, November 27, 2004. ISBN978-1-932266-86-3External links Wikimedia Commons has media related to: Electronic spamSpamtrackers SpamWiki: a peer-reviewed spam information and analysisresource.Federal Trade Commission page advising people to forward spam e-mail to themSlamming Spamming Resource on SpamWhy am I getting all this spam? CDTCybertelecom:: Federal spam law and policyReaction to the DEC Spam of 1978 Overview and text of the first known internetemail spam.Malware City - The Spam Omelette BitDefender’s weekly report on spam trendsand techniques.
34. 1 December 2009: arrest of a major spammerEatSpam.org - This website provides you with disposable e-mail addresseswhich expire after 15 Minutes. You can read and reply to e-mails that are sent tothe temporary e-mail address within the given time frame.Spam Analysis of 2010 and estimated Spam for 2011 - Article about SpamAnalysis of 2010 and estimated Spam for 2011[hide]v · d · eSpammingProtocolsE-mail spamAddress munging · Bulk email software · Directory Harvest Attack · Joe job ·DNSBL · DNSWL · Spambot · Pink contractOtherAutodialer/Robocall · Flyposting · Junk fax · Messaging · Mobile phone ·Newsgroup · Telemarketing · VoIPAnti-spamDisposable e-mail address · E-mail authentication · SORBS · SpamCop ·Spamhaus · List poisoning · Bayesian spam filtering · Network AbuseClearinghouseSpamdexingKeyword stuffing · Google bomb · Scraper site · Link farm · Cloaking · Doorwaypage · URL redirection · Spam blogs · Sping · Forum spam · Blog spam · Socialnetworking spam · Referrer spam · Parasite hostingInternet fraudAdvance-fee fraud · Lottery scam · Make Money Fast · Phishing · Vishing AdwareFrom Wikipedia, the free encyclopediaFor the Lavasoft anti-virus program, see Ad-Aware.This article needs additional citations for verification.Please help improve this article by adding reliable references. Unsourced material may bechallenged and removed. (August 2010)Adware, or advertising-supported software, is any software package which automatically plays,displays, or downloads advertisements to a computer. These advertisements can be in the formof a pop-up. The object of the Adware is to generate revenue for its author. Adware, by itself, isharmless; however, some adware may come with integrated spyware such as keyloggers andother privacy-invasive software.Contents [hide]1 Application1.1 Malware2 Prevention and detection
35. 3 Examples of adware4 Examples of advertising-delivery tools5 See also6 References7 Further reading8 External linksApplicationAdvertising functions are integrated into or bundled with the software, which is often designed tonote what Internet sites the user visits and to present advertising pertinent to the types of goodsor services featured there. Adware is usually seen by the developer as a way to recoverdevelopment costs, and in some cases it may allow the software to be provided to the user free ofcharge or at a reduced price. The income derived from presenting advertisements to the usermay allow or motivate the developer to continue to develop, maintain and upgrade the softwareproduct. Conversely, the advertisements may be seen by the user as interruptions orannoyances, or as distractions from the task at hand.Some adware is also shareware, and so the word may be used as term of distinction todifferentiate between types of shareware software. What differentiates adware from othershareware is that it is primarily advertising-supported. Users may also be given the option to payfor a "registered" or "licensed" copy to do away with the advertisements. The Eudora e-mail clientis an example of an adware "mode" in a program. After a trial period during which all programfeatures are available, the user is offered a choice: free of charge with limited functionality, amode with full functionality which displays advertisements for Eudora, or a paid mode thatenables all features and turns off the ads.MalwareSome adware can also be classified as spyware, a type of malware (malicious software) whichsteals information. For example BonziBUDDY, an application marketed as an "Intelligent softwareagent", corrupted many of the users system files, forcing the display of many obsceneadvertisements (composed mostly of infected Flash coding); these and the main applicationlogged browsing details and sent them to various third parties.Prevention and detectionPrograms have been developed to detect, quarantine, and remove spyware, including Ad-Aware,Malwarebytes Anti-Malware, Spyware Doctor and Spybot - Search & Destroy. In addition, almostall commercial antivirus software currently detect adware and spyware, or offer a separatespyware detection package.The reluctance to add adware and spyware detection to commercial antivirus products was fueledby a fear of lawsuits. Kaspersky, for example, was sued by Zango for blockingthe installation of their products. Zango software and components are almost universally detectedas adware nowadays.Examples of adware180SearchAssistantBonzi BuddyClipGenieComet CursorCydoorDollarRevenueErrorSafeGatorSecurity ToolVirusProtectProExamples of advertising-delivery toolsAsk.com ToolbarFlashGet
36. Mirar ToolbarMyWay SearchbarTribal FusionViewpoint Media PlayerWhenU SaveNowZango productsZwinkySee alsoComputer insecurityGreynetHosts fileTyphoid adwareReferences^ Aaron Schwabach (2005). Internet and the Law: Technology, Society, and Compromises. ABC-CLIO. pp. 10. ISBN 978-1-85109-731-9.^ Tulloch, Mitch (2003). Koch, Jeff; Haynes, Sandra. eds. Microsoft Encyclopedia of Security.Redmond, Washington: Microsoft Press. p. 16. ISBN 0-7356-1877-1. "Any software that installsitself on your system without your knowledge and displays advertisements when the userbrowses the Internet."^ "Adware". Adware Protection Information. McAfee, Inc. Retrieved 2010-08-18.^ "adware". Dictionary.coms 21st Century Lexicon. Dictionary.com, LLC. Retrieved 18 August2010. "a software application in which advertisements are displayed while the program is running,esp. in pop-up windows or banners, and which often is installed without the users knowledge orconsent; also called advertising-supported software"^ Honeycutt, Jerry (20 April 2004). "How to protect your computer from Spyware and Adware".Microsoft.com. Microsoft corporation. "Things are changing for the better, though. Most popularantivirus products now include adware and spyware scanning. For example, the latest versions ofMcAfee VirusScan, Norton AntiVirus 2004, and Trend Micro PC-Cillin 2004 now scan for someadware and spyware."Further readingHoneycutt, Jerry (20 April 2004). "How to protect your computer from Spyware and Adware".Microsoft.com. Microsoft corporation. Retrieved 18 August 2010.Hardmeier, Sandi (16 December 2004). "Adware and Bad Things it Does". Internet Explorercommunity. Microsoft corporation. Retrieved 18 August 2010.External linksAdware and Spyware at the Open Directory ProjectAnti-Spyware Coalition[hide]v · d · eSoftware distributionMethodsAbandonware · Adware · Bundled · Beerware · Commercial · Donationware · Freelyredistributable software · Free software · Freeware · Nagware · Open source · Pre-installed ·Postcardware · Proprietary · Public domain · Scareware · SharewareRelated topicsProduct Activation · Shovelware · Software bloat Malware
37. From Wikipedia, the free encyclopediaBeast, a Windows-based backdoor Trojan horseMalware, short for malicious software, (sometimes referred to as pestware) isa software designed to harm or secretly access a computer system without theowners informed consent. The expression is a general term used by computerprofessionals to mean a variety of forms of hostile, intrusive, or annoyingsoftware or program code.Software is considered to be malware based on the perceived intent of thecreator rather than any particular features. Malware includes computer viruses,worms, trojan horses, spyware, dishonest adware, scareware, crimeware, mostrootkits, and other malicious and unwanted software or program. In law, malwareis sometimes known as a computer contaminant, for instance in the legal codesof several U.S. states, including California and West Virginia.Preliminary results from Symantec published in 2008 suggested that "the releaserate of malicious code and other unwanted programs may be exceeding that oflegitimate software applications." According to F-Secure, "As much malware[was] produced in 2007 as in the previous 20 years altogether." Malwaresmost common pathway from criminals to users is through the Internet: primarilyby e-mail and the World Wide Web.The prevalence of malware as a vehicle for organized Internet crime, along withthe general inability of traditional anti-malware protection platforms (products) toprotect against the continuous stream of unique and newly produced malware,has seen the adoption of a new mindset for businesses operating on the Internet:the acknowledgment that some sizable percentage of Internet customers willalways be infected for some reason or another, and that they need to continuedoing business with infected customers. The result is a greater emphasis onback-office systems designed to spot fraudulent activities associated withadvanced malware operating on customers computers.On March 29, 2010, Symantec Corporation named Shaoxing, China, as theworlds malware capital.Malware is not the same as defective software, that is, software that has alegitimate purpose but contains harmful bugs. Sometimes, malware is disguisedas genuine software, and may come from an official site. Therefore, somesecurity programs, such as McAfee may call malware "potentially unwantedprograms" or "PUP". Though a computer virus is malware that can reproduceitself, the term is often used erroneously to refer to the entire category.Contents [hide]1 Purposes2 Infectious malware: viruses and worms2.1 Capsule history of viruses and worms3 Concealment: Trojan horses, rootkits, and backdoors3.1 Trojan horses
38. 3.2 Rootkits3.3 Backdoors4 Malware for profit: spyware, botnets, keystroke loggers, and dialers5 Data-stealing malware5.1 Characteristics of data-stealing malware5.2 Examples of data-stealing malware5.3 Data-stealing malware incidents6 Controversy about assignment to spyware7 Vulnerability to malware7.1 Eliminating over-privileged code8 Anti-malware programs9 Academic research on malware: a brief overview10 Grayware11 Web and spam11.1 Wikis and blogs11.2 Targeted SMTP threats11.3 HTTP and FTP12 See also13 References14 External linksPurposesMany early infectious programs, including the first Internet Worm and a numberof MS-DOS viruses, were written as experiments or pranks. They were generallyintended to be harmless or merely annoying, rather than to cause seriousdamage to computer systems. In some cases, the perpetrator did not realize howmuch harm his or her creations would do. Young programmers learning aboutviruses and their techniques wrote them simply for practice, or to see how farthey could spread. As late as 1999, widespread viruses such as the Melissa virusand the David virus appear to have been written chiefly as pranks. The firstmobile phone virus, Cabir, appeared in 2004.Hostile intent related to vandalism can be found in programs designed to causeharm or data loss. Many DOS viruses, and the Windows ExploreZip worm, weredesigned to destroy files on a hard disk, or to corrupt the file system by writinginvalid data to them. Network-borne worms such as the 2001 Code Red worm orthe Ramen worm fall into the same category. Designed to vandalize web pages,worms may seem like the online equivalent to graffiti tagging, with the authorsalias or affinity group appearing everywhere the worm goes.Since the rise of widespread broadband Internet access, malicious software hasbeen designed for a profit, for examples forced advertising. For instance, since2003, the majority of widespread viruses and worms have been designed to takecontrol of users computers for black-market exploitation. Infected "zombiecomputers" are used to send email spam, to host contraband data such as childpornography , or to engage in distributed denial-of-service attacks as a formof extortion.Another strictly for-profit category of malware has emerged in spyware --
39. programs designed to monitor users web browsing, display unsolicitedadvertisements, or redirect affiliate marketing revenues to the spyware creator.Spyware programs do not spread like viruses; they are, in general, installed byexploiting security holes or are packaged with user-installed software, such aspeer-to-peer applications.Infectious malware: viruses and wormsMain articles: Computer virus and Computer wormThe best-known types of malware, viruses and worms, are known for the mannerin which they spread, rather than any other particular behavior. The termcomputer virus is used for a program that has infected some executable softwareand, when run, causes the virus to spread to other executables. Viruses mayalso contain a payload that performs other actions, often malicious. On the otherhand, a worm is a program that actively transmits itself over a network to infectother computers. It too may carry a payload.These definitions lead to the observation that a virus requires user intervention tospread, whereas a worm spreads itself automatically. Using this distinction,infections transmitted by email or Microsoft Word documents, which rely on therecipient opening a file or email to infect the system, would be classified asviruses rather than worms.Some writers in the trade and popular press misunderstand this distinction anduse the terms interchangeably.Capsule history of viruses and wormsBefore Internet access became widespread, viruses spread on personalcomputers by infecting the executable boot sectors of floppy disks. By inserting acopy of itself into the machine code instructions in these executables, a viruscauses itself to be run whenever a program is run or the disk is booted. Earlycomputer viruses were written for the Apple II and Macintosh, but they becamemore widespread with the dominance of the IBM PC and MS-DOS system.Executable-infecting viruses are dependent on users exchanging software orboot-able floppies, so they spread rapidly in computer hobbyist circles.The first worms, network-borne infectious programs, originated not on personalcomputers, but on multitasking Unix systems. The first well-known worm was theInternet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike avirus, this worm did not insert itself into other programs. Instead, it exploitedsecurity holes (vulnerabilities) in network server programs and started itselfrunning as a separate process. This same behaviour is used by todays wormsas well.With the rise of the Microsoft Windows platform in the 1990s, and the flexiblemacros of its applications, it became possible to write infectious code in themacro language of Microsoft Word and similar programs. These macro virusesinfect documents and templates rather than applications (executables), but relyon the fact that macros in a Word document are a form of executable code.Today, worms are most commonly written for the Windows OS, although a fewlike Mare-D and the Lion worm are also written for Linux and Unixsystems. Worms today work in the same basic way as 1988s Internet Worm:
40. they scan the network and leverage vulnerable computers to replicate. Becausethey need no human intervention, worms can spread with incredible speed. TheSQL Slammer infected thousands of computers in a few minutes.Concealment: Trojan horses, rootkits, and backdoorsMain articles: Trojan horse (computing), Rootkit, and Backdoor (computing)Trojan horsesFor a malicious program to accomplish its goals, it must be able to run withoutbeing shut down, or deleted by the user or administrator of the computer systemon which it is running. Concealment can also help get the malware installed inthe first place. When a malicious program is disguised as something innocuousor desirable, users may be tempted to install it without knowing what it does. Thisis the technique of the Trojan horse or trojan.In broad terms, a Trojan horse is any program that invites the user to run it,concealing a harmful or malicious payload. The payload may take effectimmediately and can lead to many undesirable effects, such as deleting theusers files or further installing malicious or undesirable software. Trojan horsesknown as droppers are used to start off a worm outbreak, by injecting the worminto users local networks.One of the most common ways that spyware is distributed is as a Trojan horse,bundled with a piece of desirable software that the user downloads from theInternet. When the user installs the software, the spyware is installed alongside.Spyware authors who attempt to act in a legal fashion may include an end-userlicense agreement that states the behavior of the spyware in loose terms, whichthe users are unlikely to read or understand.RootkitsOnce a malicious program is installed on a system, it is essential that it staysconcealed, to avoid detection and disinfection. The same is true when a humanattacker breaks into a computer directly. Techniques known as rootkits allow thisconcealment, by modifying the hosts operating system so that the malware ishidden from the user. Rootkits can prevent a malicious process from being visiblein the systems list of processes, or keep its files from being read. Originally, arootkit was a set of tools installed by a human attacker on a Unix system,allowing the attacker to gain administrator (root) access. Today, the term is usedmore generally for concealment routines in a malicious program.Some malicious programs contain routines to defend against removal, not merelyto hide themselves, but to repel attempts to remove them. An early example ofthis behavior is recorded in the Jargon File tale of a pair of programs infesting aXerox CP-V time sharing system:Each ghost-job would detect the fact that the other had been killed, and wouldstart a new copy of the recently slain program within a few milliseconds. The onlyway to kill both ghosts was to kill them simultaneously (very difficult) or todeliberately crash the system.Similar techniques are used by some modern malware, wherein the malwarestarts a number of processes that monitor and restore one another as needed. Inthe event a user running Microsoft Windows is infected with such malware, if they
41. wish to manually stop it, they could use Task Managers processes tab to findthe main process (the one that spawned the "resurrector process(es)"), and usethe end process tree function, which would kill not only the main process, butthe "resurrector(s)" as well, since they were started by the main process. Somemalware programs use other techniques, such as naming the infected file similarto a legitimate or trustworthy file (expl0rer.exe VS explorer.exe).BackdoorsA backdoor is a method of bypassing normal authentication procedures. Once asystem has been compromised (by one of the above methods, or in some otherway), one or more backdoors may be installed in order to allow easier access inthe future. Backdoors may also be installed prior to malicious software, to allowattackers entry.The idea has often been suggested that computer manufacturers preinstallbackdoors on their systems to provide technical support for customers, but thishas never been reliably verified. Crackers typically use backdoors to secureremote access to a computer, while attempting to remain hidden from casualinspection. To install backdoors crackers may use Trojan horses, worms, or othermethods.Malware for profit: spyware, botnets, keystroke loggers, and dialersMain articles: Spyware, Botnet, Keystroke logging, Web threats, and DialerDuring the 1980s and 1990s, it was usually taken for granted that maliciousprograms were created as a form of vandalism or prank. More recently, thegreater share of malware programs have been written with a profit motive(financial or otherwise) in mind. This can be taken as the malware authorschoice to monetize their control over infected systems: to turn that control into asource of revenue.Spyware programs are commercially produced for the purpose of gatheringinformation about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance,some spyware programs redirect search engine results to paid advertisements.Others, often called "stealware" by the media, overwrite affiliate marketing codesso that revenue is redirected to the spyware creator rather than the intendedrecipient.Spyware programs are sometimes installed as Trojan horses of one sort oranother. They differ in that their creators present themselves openly asbusinesses, for instance by selling advertising space on the pop-ups created bythe malware. Most such programs present the user with an end-user licenseagreement that purportedly protects the creator from prosecution under computercontaminant laws. However, spyware EULAs have not yet been upheld in court.Another way that financially motivated malware creators can profit from theirinfections is to directly use the infected computers to do work for the creator. Theinfected computers are used as proxies to send out spam messages. A computerleft in this state is often known as a zombie computer. The advantage tospammers of using infected computers is they provide anonymity, protecting thespammer from prosecution. Spammers have also used infected PCs to target
42. anti-spam organizations with distributed denial-of-service attacks.In order to coordinate the activity of many infected computers, attackers haveused coordinating systems known as botnets. In a botnet, the malware or malbotlogs in to an Internet Relay Chat channel or other chat system. The attacker canthen give instructions to all the infected systems simultaneously. Botnets canalso be used to push upgraded malware to the infected systems, keeping themresistant to antivirus software or other security measures.It is possible for a malware creator to profit by stealing sensitive information froma victim. Some malware programs install a key logger, which intercepts the userskeystrokes when entering a password, credit card number, or other informationthat may be exploited. This is then transmitted to the malware creatorautomatically, enabling credit card fraud and other theft. Similarly, malware maycopy the CD key or password for online games, allowing the creator to stealaccounts or virtual items.Another way of stealing money from the infected PC owner is to take control of adial-up modem and dial an expensive toll call. Dialer (or porn dialer) softwaredials up a premium-rate telephone number such as a U.S. "900 number" andleave the line open, charging the toll to the infected user.Data-stealing malwareData-stealing malware is a web threat that divests victims of personal andproprietary information with the intent of monetizing stolen data through directuse or underground distribution. Content security threats that fall under thisumbrella include keyloggers, screen scrapers, spyware, adware, backdoors, andbots. The term does not refer to activities such as spam, phishing, DNSpoisoning, SEO abuse, etc. However, when these threats result in file downloador direct installation, as most hybrid attacks do, files that act as agents to proxyinformation will fall into the data-stealing malware category.Characteristics of data-stealing malwareDoes not leave traces of the eventThe malware is typically stored in a cache that is routinely flushedThe malware may be installed via a drive-by-download processThe website hosting the malware as well as the malware is generally temporaryor rogueFrequently changes and extends its functionsIt is difficult for antivirus software to detect final payload attributes due to thecombination(s) of malware componentsThe malware uses multiple file encryption levelsThwarts Intrusion Detection Systems (IDS) after successful installationThere are no perceivable network anomaliesThe malware hides in web trafficThe malware is stealthier in terms of traffic and resource useThwarts disk encryptionData is stolen during decryption and displayThe malware can record keystrokes, passwords, and screenshotsThwarts Data Loss Prevention (DLP)
43. Leakage protection hinges on metadata tagging, not everything is taggedMiscreants can use encryption to port dataExamples of data-stealing malwareBancos, an info stealer that waits for the user to access banking websites thenspoofs pages of the bank website to steal sensitive information.Gator, spyware that covertly monitors web-surfing habits, uploads data to aserver for analysis then serves targeted pop-up ads.LegMir, spyware that steals personal information such as account names andpasswords related to online games.Qhost, a Trojan that modifies the Hosts file to point to a different DNS serverwhen banking sites are accessed then opens a spoofed login page to steal logincredentials for those financial institutions.Data-stealing malware incidentsAlbert Gonzalez (not to be confused with the U.S. Attorney General AlbertoGonzalez) is accused of masterminding a ring to use malware to steal and sellmore than 170 million credit card numbers in 2006 and 2007—the largestcomputer fraud in history. Among the firms targeted were BJs Wholesale Club,TJX, DSW Shoe, OfficeMax, Barnes & Noble, Boston Market, Sports Authorityand Forever 21.A Trojan horse program stole more than 1.6 million records belonging to severalhundred thousand people from Monster Worldwide Inc’s job search service. Thedata was used by cybercriminals to craft phishing emails targeted atMonster.com users to plant additional malware on users’ PCs.Customers of Hannaford Bros. Co, a supermarket chain based in Maine, werevictims of a data security breach involving the potential compromise of 4.2 milliondebit and credit cards. The company was hit by several class-action law suits.The Torpig Trojan has compromised and stolen login credentials fromapproximately 250,000 online bank accounts as well as a similar number of creditand debit cards. Other information such as email, and FTP accounts fromnumerous websites, have also been compromised and stolen.Controversy about assignment to spywareThere is a group of software (Alexa toolbar, Google toolbar, Eclipse data usagecollector, etc) that send data to a central server about which pages have beenvisited or which features of the software have been used. However differentlyfrom "classic" malware these tools document activities and only send data withthe users approval. The user may opt in to share the data in exchange to theadditional features and services, or (in case of Eclipse) as the form of voluntarysupport for the project. Some security tools report such loggers as malware whileothers do not. The status of the group is questionable. Some tools likePDFCreator are more on the boundary than others because opting out has beenmade more complex than it could be (during the installation, the user needs touncheck two check boxes rather than one). However also PDFCreator is onlysometimes mentioned as malware and is still subject of discussions.Vulnerability to malware
44. Main article: Vulnerability (computing)In this context, as throughout, it should be borne in mind that the “system” underattack may be of various types, e.g. a single computer and operating system, anetwork or an application.Various factors make a system more vulnerable to malware:Homogeneity: e.g. when all computers in a network run the same OS, uponexploiting one, one can exploit them all.Weight of numbers: simply because the vast majority of existing malware iswritten to attack Windows systems, then Windows systems, ipso facto, are morevulnerable to succumbing to malware (regardless of the security strengths orweaknesses of Windows itself).Defects: malware leveraging defects in the OS design.Unconfirmed code: code from a floppy disk, CD-ROM or USB device may beexecuted without the user’s agreement.Over-privileged users: some systems allow all users to modify their internalstructures.Over-privileged code: some systems allow code executed by a user to access allrights of that user.An oft-cited cause of vulnerability of networks is homogeneity or softwaremonoculture. For example, Microsoft Windows or Apple Mac have such alarge share of the market that concentrating on either could enable a cracker tosubvert a large number of systems, but any total monoculture is a problem.Instead, introducing inhomogeneity (diversity), purely for the sake of robustness,could increase short-term costs for training and maintenance. However, having afew diverse nodes would deter total shutdown of the network, and allow thosenodes to help with recovery of the infected nodes. Such separate, functionalredundancy would avoid the cost of a total shutdown, would avoid homogeneityas the problem of "all eggs in one basket".Most systems contain bugs, or loopholes, which may be exploited by malware. Atypical example is the buffer-overrun weakness, in which an interface designed tostore data, in a small area of memory, allows the caller to supply more data thanwill fit. This extra data then overwrites the interfaces own executable structure(past the end of the buffer and other data). In this manner, malware can force thesystem to execute malicious code, by replacing legitimate code with its ownpayload of instructions (or data values) copied into live memory, outside thebuffer area.Originally, PCs had to be booted from floppy disks, and until recently it wascommon for this to be the default boot device. This meant that a corrupt floppydisk could subvert the computer during booting, and the same applies to CDs.Although that is now less common, it is still possible to forget that one haschanged the default, and rare that a BIOS makes one confirm a boot fromremovable media.In some systems, non-administrator users are over-privileged by design, in thesense that they are allowed to modify internal structures of the system. In someenvironments, users are over-privileged because they have been inappropriately
45. granted administrator or equivalent status. This is primarily a configurationdecision, but on Microsoft Windows systems the default configuration is to over-privilege the user. This situation exists due to decisions made by Microsoft toprioritize compatibility with older systems above security configuration in newersystems and because typical applications were developedwithout the under-privileged users in mind. As privilege escalation exploits haveincreased this priority is shifting for the release of Microsoft Windows Vista. As aresult, many existing applications that require excess privilege (over-privilegedcode) may have compatibility problems with Vista. However, Vistas UserAccount Control feature attempts to remedy applications not designed for under-privileged users, acting as a crutch to resolve the privileged access probleminherent in legacy applications.Malware, running as over-privileged code, can use this privilege to subvert thesystem. Almost all currently popular operating systems, and also many scriptingapplications allow code too many privileges, usually in the sense that when auser executes code, the system allows that code all rights of that user. Thismakes users vulnerable to malware in the form of e-mail attachments, which mayor may not be disguised.Given this state of affairs, users are warned only to open attachments they trust,and to be wary of code received from untrusted sources. It is also common foroperating systems to be designed so that device drivers need escalatedprivileges, while they are supplied by more and more hardware manufacturers.Eliminating over-privileged codeOver-privileged code dates from the time when most programs were eitherdelivered with a computer or written in-house, and repairing it would at a strokerender most antivirus software almost redundant. It would, however, haveappreciable consequences for the user interface and system management.The system would have to maintain privilege profiles, and know which to applyfor each user and program. In the case of newly installed software, anadministrator would need to set up default profiles for the new code.Eliminating vulnerability to rogue device drivers is probably harder than forarbitrary rogue executables. Two techniques, used in VMS, that can help arememory mapping only the registers of the device in question and a systeminterface associating the driver with interrupts from the device.Other approaches are:Various forms of virtualization, allowing the code unlimited access only to virtualresourcesVarious forms of sandbox or jailThe security functions of Java, in java.securitySuch approaches, however, if not fully integrated with the operating system,would reduplicate effort and not be universally applied, both of which would bedetrimental to security.Anti-malware programsMain article: Antivirus softwareAs malware attacks become more frequent, attention has begun to shift from
46. viruses and spyware protection, to malware protection, and programs have beendeveloped to specifically combat them.Anti-malware programs can combat malware in two ways:They can provide real time protection against the installation of malware softwareon a computer. This type of spyware protection works the same way as that ofantivirus protection in that the anti-malware software scans all incoming networkdata for malware software and blocks any threats it comes across.Anti-malware software programs can be used solely for detection and removal ofmalware software that has already been installed onto a computer. This type ofmalware protection is normally much easier to use and more popular.[citationneeded] This type of anti-malware software scans the contents of the Windowsregistry, operating system files, and installed programs on a computer and willprovide a list of any threats found, allowing the user to choose which files todelete or keep, or to compare this list to a list of known malware components,removing files that match.Real-time protection from malware works identically to real-time antivirusprotection: the software scans disk files at download time, and blocks the activityof components known to represent malware. In some cases, it may also interceptattempts to install start-up items or to modify browser settings. Because manymalware components are installed as a result of browser exploits or user error,using security software (some of which are anti-malware, though many are not)to "sandbox" browsers (essentially babysit the user and their browser) can alsobe effective in helping to restrict any damage done.Academic research on malware: a brief overviewThe notion of a self-reproducing computer program can be traced back to whenpresented lectures that encompassed the theory and organization of complicatedautomata. Neumann showed that in theory a program could reproduce itself.This constituted a plausibility result in computability theory. Fred Cohenexperimented with computer viruses and confirmed Neumanns postulate. Healso investigated other properties of malware (detectability, self-obfuscatingprograms that used rudimentary encryption that he called "evolutionary", and soon). His 1988 doctoral dissertation was on the subject of computer viruses.Cohens faculty advisor, Leonard Adleman (the A in RSA) presented a rigorousproof that, in the general case, algorithmically determining whether a virus is or isnot present is Turing undecidable. This problem must not be mistaken for thatof determining, within a broad class of programs, that a virus is not present; thisproblem differs in that it does not require the ability to recognize all viruses.Adlemans proof is perhaps the deepest result in malware computability theory todate and it relies on Cantors diagonal argument as well as the halting problem.Ironically, it was later shown by Young and Yung that Adlemans work incryptography is ideal in constructing a virus that is highly resistant to reverse-engineering by presenting the notion of a cryptovirus. A cryptovirus is a virusthat contains and uses a public key and randomly generated symmetric cipherinitialization vector (IV) and session key (SK). In the cryptoviral extortion attack,the virus hybrid encrypts plaintext data on the victims machine using the
47. randomly generated IV and SK. The IV+SK are then encrypted using the viruswriters public key. In theory the victim must negotiate with the virus writer to getthe IV+SK back in order to decrypt the ciphertext (assuming there are nobackups). Analysis of the virus reveals the public key, not the IV and SK neededfor decryption, or the private key needed to recover the IV and SK. This resultwas the first to show that computational complexity theory can be used to devisemalware that is robust against reverse-engineering.Another growing area of computer virus research is to mathematically model theinfection behavior of worms using models such as Lotka–Volterra equations,which has been applied in the study of biological virus. Various virus propagationscenarios have been studied by researchers such as propagation of computervirus, fighting virus with virus like predator codes, effectiveness ofpatching etc.GraywareGrayware (or Greynet) is a general term sometimes used as a classificationfor applications that behave in a manner that is annoying or undesirable, and yetless serious or troublesome than malware. Grayware encompasses spyware,adware, dialers, joke programs, remote access tools, and any other unwelcomefiles and programs apart from viruses that are designed to harm the performanceof computers on your network. The term has been in use since at least as earlyas September 2004.Grayware refers to applications or files that are not classified as viruses or trojanhorse programs, but can still negatively affect the performance of the computerson your network and introduce significant security risks to your organization.Often grayware performs a variety of undesired actions such as irritating userswith pop-up windows, tracking user habits and unnecessarily exposing computervulnerabilities to attack.Spyware is software that installs components on a computer for the purpose ofrecording Web surfing habits (primarily for marketing purposes). Spyware sendsthis information to its author or to other interested parties when the computer isonline. Spyware often downloads with items identified as free downloads anddoes not notify the user of its existence or ask for permission to install thecomponents. The information spyware components gather can include userkeystrokes, which means that private information such as login names,passwords, and credit card numbers are vulnerable to theft.Adware is software that displays advertising banners on Web browsers such asInternet Explorer and Mozilla Firefox. While not categorized as malware, manyusers consider adware invasive. Adware programs often create unwanted effectson a system, such as annoying popup ads and the general degradation in eithernetwork connection or system performance. Adware programs are typicallyinstalled as separate programs that are bundled with certain free software. Manyusers inadvertently agree to installing adware by accepting the End User LicenseAgreement (EULA) on the free software. Adware are also often installed intandem with spyware programs. Both programs feed off each othersfunctionalities: spyware programs profile users Internet behavior, while adware
49. White-collar crimeReferences^ http://www.intranetjournal.com/articles/200309/ij_09_12_03a.html^ "Defining Malware: FAQ". technet.microsoft.com. Retrieved 2009-09-10.^ National Conference of State Legislatures Virus/Contaminant/DestructiveTransmission Statutes by State^ "§18.2-152.4:1 Penalty for Computer Contamination" (PDF). Joint Commissionon Technology and Science. Retrieved 2010-09-17.^ "Symantec Internet Security Threat Report: Trends for July-December 2007(Executive Summary)" (PDF). Symantec Corp.. April 2008. p. 29. Retrieved2008-05-11.^ F-Secure Corporation (December 4, 2007). "F-Secure Reports Amount ofMalware Grew by 100% during 2007". Press release. Retrieved 2007-12-11.^ "F-Secure Quarterly Security Wrap-up for the first quarter of 2008". F-Secure.March 31, 2008. Retrieved 2008-04-25.^ "Continuing Business with Malware Infected Customers". Gunter Ollmann.October 2008.^ "Symantec names Shaoxing, China as worlds malware capital". Engadget.Retrieved 2010-04-15.^ "Malware Revolution: A Change in Target". March 2007.^ "Child Porn: Malwares Ultimate Evil". November 2009.^ PC World - Zombie PCs: Silent, Growing Threat.^ Nick Farrell (20 February 2006). "Linux worm targets PHP flaw". The Register.Retrieved 19 May 2010.^ John Leyden (March 28, 2001). "Highly destructive Linux worm mutating". TheRegister. Retrieved 19 May 2010.^ "Aggressive net bug makes history". BBC News. February 3, 2003. Retrieved19 May 2010.^ "Catb.org". Catb.org. Retrieved 2010-04-15.^ "Gonzalez, Albert — Indictment 080508". US Department of Justice PressOffice. pp. 01–18. Retrieved 2010-.^ Keizer, Gregg (2007) Monster.com data theft may be bigger^ Vijayan, Jaikumar (2008) Hannaford hit by class-action lawsuits in wake of databreach disclosure^ BBC News: Trojan virus steals banking info^ "LNCS 3786 - Key Factors Influencing Worm Infection", U. Kanlayasiri, 2006,web (PDF): SL40-PDF.^ John von Neumann, "Theory of Self-Reproducing Automata", Part 1:Transcripts of lectures given at the University of Illinois, December 1949, Editor:A. W. Burks, University of Illinois, USA, 1966.^ Fred Cohen, "Computer Viruses", PhD Thesis, University of SouthernCalifornia, ASP Press, 1988.^ L. M. Adleman, "An Abstract Theory of Computer Viruses", Advances inCryptology---Crypto 88, LNCS 403, pp. 354-374, 1988.^ A. Young, M. Yung, "Cryptovirology: Extortion-Based Security Threats and
50. Countermeasures," IEEE Symposium on Security & Privacy, pp. 129-141, 1996.^ H. Toyoizumi, A. Kara. Predators: Good Will Mobile Codes Combat againstComputer Viruses. Proc. of the 2002 New Security Paradigms Workshop, 2002^ Zakiya M. Tamimi, Javed I. Khan, Model-Based Analysis of Two FightingWorms, IEEE/IIU Proc. of ICCCE 06, Kuala Lumpur, Malaysia, May 2006, Vol-I,p. 157-163.^ "Other meanings". Archived from the original on June 30, 2007. Retrieved2007-01-20. The term "grayware" is also used to describe a kind of NativeAmerican pottery and has also been used by some working in computertechnology as slang for the human brain. "grayware definition". TechWeb.com.Retrieved 2007-01-02.^ "Greyware". What is greyware? - A word definition from the WebopediaComputer Dictionary. Retrieved 2006-06-05.^ Antony Savvas. "The network clampdown". Computer Weekly. Retrieved2007-01-20.^ "Fortinet WhitePaper Protecting networks against spyware, adware and otherforms of grayware" (PDF). Retrieved 2007-01-20.^ Zittrain, Jonathan (Mike Deehan, producer). (2008-04-17). Berkman BookRelease: The Future of the Internet — And How to Stop It. [video/audio].Cambridge, MA, USA: Berkman Center, The President and Fellows of HarvardCollege. Retrieved 2008-04-21.^ "Google searches webs dark side". BBC News. May 11, 2007. Retrieved2008-04-26.^ Sharon Khare. "Wikipedia Hijacked to Spread Malware". India: Tech2.com.Retrieved 2010-04-15.^ "Continuing attacks at Network Solutions? | Sucuri". Blog.sucuri.net.2010-05-07. Retrieved 2010-11-14.^ "Attacks against Wordpress". Sucuri Security. May 11, 2010. Retrieved2010-04-26.^ "Protecting Corporate Assets from E-mail Crimeware," Avinti, Inc., p.1[deadlink]^ F-Secure (March 31, 2008). "F-Secure Quarterly Security Wrap-up for the firstquarter of 2008". Press release. Retrieved 2008-03-31.External links Look up malware in Wiktionary, the free dictionary.Malware Wiki, an external wikiMalicious Software at the Open Directory ProjectMalicious Programs Hit New High -retrieved February 8, 2008Malware Block ListOpen Security Foundation Data Loss DatabaseInternet Crime Complaint CenterUS Department of Homeland Security Identity Theft Technology Council report"The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond"Video: Mark Russinovich - Advanced Malware CleaningMalCon, International Malware Conference (convention), focused specifically on
51. Malware development, research and containment.[hide]v · d · eMalwareInfectious malwareComputer virus · Macro virus · List of computer viruses · Computer worm · List ofcomputer worms · Timeline of notable computer viruses and wormsConcealmentTrojan horse · Rootkit · BackdoorMalware for profitPrivacy-invasive software · Spyware · Botnet · Keystroke logging · Web threats ·Fraudulent dialer · MalbotBy operating systemLinux malware · Palm OS viruses · Mobile virusProtectionAntivirus software · Defensive computing · Firewall · Intrusion detection system ·Data loss prevention softwareLaw enforcementComputer surveillance · Operation: Bot RoastCategories: Malware