The document discusses computer viruses: their types, characteristics and means of propagation. It explains boot viruses, file viruses, macro viruses, script viruses, Java/ActiveX viruses and worms. It also covers hoaxes, spam and virus statistics. Finally, it discusses the entry points for viruses and the importance of using up-to-date antivirus software to protect against these threats.
Subject: Informática. Instructor: Ing. Carlos J. Archondo O.
Solution: Antivirus
5.1 Security Concerns
[Chart: security concerns in 2001 vs 2002, percentage of respondents (0-70). Categories: Computer viruses, Unauthorized network entry, Information loss, Data/system integrity loss, Denial of service, Trojan horse, Manipulation of software..., Fraud, Theft of data, trade secrets, Trafficking in illegal mate..., Manipulation of system ..., Revenue loss, None, Unknown, Other. Source: July 2003 InformationWeek Global Information Security Survey of 2,700 security professionals]
Viruses cause more damage than all the other security problems combined.
5.4 Progressive Growth of Infections
[Chart: boot viruses, macro viruses, Internet/e-mail viruses. Source: Trend Micro]
5.5 How Viruses Arrive
[Chart. Source: ICSA 1999 Virus Survey]
5.6 Infection Problems
[Chart. Source: ICSA 1999 Virus Survey]
5.7 Boot Viruses
[Diagram: an infected diskette infects the hard disk, which then infects every diskette inserted. Label: Boot Record Virus]
5.7.2 Effect: fake damaged cluster
5.7.3 Effect: reduced memory
[Diagram: conventional memory from 0 to 640 KB with a VIRUS block occupying part of it] A memory-resident virus causes the available conventional memory to shrink.
5.7.4 Effect: disk write failures
5.8 DOS/Windows Viruses
[Diagram: HOST and VIRUS, with labels "Jump to virus" and "Orig. Header"] The virus copies itself to the end of the file. It then reads the original header value and saves it in the portion occupied by the virus. Finally it modifies the original header so that execution jumps to the virus body when the newly infected file is run.
5.8.2 Win32 Executable File Viruses
[Diagram: Host Program with Header and Table; the virus code attaches as a new Virus Section and the virus modifies the Header and Table, producing the INFECTED FILE]
5.9.2 Excel Macro Viruses
When an infected file is opened, it creates a new file in the folder Microsoft Office\Office\XLStart. Each time Excel starts, the virus is then available to infect every other workbook that is used.
[Diagram: XLStart directory, startup files, Excel sheet with Excel macros]
5.9.2.1 Characteristics
[Diagram: more than one entry; normal file vs infected file]
5.9.3 Infection Examples: Melissa
5.10 Script Viruses
A message or a web page carries a malicious script. This malicious code uses the Scripting Host features of browsers and e-mail clients, which lets it spread automatically to other users or web pages.
5.10.1 Characteristics
The malicious code is placed in the script section of the HTML file.
5.10.2 Script Example
[Screenshot] This mail contains a script, as indicated by this icon.
5.11 Java/ActiveX Viruses
5.11.2 Windows Security Configuration
Setting browser security to the highest level offers good protection against this kind of threat: Tools -> Internet Options -> Security tab.
5.12 Worms
A worm is a program that can distribute itself automatically to other systems. [Diagram: Windows XP, Windows 2003 Server]
5.13 Hacking and Backdoors
[Diagram: hacker, Internet, victim PCs] The hacker uses certain features of networks and systems to execute remote functions on the victims' PCs. Such tools can open ports so that the hacker gains access to the affected user's system.
5.13.1 Hacking Example: NETBUS
5.16.1 Hoax Example
From: Raquel Garrido H.
To: [email_address]
Subject: DO NOT TURN ON YOUR PC TOMORROW
Date: Mon, 1 Mar 2001 10:23:02 -0400
PASS THIS ON TO ALL YOUR CONTACTS BECAUSE IT COULD BE FATAL. The antivirus companies have detected the most terrible virus in history, capable of seriously damaging your PC's hardware. Tomorrow, 2 March, it will activate in such a way that if you turn on your PC, not only your hard disk but also your monitor could burn out. You must send this message to all your contacts as soon as possible, for everyone's sake. DON'T FORGET: DO NOT TURN ON YOUR PC TOMORROW !!!!!!!!!!!!
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.401 / Virus Database: 226 - Release Date: 9/10/02
5.17.1 Spam Example
From: Esther Iberkleid
To: naprexec3@hotmail.com
Subject: hotmail is closing...
Date: Mon, 21 Oct 2002 16:31:45 -0400
PASS THIS ON TO ALL YOUR CONTACTS BECAUSE THIS TIME IT IS FINAL. Hotmail is closing. If you use Hotmail, send this message to everyone you know who uses it; otherwise the owner of Hotmail (Jon Henerd) will delete your mail from here. Hotmail is becoming overloaded and we need to get rid of people, and we want to know which users are actually using their Hotmail accounts. So if you are a user, please send this e-mail to everyone you can, but if you do not pass it on to anyone your Hotmail account will be deleted. Thank you for your cooperation. Mr. Jon Henerd, Hotmail Administration Department.
Dear user. Due to the saturation we have suffered since the appearance of MSN and its derivatives, we are suffering saturation in the system for creating e-mail accounts. The consequences are: 1) No more than 1 MB of space on the hard disk. 2) No more than 20 users in your contact list. 3) You will have to forward at least one copy of this e-mail to at least 10 people so that the system can verify your existence and your participation in it. Microsoft Internet Services has attached a small device to the message so that when you forward it you will remain on the list of active Hotmail users. If you do not meet these requirements within 7 days your account will be closed and permanently deleted from the system. We apologise for the inconvenience. Sincerely: Hotmail Staff. Edwar John - President
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.401 / Virus Database: 226 - Release Date: 9/10/02
5.21 Virus Entry Points
[Diagram: Client, Firewall, Internet, File Server, Mail Server]
1. Exchanging diskettes.
2. Connections to LAN servers.
3. E-mail messages.
4. File downloads.
Editor's Notes
Viruses can be subdivided into six general classifications, namely boot viruses, file viruses, macro viruses, Windows viruses, script viruses, and Java (cross-platform) viruses.
There are many types of malware, but the most common are Trojans, worms, jokes, hacking tools and virus droppers.
On the other hand, we also see that the number of viruses has increased notably in recent years, above all the macro viruses that work with the MS Office applications. If we analyse the number of existing viruses over these years, we see that since the Internet became popular the numbers have grown abruptly.
In the past 5 years, statistics show that the virus medium has shifted from diskettes to e-mail and downloaded files.
Virus infections can be very expensive. Data and valuable time may be lost, and sometimes even somebody's job.
After enumerating the different types of viruses and other malware, let us go into the details of each type. First on the list are boot viruses. Boot sector viruses are those that infect the boot sector (or master boot record) of a computer system. They operate by overwriting or moving the original boot code and replacing it with infected boot code.
A clean computer system may be infected by a boot sector virus from an infected diskette or from a boot virus dropper program. A boot virus would usually infect the boot sector of floppy disks and the Master Boot Record (MBR) of hard disks. Note that infected non-bootable diskettes can still infect a computer system if used for booting up a computer.
The following are some of the symptoms recognizable if a computer system is infected with a boot virus. First, boot viruses usually reside in memory and often consume some of the available conventional memory. If the available conventional memory is a few kilobytes short of 640KB, there is a good chance that the system is infected with a boot virus. Second, since boot viruses usually attempt to infect diskettes inserted into the computer, occasional write-protect errors occur even when only reading floppy disks. Third, because a boot sector or MBR is limited to 512 bytes, boot viruses sometimes hide part of themselves, possibly including the original boot sector, in other locations on the disk. These portions may be protected by marking them as bad sectors. At other times, parts of the boot virus are placed on infrequently used portions of the disk. When these portions are used, or when the boot virus is not able to install itself properly, boot errors occur intermittently.
A virus is a program which reproduces its own code by attaching itself to other programs in such a way that the virus code is executed when the infected program is executed. What basically happens is that the virus attaches a copy of itself, usually at the end of the host program. Then the virus saves a copy of the original header and stores it inside the virus body. This enables the virus to modify the header so that it takes control when the host is executed, usually through a jump to the virus body when the program starts. After the virus has executed, it restores the original header and returns control to the original host program.
DOS file viruses may be obtained from downloaded files or from files shared by other users. Once an infected file is executed on a computer system, it can infect other programs. DOS file viruses usually infect executable programs with the file extensions .com and .exe.
In Windows viruses, the virus usually modifies the header information and then attaches itself as a new section of the Windows executable.
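As an added defender-side example (not code from the slides or their author): a Python heuristic for DOS .com files based on the infection layout described above. If the very first instruction of the image is a JMP whose target lands in the tail of the file, the entry point has been redirected to appended code. The .com images below are hand-assembled, constructed byte strings for illustration, not real programs or malware.

```python
import struct

# DOS loads a .com image at CS:0100h. The targets computed below are file
# offsets, i.e. memory offsets minus 0x100.

def first_jump_target(data: bytes):
    """Return the file offset the entry JMP lands on, or None if the image
    does not begin with a JMP at all."""
    if len(data) >= 3 and data[0] == 0xE9:            # JMP rel16 (near jump)
        rel = struct.unpack_from("<h", data, 1)[0]     # signed 16-bit displacement
        return (3 + rel) & 0xFFFF                      # relative to the next instruction
    if len(data) >= 2 and data[0] == 0xEB:            # JMP rel8 (short jump)
        rel = struct.unpack_from("<b", data, 1)[0]
        return (2 + rel) & 0xFFFF
    return None

def analyze_com(data: bytes, tail_fraction: float = 0.25):
    """Heuristic from the notes: an appending file virus patches the original
    header into a jump to its own body at the end of the file.
    Returns (suspicious, reason)."""
    target = first_jump_target(data)
    if target is None:
        return False, "entry point is not a JMP"
    if target >= len(data):
        return True, f"entry JMP to offset {target:#x} lies beyond the end of the file ({len(data)} bytes)"
    tail_start = int(len(data) * (1.0 - tail_fraction))
    if target >= tail_start:
        return True, f"entry JMP lands in the file tail (offset {target:#x} of {len(data)} bytes)"
    return False, f"entry JMP to offset {target:#x} stays inside the main body"

# --- constructed samples (hand-assembled bytes, layout only) ---
# A tiny host: print "Hello$" via INT 21h/AH=09h, then exit via INT 21h/AX=4C00h.
HOST = bytes([
    0xB4, 0x09,              # mov ah, 09h
    0xBA, 0x0C, 0x01,        # mov dx, 010Ch   (string sits at file offset 12)
    0xCD, 0x21,              # int 21h
    0xB8, 0x00, 0x4C,        # mov ax, 4C00h
    0xCD, 0x21,              # int 21h
]) + b"Hello$"
BENIGN_COM = HOST.ljust(400, b"\x90")                  # pad with NOPs to 400 bytes

# The same host laid out as on slide 5.8: the first three bytes become a JMP to
# offset 400, where the saved original bytes sit in front of the appended body.
# The body here is NOP filler, a constructed placeholder with no behaviour.
BODY_OFFSET = len(BENIGN_COM)                          # 400
SUSPECT_COM = (bytes([0xE9]) + struct.pack("<h", BODY_OFFSET - 3)
               + BENIGN_COM[3:]
               + BENIGN_COM[:3] + b"\x90" * 77)

# A legitimate program that merely starts with a short jump over a 6-byte data area.
SHORT_JMP_COM = bytes([0xEB, 0x06]) + b"DATA\x00\x00" + HOST.ljust(200, b"\x90")

if __name__ == "__main__":
    for name, image in (("benign", BENIGN_COM), ("short-jmp", SHORT_JMP_COM), ("suspect", SUSPECT_COM)):
        print(name, analyze_com(image))
```

The tail fraction is a tunable threshold: legitimate programs may begin with a short jump over data, so only jumps that skip almost the whole file are flagged.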
Bubbleboy is the first virus that is able to propagate itself via e-mail, without having to open an attachment. It achieves this by exploiting security holes that exist in the treatment of ActiveX controls.
As with other viruses, there are some visible symptoms when a macro virus is present on a computer system. First, infected files grow in size. This may not be obvious, because it is normal for documents to grow, especially when we are editing or updating them. Furthermore, the application will sometimes ask the user to save a document even though it was not modified. Note also that only templates can contain macro code. Therefore, on a system infected by a macro virus, the file format offered when saving is Template instead of Document. If this happens and you have not added any macro code, or your company does not use macros in its documents, then your documents are suspected of being infected with macro viruses.
Again, with MS Word97 documents the same techniques apply. If you are familiar with your standard documents, you should be able to tell whether there is a new module in any of them. If an unusual module exists in your documents, they may be infected by a macro virus. Further inspection of the module would indicate whether the document is indeed suspicious (i.e. whether it overrides AutoOpen, AutoNew, and/or AutoClose).
DFVIEW.EXE may be used on any MS Office file, including MS Word documents, MS Excel spreadsheets, and MS PowerPoint presentations, to check for possible macro virus infections. When DFVIEW.EXE is used on a normal MS Word95 document, notice that either there is no macro code or the macro code belongs to user macros. On the other hand, using DFVIEW.EXE on an infected document shows that the macro code is malicious and possibly destructive. Most macro viruses override AutoOpen, AutoNew, and AutoClose.
To control the possible spread of macro viruses on your system, macro virus protection should be enabled. In MS Office 95/97 it is available through the Tools menu, under Options, in the General settings. In MS Office 2000 it is set by selecting the Medium or High security level through the Tools menu, under Macro, in the Security settings. While macro virus protection is enabled or security is set to Medium, MS Office prompts the user whenever macro code exists in a document, spreadsheet, or presentation. Choose to disable macro execution if you are unsure, or if you are not aware of any macro code in your documents. When High security is selected, macro code is disabled automatically. Additionally, macro code may be viewed by pressing Alt-F11 or by choosing to view the macro in the Visual Basic Editor under the Tools|Macro menu item. If an unexpected macro is found, the suspect document may be infected with a macro virus.
For MS Excel macro viruses, when an infected Excel sheet is opened it usually creates an Excel file containing the macro code in the startup (XLSTART) directory. From there, the virus can reproduce copies of itself onto other sheets accessed by MS Excel.
The same check used for MS Word95 applies to MS Excel95 when checking for possible macro virus infections with DFVIEW.EXE. Notice that infected files usually contain several entries under _VBA_PROJECT. If these modules are checked, as with MS Word95 macro viruses, we usually find an AutoOpen, AutoNew, and/or AutoClose macro.
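As an added example (not from the slides), a Python triage step for the checks described in the notes above on Word and Excel documents. It takes VBA module text that has already been extracted from the file (what DFVIEW.EXE or the Visual Basic Editor shows; extraction itself is assumed done), flags the auto-executing names the notes single out, covers both Word 95-style modules (where the macro name is the module and its body is Sub MAIN) and Word 97/Excel-style modules holding several Subs, and reports how many entries the project has. The documents below are constructed dictionaries with made-up module text.

```python
import re

# The three auto-executing macro names the notes single out (lower-cased,
# because VBA names are case-insensitive).
AUTO_MACROS = {"autoopen", "autonew", "autoclose"}

# A procedure header in VBA: optional Public/Private, then "Sub Name".
SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+([A-Za-z_]\w*)",
                    re.IGNORECASE | re.MULTILINE)

def auto_exec_findings(modules):
    """modules maps module name -> VBA source text extracted from the document.
    Returns a list of (module, procedure) pairs that Word/Excel would run on
    their own when the document is opened, created or closed."""
    findings = []
    for module, source in modules.items():
        # Word 95 / WordBasic: the macro *is* the module (named AutoOpen etc.)
        # and its body is a single 'Sub MAIN'.
        if module.lower() in AUTO_MACROS:
            findings.append((module, "MAIN"))
        # Word 97 / Excel VBA: any module may hold several Subs; inspect each name.
        for proc in SUB_RE.findall(source):
            if proc.lower() in AUTO_MACROS:
                findings.append((module, proc))
    return findings

def triage(modules):
    """Combine the two signals from the notes: auto-executing macros and the
    number of entries under _VBA_PROJECT. Several entries is typical of an
    infected file, but the count alone is only reported, not judged."""
    hits = auto_exec_findings(modules)
    return {"auto_exec": hits, "module_count": len(modules), "suspect": bool(hits)}

# --- constructed samples (module text is made up for illustration) ---
CLEAN_DOC = {
    "FormatReport": "Sub FormatReport()\n    ' user macro: applies the house style\nEnd Sub\n",
}
SUSPECT_DOC = {
    "ThisDocument": "' empty document module\n",
    "Module1": ("Public Sub AutoOpen()\n    ' body omitted (constructed sample)\nEnd Sub\n"
                "Sub AutoClose()\n    ' body omitted (constructed sample)\nEnd Sub\n"),
}
WORD95_DOC = {
    "AutoOpen": "Sub MAIN\n    REM body omitted (constructed sample)\nEnd Sub\n",
}

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_DOC), ("suspect", SUSPECT_DOC), ("word95", WORD95_DOC)):
        print(name, triage(doc))
```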
The most expensive virus cleanup of 1999 was the Melissa virus; the cleanup totalled $80 million.
One of the more widespread Windows viruses is the CIH virus. It is actually the number one virus in terms of the number of users infected.
Some email messages or web pages could contain malicious scripts. These malicious scripts would utilize the automatic scripting capabilities of some Web and Mail browsers. This enables them to replicate to other mail recipients or web page users.
Script viruses may be embedded inside mail messages or web pages. Let's first take the case of scripts in web pages. To check whether a web page contains any malicious code, we can view its source and analyze it. All web pages have corresponding source code, and an engineer should be able to discern whether the code is malicious or not. Familiarity with VBScript and JavaScript is needed to make that determination. If you are unsure, you can submit the sample to a virus doctor for verification.
Upon clicking the "Don't touch this!" button, this hostile Java applet clogs your CPU and wastes system resources by opening an endless number of windows, as in the screenshot. The only way to stop it is to terminate the browser.
There are two types of Java Viruses. 99% of the Java Viruses found are Java Applets and are oftentimes merely annoying and not exactly destructive. The remaining Java Viruses are full Java Applications which are capable of doing virtually anything other executable programs can do. These viruses will infect *.class files.
To prevent Java viruses from inadvertently executing on your system, you can select a high security setting in the Internet Options of your web browser. This way, you will only be able to run Java code from trusted sites.
A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. Propagation usually takes place via network connections or e-mail attachments. The difference between Trojans and worms is that Trojans rely on users for their propagation, while worms take spreading copies of themselves into their own hands. The difference between a worm and a virus is that a worm replicates itself in its entirety, creating exact copies of itself without the carrier program that a virus needs.
Another piece of malware that was widespread last year was the ExploreZip worm. It spreads quickly and is capable of truncating files to a size of 0 bytes.
An auto-spamming worm, first found on June 9th, 1999. When executed, it accesses Microsoft Outlook, Outlook Express or Exchange, automatically replies to any incoming e-mail message and sends itself out with the reply. The body of the e-mail message may contain the following text: "Hi [Recipient Name]! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye"
Net hack tools are malicious code whose purpose is to control computers remotely and to exploit backdoors in some systems. This usually allows a remote hacker to take control of virtually everything on the computer system. If there is any sensitive information on the system, the remote hacker can easily see it and do with it whatever he wishes.
Once a remote user takes control of a system, virtually everything could be manipulated: including, but not limited to, the file system, the video system, the registry, other applications, the CDROM drive, passwords, and other possibly sensitive data. An example is the Netbus hacking tool which can do everything that is in the screen shot above.
One particular example is the JOKE_PUZZLE program which rearranges the screen and the user should solve the puzzle before he is allowed to continue his work. An inexperienced user who cannot solve the puzzle may reboot his computer and therefore lose any unsaved data.
[Read the information using clearer statements] The equation seems to add up, doesn't it? However, we will see that it is not as simple as it looks. Let's look at some other numbers...
The problem used to be basically one of viruses and a few dangerous Trojans. Then worms became popular, spreading at great speed around the world. Many agent programs appeared, of the BackOrifice and NetBus type. And now we also have reports of new threats such as VB scripts and Java and ActiveX code. Hoaxes and spam (unsolicited e-mail messages) are also part of the virus landscape. [Briefly explain what a hoax is] Two things stand out on this slide. One is that we cannot deny the constant evolution of viruses to adapt to new technologies and trends. The other is that we cannot deny that the problem is now tied to "content". In fact, we see that the problem no longer lies in a standalone attachment sent to me along with a text message. Now the problem may lie in the malicious script or routine sent to me in a message advertising something I never asked for. So the problem is not only a virus problem; it is also a "content" problem.
Now, you might ask what content really is. Good question. Let's try to answer it. [Read the statements carefully, conveying the idea that everything became more complicated over time]
Viruses usually spread in four ways: 1) when a user saves an infected file to a diskette and then accesses it on another computer, thereby infecting that computer with the virus; 2) through file sharing in a LAN environment; 3) when a user executes an e-mail attachment that contains a virus; 4) when downloading files from a website that contains a malicious Java applet or ActiveX control.