Network Security Illustrated

Viruses and Trojans
Viruses and trojan programs are malicious applications intended to give third parties some form of control over remote computer systems.

Viruses are one of the most publicized aspects of the modern computing world. Reporters love to write articles about them and people love to ooh and ah over the concept. Even the least technologically savvy people on the planet seem to be puzzled and naturally curious about the fact that computers can get sick, too.

Of course, the rest of us know computers do not get sick; they simply, and inadvertently, download small and pesky programs written with malicious intent. These programs have historically been known as trojans or viruses. Today the differences between these types of malicious programs have blurred, and most scanning software on the market claims to address both problems with equal proficiency. The fact remains that viruses and trojans, although lumped together, perform different functions for the attackers who create them.

A virus is a small program designed to infect one or more of a computer’s files. As it spreads, it may cause problems ranging from benign to serious. Sometimes the goal is to annoy and sometimes the goal is to destroy: a virus may delete files or even format an entire hard drive, or it may do nothing more than display messages on the screen to make itself known. Even a virus with no destructive payload often leaves the operating system unstable, because the code it splices into host programs was never written with the host’s reliability in mind.

To meet the definition of a virus, a program must meet two criteria:

  • It must execute itself. To accomplish this it typically places its own code in the path of execution of another program, so that running the host program runs the virus first.
  • It must replicate itself. For example, it may overwrite other executable files with a copy of the infected file, or append its own body to them.

Viruses can infect any machine on a network, whether categorized as a workstation or a server. Once a system has been infected, the virus can execute its payload. A malicious virus might have a payload that deletes critical files from a hard drive. Some viruses are highly destructive, some are just annoyances or spread harmlessly, and most fall somewhere in between.

Viruses present themselves in a variety of ways with a variety of purposes. Computer history has produced four broadly recognized categories of viruses, distinguished by what they infect. They are as follows:

File Infector Viruses: File infector viruses infect program files. They normally infect executable code, such as .com and .exe files, and spread to further files whenever an infected program is run, whether from a floppy, a hard drive, or the network. Many of them are memory resident: once the virus is in memory, every clean executable that is subsequently run becomes infected.

(Master) Boot Sector Viruses: Boot sector viruses infect the system area of a disk, that is, the boot record of a floppy disk or the master boot record of a hard disk. They are always memory resident. Boot sector viruses are seldom seen today because they were designed to exploit Disk Operating System (DOS) systems that booted from floppy. Once a machine has booted from an infected disk, the virus remains in memory and infects every floppy disk that is accessed and is not write protected.

Multi-partite Viruses: Multi-partite (or polypartite, as they are sometimes called) viruses infect both boot records and program files. As a result, the damage they cause is not easy to repair: if the boot area is cleaned but the infected files are not, the next infected program that runs re-infects the boot area, and the reverse holds if the files are cleaned but the boot area is not.

Macro Viruses: These viruses infect data files rather than programs: documents and spreadsheets created by applications with a built-in macro language, such as Word and Excel, where the macro runs automatically when the document is opened. The damage done by these viruses has had the most direct impact on corporate Information Technology (IT) departments in recent years. A sidebar in the book describes this pest in greater detail.

Trojans serve a different purpose. Their goal is not to spread, or even to annoy. A typical trojan is cleverly disguised as a legitimate program so that the user runs it willingly and nothing looks amiss. Because it cannot replicate itself, a trojan needs to be invited into a system, much like the original gift from Troy. Once inside, its hidden surprise gives the enemy (here, the attacker) a tremendous battle advantage, hence the not-so-clever name.

A trojan is often extremely difficult to detect. Trojans are designed to leave little or no digital paper trail. When a user inadvertently executes a trojan, it buries itself in the operating system and can reside there undetected indefinitely. It may delete log files the operating system creates, destroying any record of its activity. The purpose of a trojan is usually to give an external user backdoor control of the system, without the owner’s permission or knowledge. Scared yet? Don’t panic; keep reading to learn the best way to deal with these problematic devils.

A virus with a trojan as its payload is a particularly dangerous combination. The virus gets into systems and replicates itself, leaving a trojan on each machine in its wake. Within a short while, a vast number of machines are under the virus creator’s control. These machines are called zombies; a large collection of zombies under centralized command is called a zombie-net (today more commonly a botnet). Zombie-nets are used to launch massive, hard-to-trace distributed Internet assaults such as a distributed denial of service (DDoS) attack.

For every crime a law has been written, and for every criminal a cop is out there looking to bag the bad guy. Virus scanners (anti-virus applications) are the analogue of the police: they have always focused on identifying, catching, and eliminating the latest viruses in circulation. More recently they have also set their sights on trojans, even though those programs are far harder to identify because, by design, they look like ordinary software.
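To make the two criteria of the virus definition above and the scanner's job concrete, here is an added example (not code from the book): a Python simulation in which an inert marker string stands in for a virus body that prepends itself to host "programs" held as byte strings, alongside the two checks a scanner relies on: matching a known byte signature, and comparing each file's hash against an integrity baseline taken while the system was clean. The file names, their contents, the marker, and the one-entry signature database are all constructed for the example; nothing is executed or written to disk. It goes one step beyond the text by including a second, unknown strain, to show what the signature scanner misses and the integrity check still catches.

```python
"""Toy file infector plus the two checks a scanner uses against it.

Everything here is constructed for the example: the "host programs" are byte
strings, the "virus body" is an inert marker, and the signature database has
one entry. No real executable is involved and nothing touches the disk.
"""
from __future__ import annotations

import hashlib

# Constructed, inert stand-in for a virus body. A real file infector puts
# executable code here; a fixed marker keeps the example harmless.
VIRUS_BODY = b"<<TOY-VIRUS-BODY>>"

# Constructed signature database: detection name -> byte pattern to look for.
SIGNATURES = {"Toy.FileInfector": b"TOY-VIRUS-BODY"}


def infect(host: bytes) -> bytes:
    """Simulate a prepending file infector (criterion 1: execute itself).

    The body goes in front of the host so it would run first, and the original
    bytes follow so the host still appears to work. Already infected hosts are
    left alone, as real infectors check for their own marker to avoid bloat.
    """
    if host.startswith(VIRUS_BODY):
        return host
    return VIRUS_BODY + host


def scan_signatures(files: dict[str, bytes]) -> dict[str, str]:
    """Return {filename: detection name} for every file matching a known pattern."""
    hits = {}
    for name, data in files.items():
        for sig_name, pattern in SIGNATURES.items():
            if pattern in data:
                hits[name] = sig_name
                break
    return hits


def baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record the SHA-256 of every file while the system is known to be clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_check(files: dict[str, bytes], known_good: dict[str, str]) -> list[str]:
    """Return names of files whose hash differs from the baseline or that are new."""
    changed = [
        name
        for name, data in files.items()
        if known_good.get(name) != hashlib.sha256(data).hexdigest()
    ]
    return sorted(changed)


def demo() -> dict:
    """Infect a constructed 'disk' and run both checks over it."""
    clean = {
        "calc.exe": b"MZ calc program bytes",
        "edit.com": b"edit program bytes",
        "notes.txt": b"just a text file",
    }
    known_good = baseline(clean)

    # Criterion 2 (replicate): the known strain spreads to calc.exe; a second,
    # constructed strain absent from SIGNATURES hits edit.com; notes.txt is
    # a data file with no code path and is left alone.
    after = dict(clean)
    after["calc.exe"] = infect(clean["calc.exe"])
    after["edit.com"] = b"<<UNKNOWN-STRAIN>>" + clean["edit.com"]

    return {
        "clean_system_flags": integrity_check(clean, known_good),  # []
        "signature_hits": scan_signatures(after),  # only the known strain
        "integrity_changed": integrity_check(after, known_good),  # both strains
        "reinfection_is_noop": infect(after["calc.exe"]) == after["calc.exe"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature check is what the chapter's anti-virus "police" do, and it finds only what is already in the database. The baseline comparison finds any modification to a known file, known strain or not, which is why file integrity gets its own chapter in the book; its blind spot is the opposite one: a file added after the baseline is reported, but the check cannot tell a newly invited trojan from a newly installed legitimate program.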

More Information

The above is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com as well as your local bookstore. The book goes into much greater depth on this topic.