Viruses in Vista
U0925517

Table of Contents

Acknowledgement
Abstract
1. Introduction
   1.1.
   1.2.
2. Background on Malware
   2.1. Types of Viruses
      2.1.1. Boot viruses
      2.1.2. Macro viruses
      2.1.3. Parasitic viruses / file infectors
      2.1.4. Encrypted viruses
      2.1.5. Date viruses
      2.1.6. Stealth viruses
   2.2.
      2.2.1. Worms
      2.2.2. Trojan horses
      2.2.3. Rootkits
3. Methods of Attack
   3.1.1. Mass e-mailers
   Software vulnerabilities which are exploited
   Process of phishing
   Process of pharming
4. Anti-Virus
   4.1. Pattern matching / signature detection
   4.2. Emulation
   4.3. Frequency analysis
   4.4. X-raying
   4.5. Heuristics
5. About Recent Malware
   5.1. SpamThru Trojan
   5.2. Trojan Beast
   5.3. Win32.Glieder.AF
   5.4. Winevar
7. Some new malware attacks exploiting Windows
8. Computer Worms
   8.1. Examples of worms
      8.1.1. E-mail worms
9. Practical Implementation
   9.1. Trojan.Gozi
   9.2. Prorat 1.9
      How it infects the PC
      How to use Prorat 1.9
      How to remove Backdoor.Prorat
ABSTRACT

This paper presents an overview of the features of Windows Vista and of the security features intended to stop malicious software that penetrates a system without the permission of the system user: viruses, Trojan horses, rootkits, worms and so on. The guide is designed for all users and for organizations of any size. It provides security guidelines, describes the threats caused by malicious software and the available countermeasures, and includes a critical evaluation of well-known Trojan horses such as Trojan.Gozi and Backdoor.Prorat and the way they affect the systems they infect.
1. Introduction:

Windows Vista entered the market in 2006 with features such as graphical previews of documents during Alt-Tab switching, the Aero user interface and the Windows Presentation Foundation. It is hard to find an obvious, scientific link between these productivity features and improvements in security. In the five to six years of development between XP and Vista, Microsoft worked hard on major improvements that really matter to businesses [Microsoft, 2006].

Whatever the environment, you are advised to take security seriously. Many organizations underestimate the importance of information technology security. A severe attack on the main servers in the environment can considerably damage the progress of the whole organization. For instance, if malware infects the client computers across the whole network, the organization may lose its most valuable data and incur a significant cost to restore a secure state; if the website becomes unavailable, the result can be a major loss of revenue as well as of client confidence. Considering security risk, vulnerability and the experience of examination informs you of the trade-offs between functionality and security to which all computer systems in a networked environment are subject. This document considers the main security-related measures available in the Windows Vista operating system, the vulnerabilities and the countermeasures that help address them, and the potential negative consequences (if any) of implementing each countermeasure. Microsoft tried to include major improvements in four areas that are important to business: manageability, security, networking and mobile computing [Preston Gralla, 2006].

Alongside other changes to Windows and the addition of the Windows Defender antispyware product, two security features of Vista stand out: BitLocker Drive Encryption and User Account Control (UAC).

With User Account Control, the harm a user may unintentionally do to his system is reduced; for example, the impact of malicious software is reduced by making it easier to use Windows without administrator privileges.

BitLocker Drive Encryption, which is especially useful on laptops, allows users to encrypt the whole Windows volume so that important data stays protected even if the computer is stolen or lost [Bill Detwiler, 2007].

Anti-virus vendors such as Symantec warn that Windows systems are vulnerable, and people who use other operating systems often believe they are not at risk. That is not the case. Malicious programs have also targeted other operating systems since the 1970s: Apple was first attacked in 1982 by the Elk Cloner virus, and MS-DOS compatible malware did not appear until 1986 [John Timmer, 2007].

Malicious programs exist mainly in two forms: those that need a host (Trojan horses, viruses, trap doors, logic bombs) and those that do not (bacteria, worms) [Chris Imafidon, 2006]. As Microsoft Windows gained a dominant market share, it created ideal conditions for malware to increase. Although non-Windows operating systems may seem a security dreamland, their users should be ready for cybercriminals and malware authors to start targeting them. Viruses have attacked Vista mainly by way of Windows updates.

The well-known researcher Frank Boldewin said that the Trojan horses spammed at the end of March 2007 used new methods to download malware onto computers.

It is strongly suggested to install an anti-virus scanner. Not every anti-virus scanner will be recognized by Windows Vista, even if it is completely fine and working properly. If the anti-virus scanner is installed properly and recognized by Vista, the Malware Protection line in the Security Center automatically turns green. Most anti-virus programs require a reboot after installation [Malwarekilla, June 2010].
2. Background on Malware:

The term malware is short for malicious software. Trojan horses, spyware, rootkits, worms and so on all come under malicious software. Malicious software infects a system and then travels over the network to infect the remaining systems; the Internet helps it keep the attack growing until the infection has spread to systems in remote places [T. M. Chen, 2003]. Malware attacks are nothing new; they have been around for a long time. In the early days malware was created for disruption: the first attempts removed files or erased hard drives. Nowadays malware is designed to steal secret data such as passwords, PINs (personal identification numbers), credit card numbers and social security numbers, which provide a kind of monetary profit for the malware writers. Malware creators have changed the way they create malicious code. Malware is considered dangerous in today's world because the damage it creates affects important company data and confidential government data. Malicious software includes viruses, rootkits and password recorders. Nowadays programmers write these programs using software available on the internet [T. M. Chen, 2003].
2.1. Types of Viruses:

Computer worms and viruses are programs intended to disrupt systems by removing data, corrupting data and spreading infection all over the internet. The first Internet worm was created in 1988; systems infected by the worm ran noticeably slower than before. A virus infects other programs by changing their code, and causes damage. In 1990 it was estimated that 500 viruses were in circulation on the internet; by 1996 there were more than 10,000, and by 2002 more than 60,000, some of them very dangerous [J. Munro, 2002]. At present there are more than 103,000 viruses on the internet [DaBoss, 2009]. Viruses have the capability to infect other program code: if the user runs the infected program, the virus immediately infects the whole system, takes control of it and damages it badly. A virus is program code that is able to change or otherwise affect a program [Dr. Chris Imafidon, 2006]. These early types of virus were easy to detect and easy to remove from the system, but today's worms and viruses have become more dangerous than the earlier ones. Some types of viruses are as follows [C. Nachenberg, 1997].
2.1.1. Boot viruses: This type of virus infects the master boot record and is more dangerous than the other types of viruses [J. O. Kephart, 1997]. Once it penetrates the system, the boot virus stays resident in memory and can infect any layer of the system. Boot viruses are very dangerous and not easy to erase from the system; only a good anti-virus product can delete this type of virus. Boot Crazy and AntiEXE are examples.

2.1.2. Macro viruses: A macro virus infects applications such as Microsoft Excel and Microsoft Word. The first macro virus was written for Microsoft Word 95 [Crispin Cowan, CTO, WireX Communications, Inc.].

2.1.4. Encrypted viruses: An encrypted virus carries a decryption engine as well as the encryption key [D. J. Sanok, 2005]. These viruses are created to hide from virus-scanning methods. The Cascade virus used this method.

2.1.5. Date viruses: These viruses stay dormant in the system and affect it at a particular time or date [C. Nachenberg, 1996]. A virus or worm can gain momentum on the system by using this method. Century and Sunday are examples of this type of virus.

2.1.6. Stealth viruses: Stealth viruses exist by hooking into the system. Such a virus also tries to suppress the system calls by which it would be detected from the DOS command prompt. The Lion worm installs a rootkit and then sets several hooks to hide from the anti-virus scanner [Akshaya Bhatia, 2008].

2.2.1. Worms: Worms do not infect files on the system the way viruses do. They use the network connection to enter the network and then cause heavy damage [Chris Imafidon, 2006].

2.2.2. Trojan horses: A Trojan horse poses as genuine software and enters the system. There are different types of Trojans on the internet, and the functionality of each Trojan differs. The Trojan looks like genuine software to the user but is a dangerous threat to the system [Joseph Lo aka Jolo, 2006]. A Trojan uses the viruses already present on the system to create more damage. Trojans mainly do one of two things: they cause direct damage, or they perform a useful function while copying damaging instructions into other executable files [Chris Imafidon, 2006].

2.2.3. Rootkits: The main aim of a rootkit is to offer more control to the attacker [P. Szor, 2005]. Nowadays most hackers use the rootkit method to enter a system while avoiding the anti-virus scanner. The most notorious rootkit is the Sony rootkit, which hides everything whose name begins with the string $sys$.
3. Methods of Attack:

Malware uses many methods to attack a system. The important methods of attack are:

3.1.1. Mass e-mailers: The attack arrives through an instant messenger or an e-mail, and with this method the attacker can bluff the user into performing unwanted actions [Hacker Tactics, 2001]. The virus is transferred in an e-mail in the form of an image or an executable file. In many cases the virus reaches its destination in mail from the attacker disguised as a picture or an .EXE file; after the user clicks on it, it installs a Trojan on the system. The Happy99 worm reached computers by mail carrying the file Happy99.exe; when clicked, it displays fireworks while the .EXE installs itself on the PC [CERT incident, 2002]. It then finds the user's address book and automatically mails itself to everyone on the list. Mass mailers generally rely on social engineering and tricks that tempt the user to open the file. Familiar examples are Love Letter and ExploreZip. Almost 90% of viruses in 2002 were of this type [T. M. Chen, 2003].
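As an added example (not code from the paper), the following Python script applies the attachment check a mail gateway would use against the tricks mass mailers rely on: a bare executable such as Happy99.exe, a double extension such as LOVE-LETTER-FOR-YOU.TXT.vbs that Explorer displays without its final part, whitespace padding that pushes the real extension out of view, and the Unicode right-to-left override. The extension lists and the sample attachment names are the author's assumptions, constructed for the demonstration.

```python
"""Triage of e-mail attachment names, as used by mass-mailing worms.

Added example, not code from the original paper. The attachment names in
SAMPLE_ATTACHMENTS are constructed for the demonstration; the extension
lists are the author's assumptions about what a mail gateway treats as
executable and as ordinary content.
"""
import re

# Extensions Windows executes directly when the user double-clicks (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta"}
# Extensions a user expects to be harmless content (assumed list).
CONTENT_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".pdf"}
# Unicode right-to-left override: makes "photo" + RLO + "gpj.exe" render as "photoexe.jpg".
RLO = "\u202e"

# Constructed sample batch: the paper's Happy99 and Love Letter names plus disguised variants.
SAMPLE_ATTACHMENTS = [
    "Happy99.exe",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "holiday.jpg",
    "photo.jpg" + " " * 40 + ".exe",
    "photo" + RLO + "gpj.exe",
    "report.pdf",
    "archive.zip",
]


def extensions(name):
    """All dotted extensions in a file name, lower-cased, outermost last."""
    return [e.lower() for e in re.findall(r"\.[A-Za-z0-9]+", name)]


def classify_attachment(name):
    """Return (verdict, reason) where verdict is 'block', 'warn' or 'allow'."""
    if RLO in name:
        return "block", "right-to-left override hides the real extension"
    exts = extensions(name)
    if not exts:
        return "warn", "no extension; Windows will pick a handler by content"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        # Explorer hides known extensions, so "photo.jpg.exe" shows up as "photo.jpg".
        if len(exts) > 1 and exts[-2] in CONTENT_EXTS:
            return "block", "double extension %s%s disguises an executable" % (exts[-2], last)
        if re.search(r"\s{3,}\.", name):
            return "block", "whitespace padding pushes the executable extension out of view"
        return "block", "directly executable attachment (%s)" % last
    if last == ".zip":
        return "warn", "archive; contents must be scanned after extraction"
    return "allow", "ordinary content (%s)" % last


def triage(names):
    """Map each attachment name to its verdict; returns {name: (verdict, reason)}."""
    return {name: classify_attachment(name) for name in names}


if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE_ATTACHMENTS).items():
        print("%-6s %-45r %s" % (verdict, name, reason))
```

The check is deliberately on the name alone: a gateway sees the name before it has decoded the body, and all four tricks above work only because the displayed name differs from the real one.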
Software vulnerabilities which are exploited: Exploits are classified by the vulnerability they abuse. Some of the classes are:
1. Buffer overflow
2. Heap overflow
3. Integer overflow
4. Code injection
5. SQL injection
6. Cross-site scripting

It is difficult to eliminate software vulnerabilities because it is hard to say everything that can go wrong even in a small piece of code. Developers can be made familiar with a coding style that makes exploits difficult, so that the classes above are neutralized; this practice is known as secure coding.

Even the kernel cannot be expected to end up as a single bug-free file; it is practically impossible to write code without bugs [R. Basili and Barry T. Perricone, 1984]. The infection problem is more complex still, because attackers depend on those errors, and it follows from the above that preventing infection is almost impossible: correctly handling every error a user can cause is also very complex.
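The SQL injection class from the list above, shown as an added example (not code from the paper): a login check that builds its query by string formatting, beside the parameterized version that secure coding calls for. The in-memory users table, its single row and the two payloads are constructed for the demonstration.

```python
"""SQL injection: a vulnerable login check beside its parameterized form.

Added example, not code from the paper. The users table and its single row
are constructed in memory for the demonstration.
"""
import sqlite3


def make_db():
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: user input becomes SQL syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Same check with bound parameters: input is only ever data, never syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Two classic payloads: comment out the password clause, or make the WHERE always true.
PAYLOADS = [
    ("alice' --", "anything"),
    ("' OR '1'='1", "' OR '1'='1"),
]


def compare(conn):
    """For each payload, return (vulnerable_result, safe_result)."""
    return [(login_vulnerable(conn, u, p), login_safe(conn, u, p)) for u, p in PAYLOADS]


if __name__ == "__main__":
    db = make_db()
    for (u, p), (vuln, safe) in zip(PAYLOADS, compare(db)):
        print("%-22r vulnerable=%s safe=%s" % (u, vuln, safe))
```

Both payloads log in through the formatted query and fail against the bound one; the fix is not escaping quotes by hand but keeping data out of the statement text altogether.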
4. Anti-Virus:

Anti-virus software appeared in the 1980s, together with the first computer viruses. This software scans and monitors the computer at particular times, or constantly, for any malicious entity. Day by day anti-virus software has grown alongside malicious entities such as viruses. The methods used by anti-virus software are given below:

4.1. Pattern matching / signature detection: Signatures are files containing the code fragments by which viruses are recognized, and a signature database protects a system against known malicious entities. Initially these programs scanned through whole executable files to locate virus code. Developers then learned that most infections place the virus code at the entry point of the program, so the scanner begins its check at the entry point of the related program or data. This approach breaks down when polymorphic or encrypted viruses appear [Daniel Newman, Kristina M. Manalo, Ed Tittel, Jun 18, 2004].

4.2. Emulation: The suspect code is run in an emulated environment. This gives the anti-virus program room to monitor the activity of the virus body in an enclosed environment, preventing damage to the user's PC.

4.3. Frequency analysis: This method counts how often particular instructions occur in a program; for example, a program that uses the DOS interrupt 21h carries that interrupt in its own code, and this interrupt is seen very frequently in malware.

4.4. X-raying: The scanner looks through the encryption layer of an encrypted virus, deriving the key from the known virus body, and so locates the virus code inside the executable file.

4.5. Heuristics: Virus writers keep implementing new methods: they avoid executing the virus at the time the file is executed, and they keep changing their techniques to spread across the internet and to evade the anti-virus scanner. Heuristic scanning therefore watches the behaviour of code, for example what it does on file access and page faults [Daniel Newman, 2004].
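The following added Python example (not code from the paper) implements the signature scanning of 4.1 with wildcard bytes, shows how a single-byte XOR encryption of the virus body defeats it, and then implements X-raying as in 4.4: at each offset the candidate key is derived from the first fixed signature byte and verified against the rest. The virus body, decryptor stub, key and signature are constructed byte strings and assumptions for the demonstration, not real malware.

```python
"""Signature scanning with wildcards, and X-raying of a single-byte XOR encrypted body.

Added example, not code from the paper. The 'virus body', decryptor stub and
signature below are constructed byte strings for the demonstration, not real
malware; the signature bytes are the x86 encoding of mov ax,4Cxxh / int 21h,
the DOS exit sequence discussed under frequency analysis, with the low byte wildcarded.
"""

# Signature: a list of byte values, None meaning "any byte".
SIG = [0xB8, None, 0x4C, 0xCD, 0x21]

# Constructed plaintext virus body (contains the signature at offset 9).
VIRUS_BODY = (bytes.fromhex("e80000005e81ee0301")      # call/pop delta trick
              + b"\xb8\x00\x4c\xcd\x21"                  # mov ax,4C00h ; int 21h
              + b"PAYLOAD")

# Constructed plaintext decryptor stub: mov si/cx ; xor byte [si],5Ah ; inc si ; loop
DECRYPTOR_STUB = bytes.fromhex("be0001b91000" "80345a" "46" "e2fa")
KEY = 0x5A


def xor_bytes(data, key):
    """Single-byte XOR, which is its own inverse."""
    return bytes(b ^ key for b in data)


def infected_file(body=VIRUS_BODY, key=KEY):
    """Stub in the clear followed by the XOR-encrypted body, as an encrypted virus lays it out."""
    return DECRYPTOR_STUB + xor_bytes(body, key)


def matches_at(data, sig, offset, key=0):
    """True if sig matches data at offset after XOR-decrypting with key."""
    if offset + len(sig) > len(data):
        return False
    return all(s is None or (data[offset + i] ^ key) == s for i, s in enumerate(sig))


def scan_signature(data, sig):
    """Plain pattern matching: offset of the first match, or -1."""
    for offset in range(len(data) - len(sig) + 1):
        if matches_at(data, sig, offset):
            return offset
    return -1


def xray_scan(data, sig):
    """Known-plaintext attack: at each offset derive the XOR key from the first
    fixed signature byte, then verify the rest. Returns (key, offset) or None."""
    first = next(i for i, s in enumerate(sig) if s is not None)
    for offset in range(len(data) - len(sig) + 1):
        key = data[offset + first] ^ sig[first]
        if matches_at(data, sig, offset, key):
            return key, offset
    return None


if __name__ == "__main__":
    sample = infected_file()
    print("plain scan on infected file:", scan_signature(sample, SIG))   # -1: encryption defeats it
    print("x-ray scan on infected file:", xray_scan(sample, SIG))        # (90, 21)
```

The plain scan finds the body only while it is in the clear; once the body is XORed the scan returns -1, while the X-ray pass recovers both the key and the offset without ever running the decryptor, which is exactly why the encrypted-virus strategy of 2.1.4 stopped being enough on its own.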
5. About Recent Malware:

The rise of this type of malicious software shows us the gaps in current system security, no matter how well the anti-virus software works: the new malicious programs have the capacity to disable anti-virus software and other types of security software.

5.1. SpamThru Trojan: SpamThru reaches the computer through social networking sites or by means of patched files. The Trojan tries to disable the security measures of the system by blocking the anti-virus software. It then installs its own copy of Kaspersky Anti-Virus on the system, creating a duplicate file on the hard disk. Once infected, the system's settings are changed; for example, the notification that the anti-virus licence has expired is suppressed. After subverting the anti-virus software, the Trojan uses it to find other malicious software and remove it, so that no other malware exists alongside it. These Trojans also try to harvest the IP addresses of the infected systems. Most of them are able to evade the anti-virus scanner.

5.2. Trojan Beast: Beast does not require the user's IP address; it connects directly back to its server. Explorer.exe is the file infected by this Trojan. The Trojan injects a DLL into winlogon.exe, a method seen in Windows 2000 and Vista. Once the system is infected, the Trojan restricts the anti-virus software as well as the Windows Vista firewall and automatically takes control of the system.

5.3. Win32.Glieder.AF: This Trojan arrives as a zip attachment [Win32.Glieder.AF, 2005]. When the file is executed it creates a copy of itself at %System%\winshost.exe and adds a boot-time registry entry so that it runs at start-up. After completing this, it tries to stop security software.
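Glieder's persistence (a copy in %System% plus a Run registry entry) is the first thing an incident responder checks. As an added example (not the paper's code), the Python below parses the output of `reg query` for the Run keys and flags entries that name a known drop file such as winshost.exe or that run from a user-writable location. The excerpt, the environment mapping, the trusted directories and the bad-name list are constructed assumptions for the demonstration.

```python
r"""Triage of auto-start (Run) registry entries, the persistence mechanism used
by Win32.Glieder.AF (%System%\winshost.exe) and similar Trojans.

Added example, not code from the paper. SAMPLE_REG_QUERY is a constructed
excerpt in the layout printed by `reg query`; the environment mapping, the
trusted directories and the known-bad file names are the author's assumptions
for the demonstration.
"""
import re

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Defender    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    winshost    REG_SZ    %SystemRoot%\system32\winshost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    updater    REG_SZ    "C:\Users\alice\AppData\Local\Temp\update.exe" /silent
"""

# Assumed environment of the examined host.
ENV = {"SystemRoot": "C:\\Windows", "ProgramFiles": "C:\\Program Files",
       "USERPROFILE": "C:\\Users\\alice"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\documents and settings\\")
# File names the text above names as malware copies (Glieder drops winshost.exe).
KNOWN_BAD_NAMES = {"winshost.exe"}

VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
IMAGE_PATH = re.compile(r'^"?([^"]+?\.(?:exe|dll|scr|bat|cmd|vbs|js))"?', re.IGNORECASE)


def expand_env(path, env=ENV):
    """Expand %VAR% references using the assumed environment."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def parse_reg_query(text):
    """Yield (key, value_name, type, data) tuples from reg query output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            key = line.strip()            # unindented line: a new registry key
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3)


def judge(data):
    """Return a reason string if the command line looks suspicious, else None."""
    m = IMAGE_PATH.match(expand_env(data))
    if not m:
        return "no recognisable image path"
    image = m.group(1).lower()
    name = image.rsplit("\\", 1)[-1]
    if name in KNOWN_BAD_NAMES:
        return "image name %s is a known malware drop" % name
    if any(marker in image for marker in USER_WRITABLE):
        return "runs from a user-writable location"
    if not image.startswith(TRUSTED_DIRS):
        return "runs from outside the system and program directories"
    return None


def triage(text):
    """List of (value_name, expanded_command, reason) for suspicious entries."""
    findings = []
    for _key, name, _type, data in parse_reg_query(text):
        reason = judge(data)
        if reason:
            findings.append((name, expand_env(data), reason))
    return findings


if __name__ == "__main__":
    for name, command, reason in triage(SAMPLE_REG_QUERY):
        print("%-18s %s\n    %s" % (name, reason, command))
```

Note that the Glieder entry points into %SystemRoot%\system32, a trusted directory, so a location rule alone would miss it; the name list catches it, and the location rule catches the second, unknown entry running out of the user's Temp folder.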
5.4. Winevar: This is a file 90 KB in size. When executed it copies itself under a file name of the form WINxxxx. Winevar also creates its own directory. These worms scan the contents of the hard disk; after the scan they locate files of the same name and immediately remove all the files in that folder. Viruses such as Fizzer, Bugbear and Klez try to stop the anti-virus software present in the system.

Anti-virus software is created to scan for viruses on the system and remove them, and when a new virus is found on the internet the vendor ships an update so that the new virus can be removed as well. But if a virus removes the anti-virus software, there is no protection left for the system, so anti-virus companies have to build software that protects itself from these viruses. Virus writers in turn have problems hiding their viruses from anti-virus software and use different techniques to solve that problem, so anti-virus products constantly face difficulty detecting and removing viruses on the PC. Nowadays anti-virus companies push updates and patches as quickly as possible, both to protect their customers' systems and to protect their names in the market. Many virus writers do not reveal details such as the type of virus. At present no product on the market gives a 100 percent assurance; it is not possible to detect and delete a virus as soon as it is created [T. M. Chen, 2003].
A recently published virus, written by a hacker for the Monad command shell, is described as the first of the viruses written for the upgraded version of the Windows OS. It was published by the underground hacking group named Ready Ranger Liberation Front, whose member Second Part To Hell is the author of the earlier Austrian virus material. Monad, published by Microsoft, is a text-mode command interface meant to make administration more powerful than the mouse-driven GUI navigation the Windows operating systems are based on. Mikko Hypponen, Director of Research at F-Secure, confirmed the report. Danom, the name F-Secure gave to the virus family, is Monad spelled backwards. According to Hypponen the Danom viruses are a proof of concept and do no harm to Microsoft users of that operating system, although he said that the new hackers developing viruses for the different platforms had not been expected to turn to a Microsoft operating system this fast. Publication of Danom raised the question whether Monad should be allowed into Microsoft Windows Vista at all, since Monad will only be used by experienced users; Hypponen argued against shipping it in the standard default package of a Microsoft operating system. Microsoft had been burned by similar software before: virus writers exploited Microsoft Windows Script, which shipped in Windows 2000, he said.
7. Some new malware attacks exploiting Windows:

Security vendors found that two new pieces of malware appeared within a short time, each able to infect a system and then other files on it. Stuxnet was the more crucial one because of the targets it was built for: SCADA, the supervisory control and data acquisition systems from Siemens. The less crucial one, discovered later than Stuxnet, was described in a blog post by ESET's Pierre-Marc Bureau. It installs a keystroke logger, which is used to steal passwords or any other data typed into the infected system. The server that supplies the components for the attack is located in the USA, but its IP address is registered to a customer in China, according to Bureau. Each attack puts pressure on Microsoft to patch the weak part of the software. The next regular patch release was due on August 10, but if enough customers were hit by this malware the company would be forced to issue an emergency patch [Robert MacMillan, 2010]. Microsoft is working on the issue so as to release the fix. According to Randy Abrams, Stuxnet represents a very small share of the malware seen on the internet, about 0.01%, but this can change as the technique becomes a common option for attackers; hundreds or thousands of malware samples linked to the vulnerability are expected.
8. Computer Worms:

Worms are malicious programs specially designed to spread themselves; together with viruses and Trojans they make up malicious software. People frequently install worms accidentally by opening a message or an attachment, which then sends e-mail containing additional copies of the worm. Worms can easily penetrate network security, and a proper anti-virus product will try to stop the infection. Robert Tappan Morris released the Internet worm in 1988. Worms usually penetrate through e-mail and spread across the internet very quickly. In 1999 the worm named Melissa was discovered, which spread by e-mail. This worm has the features of a Trojan and spreads by means of the internet or e-mail [Denning, P., 1989].

8.1. Examples of Worms:

Keep the operating system and the software you use up to date (use Windows Update to update all Microsoft products automatically). Use anti-virus and anti-spyware software, such as Microsoft Security Essentials, a free download from Microsoft. Be careful with files attached to e-mail and with links to websites. Use a standard user account instead of an administrator account.
9. Practical Implementation

9.1. Trojan.Gozi:

Name: Trojan.Gozi
Threat level: High
Type: TT_Trojan
Alias: Gozi Trojan
Identified:

Gozi is a well-known Trojan that had been spreading before 17 April 2007 [Brian Prince, 2007]. It affected around 5,200 hosts and ten thousand accounts; the value of the stolen data is around $2 million [John Bambenek, 2007], and 3.3 GB of data was stolen [Don Jackson, 2007]. Gozi has a Russian heritage, which is helpful for cybercriminals. The previous version of Gozi dates from 2007; the latest version has the features listed below [Andreas Baumhof, 2010]. Systems affected by this Trojan are Windows 95, 98, NT, Me, 2000, Vista and Windows 7.

Features of Gozi [Andreas Baumhof, 2010]:
The new variant of this Trojan steals Secure Sockets Layer (SSL) data. It has advanced Winsock2 functionality, which is used to steal the SSL data. The Trojan code is modularized. It can spread through Internet Explorer. It has its own server to extract and store the sensitive data, and a customer interface through which the stolen data can be bought online; the value of the data is around US$2 million. Gozi installs itself on the system and hides, after which it starts its tasks, such as stealing personal and sensitive data.

As seen earlier, most Gozi samples are transferred through malicious PDF files. The PDF with MD5 b72163b1d5fbc0f2e88e984bf0ac601e exploits a buffer overflow in Adobe Acrobat Reader (CVE-2007-5659). The aim of this PDF is to download the actual Gozi executable, known as update.exe, with MD5 cd4d37ea17007cbdfa0d9cc96b5fc1dc. This type of distribution accounts for around 65%.

Justexploit kit: The Justexploit kit accounts for 27%. A common feature of exploit kits is that they are used for geographic distribution; these are mostly installed in the US and UK, so that only the targeted people are infected.

STEP 1: Identification
A file named xx_ymvb is stored in C:\Documents and Settings\<username>, the directory pointed to by the %USERPROFILE% variable [Don Jackson, 2007]. At the time of scanning, more than 30 well-known anti-virus products did not identify which malware this was; some of those using heuristics identified it as a generic threat or a suspicious file [Don Jackson, 2007].
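Step 1 of the Gozi investigation comes down to two host checks: files under %USERPROFILE% with the xx_ drop names, and hashes against the two MD5 indicators given above. The following Python is an added example (not code from the paper or from the cited investigators); the profile directory and its files are constructed in a temporary directory, and the xx_* name pattern is the author's generalisation of the xx_ymvb and xx_tempopt.bin names in the text.

```python
"""Host triage for Gozi's drop artefacts: files under %USERPROFILE% whose names
follow the xx_<random> pattern, plus an MD5 match against the indicators the
text above lists.

Added example, not code from the paper. The profile directory and its files
are constructed in a temporary directory; the IOC table holds the two MD5s the
text gives, and the name pattern is the author's generalisation of the
xx_ymvb / xx_tempopt.bin names described above.
"""
import hashlib
import os
import re
import tempfile

# MD5 indicators quoted in the text above.
IOC_MD5 = {
    "b72163b1d5fbc0f2e88e984bf0ac601e": "malicious PDF dropper (CVE-2007-5659)",
    "cd4d37ea17007cbdfa0d9cc96b5fc1dc": "Gozi update.exe",
}
# Drop-file naming pattern (assumption generalised from xx_ymvb and xx_tempopt.bin).
DROP_NAME = re.compile(r"^xx_[a-z0-9]+(\.bin)?$")
EXECUTABLE_EXTS = (".exe", ".dll", ".scr")


def md5_file(path):
    """Hex MD5 of a file, read in chunks so large files do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_profile(profile_dir, ioc=IOC_MD5):
    """Sorted list of (file_name, reason) for suspicious files in the profile root."""
    findings = []
    for name in sorted(os.listdir(profile_dir)):
        path = os.path.join(profile_dir, name)
        if not os.path.isfile(path):
            continue
        digest = md5_file(path)
        if digest in ioc:
            findings.append((name, "MD5 matches IOC: " + ioc[digest]))
        elif DROP_NAME.match(name):
            findings.append((name, "name matches Gozi drop pattern xx_*"))
        elif name.lower().endswith(EXECUTABLE_EXTS):
            findings.append((name, "executable in the profile root"))
    return findings


def build_sample_profile():
    """Constructed %USERPROFILE% with a drop file, an innocent file and a stray executable."""
    root = tempfile.mkdtemp(prefix="profile_")
    files = {
        "xx_ymvb": os.urandom(3799),            # size mirrors the 3,799-byte value in the text
        "desktop.ini": b"[.ShellClassInfo]\r\n",
        "update.exe": b"MZ" + b"\x00" * 64,      # constructed stand-in, not the real sample
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


def demo():
    """Run the triage twice: with the text's IOCs, then with the constructed
    update.exe's own hash added, to show what a hash hit looks like."""
    root = build_sample_profile()
    baseline = triage_profile(root)
    extended = dict(IOC_MD5)
    extended[md5_file(os.path.join(root, "update.exe"))] = "constructed update.exe stand-in"
    return baseline, triage_profile(root, extended)


if __name__ == "__main__":
    for label, findings in zip(("paper IOCs", "extended IOCs"), demo()):
        print(label)
        for name, reason in findings:
            print("   %-14s %s" % (name, reason))
```

The hash match is the strong indicator and the name pattern the weak one: the text says more than 30 scanners missed the sample by signature, so the responder's own name and location rules are what surface it.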
Gozi Installation:

Most Gozi infections arrive as drive-by infections. During a forensic examination of a PC infected by this Trojan, data recovered from the deleted Internet Explorer cache showed that the user had visited the website alchemylab.com; the code served from that site is described in Step 2 [Don Jackson, 2007].

STEP 2:
JavaScript code using ActiveX Data Objects (ADODB) and XMLHTTP functions, which downloads and runs the .EXE file, is presented in the last frame of the web page; both are hosted on the same server [Jamie Crapanzano, 2003].

For the purpose of analysing the behaviour of the sample, a duplicate of the executable was taken and run in a VMware virtual machine running Windows XP. Files, system hardware, system software and disks were monitored by tools from Microsoft, and Ethereal, now known as Wireshark, captured the packets on the virtual machine's network interface. The exploit drops the malware into a temporary directory, from where it is executed, soon after the sandbox is set up. Once its DLLs have loaded, the file copies itself from the source directory to its destination directory under one of several randomly picked names. A registry entry refers to the file created in that directory, tracks changes made to it, and makes it run as soon as the system starts [B. Schneier, 1999].

The key values all have the same content: the value assigned to the key yy_name is some x, and the value of another key, say yy_address, is the same as that of yy_name. The same holds for the other keys; the only thing that varies is the size, which is large because of the compressed text inside. Windows tools were used to store the data in files and in the registry entries in that folder. Regedit does not disclose these entries, and no profile is displayed on the internet either; no tools for monitoring deleted files in that folder were found. The malware keeps its data well hidden from leaking out, which many take to mean that a rootkit supports such functionality. The file and the registry entries become visible through the Run entries when the system is restarted in safe mode, which prevents the executable from loading. The server on which the file was hosted was contacted over HTTP on port 80/tcp; the connection to that port started and completed successfully, and Wireshark, as discussed above, captured the traffic [Don Jackson, 2007].
STEP3:
Sending a CGI program to the server will be the initial step.
Data format used in sending the request is the MIME. This also includes the header with the content of its type as binary which is totally a different concept. This was again according to the statistical analysis proved as the
duplicate copy from the area of Microsoft company where the storage of data or information is done.
rm
In fo
STEP4:
Hyper text transfer protocols request is to get the file of . cgi format onto the same server which will be the second step.
at io
Figure 9. 1. 8 certs data posted. cgi
certificates issued to the clients and the information which has been the
nl
Viruses in Vista
A value for some x key might suit the value that has been generated for some other y key; at the same time the value for some z key might match the value of another key that has been generated statically. This is all
The data or information delivered from the server is binary data; soon after the response is received as OK, the data looks similar to that in the key that is in the registry file.
A file within the %USERPROFILE% directory, named xx_tempopt.bin, is filled with the data or information. The data will be saved in the key by overwriting the existing old registry entry. In such situations the memory occupied by that registry entry will be more than what the file previously occupied, i.e. 3799 bytes of memory allocation is done.
There was also a proved statement that, due to the data or information which is posted in all the forms through the hypertext transfer protocol, the duplicate content sent through the hypertext transfer protocol will be located at any particular place through the hypertext transfer protocol. This is proved after the packets were found and examined. One of the things which can easily be caught with Wireshark is that the addresses of the email ids used by the malware can easily be seen. [Jamie Crapanzano, 2003]
The tools of that malware seek to maintain their combination of finding the secret codes, such as finding out the PINs of various users, and sending the data from the source point to the destination point after the request has been made. Throughout the process there has been a circular approach to following that process. The virtual machine starts restarting after some time. Restarting can even be a chance of causing them the loss of data, since if the system gets restarted during the execution of the file, the data can become known to many of the users. [Don Jackson, 2007]
Figure 9.1.12: SSL/TLS Stolen Data
the secret codes i.e. the PIN code of the ATM card, where the SSN and the
automatically change its nature with the requests it receives to the server
files which can even mangle the header. Any kind of compressions to be
such cases Upack comes into the picture, i.e. Upack looks after the files in the registry directory during the time of uncompressing. Execution of the Upack code is done only when the PE headers are available in the directory where the execution process happens. Malware execution from the virtual machine should be interrupted and debugged on the hardware. This process is preferably done in OllyDbg, in order to use the plug-in which is very useful. This was written by Joe Stewart, who works as a Senior Security Researcher for SecureWorks. As discussed in the above paragraph regarding OllyDbg, there was a test which was performed using a system with its specifications as listed: Windows XP Professional SP2, 750 MHz Pentium III microprocessor with a RAM size of 512 MB. The OllyBonE plug-in and the malware software were used on the PC as per the directions given by Joe. The issue was raised soon after the execution was done using the malware installed into the system with OllyDbg. [Jamie Crapanzano, 2003]
Execution keeps in the tilt stage after the execution is done, with the result an ntdll.dll code error, and by neglecting that. Executable files, in order to work, must see that Upack returns the header to any point for the size to
The program keeps running till the execution part is done once it is set. The code of the program in the PE header looks after the execution by continuously running Ctrl+F9. Going with the exception of removing the break on
through the context menu and turning back to the memory map, which directs you to the destination source, can make the debugging possible in that memory location.
come up with the menu and reach the breakpoint. [Don Jackson, 2007]
For the execution part to complete successfully, the thing we have to check is to make use of the controls as follows. For setting a breakpoint we have to make use of the F2 key, and to run the program till the breakpoint occurs make
achieve the execution part of the code to complete successfully. To run the program till the function returns we need to press Ctrl+F9; soon after, for a single step, we need to press F7 for the RETN instruction. This itself
executable file we make the virtual machine link with the utilities of PE_Stub. Testing the import table can be done, except for the issue that the unpacked file cannot be executed, so there is no chance for the debugger to come into action. [B.
STEP 6:
A single move down here could simply reach the OEP. OEP stands for Original Entry Point. However, the code belonging to this has never been in a compressed state which retains the general memory map which is usable, that is through the main function of the malware. So presently all the malware's secrets got revealed. However, no further tricks used for anti-analysis can show the result.
The Trojan makes virtual memory simpler in such a way as to pierce the code through the processes which are running. Therefore this relative phenomenon, which is utilized for making the registry keys and files useful for surviving a reboot, is known to be rootkit-like. The particular code is necessary to access the Protected Storage of Windows and for exporting the certificate stores which are available in the PFX format. In fact this is the data which is sent to the server with respect to the certs.cgi program. So usually, on the way down this relative code, a person can notice the networking DLL functions which are required for building and sending the actual request which in fact implements the POST. [Carnegie Mellon University (1999)]
While going through the code, we are made able to check which was
Windows functions which are necessary for performing the common tasks which usually need to be completed are much more of a helping hand. The one
With peculiar interest the relative code processes the OPTIONS data. And this data, any of which is brought together as code or else drawn from its mother ship, is usually encrypted very weakly. Once we are able to locate the decryption loop then we can grab the way the OPTIONS are crafted. This helps us in concluding from evidence the remaining capabilities related to the malware residing inside the code which might ever been
STEP 7:
On further examination of the OPTIONS data which is decrypted inside the memory of the batch, we are able to find that it consists of:
- The URLs and IP address that are required for the upload of the stolen data
- The identifiers which are needed for marking some specific characteristics of HTML forms from the remaining kinds of web pages
- A specific IP address which is required for the registration of options given for downloading and the infection
- Detailed options which let us know the formatting of the stolen data [D. Wagner, 1996]
As an add-on for the original Trojan, two different variants related to the client-side executable are available. Later these do not seem to be useful for further attacks. It denotes something similar to the area of presentation set for the later release for bringing ahead the anti-virus detection lead times.
Since no peculiar IP address is denoted inside the HTTP requests, the stolen data is transformed into flat files which are indexed based upon the infection ID, i.e. sent via the user id parameter. Several infection IDs via the same IP address could indicate:
- The IP address is in fact a NAT address (hosts lie on a corporate network or in the same home)
- The machine was infected, then cleaned, and again re-infected, or the IP address was assigned to serve a separate machine, i.e. via DHCP, which is also infected
- A collision took place in the generated ID, i.e. two separate hosts carry the same ID number independently [Carnegie Mellon University, 1999]
For the purpose of the test run there will be a Trojan parameter which can be added, and a version_id which will be helpful for the purpose of the wild production execution. This similar variant of Gozi will be utilized for both. The ID, IP, version of the Trojan or the URLs will be affected by the server interface ("signin.hackmebank.com") or by the post data ("password=").
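As an added defender-side illustration (not code from the paper or from the SecureWorks analysis it draws on), the following Python script groups uploads to the Trojan's CGI paths by source address and applies the explanations listed above for several infection IDs behind one address, plus the reverse case of one ID seen from several addresses. The log format, the hostname, the `forms.cgi` path, the `user_id`/`version_id` spellings and every value are constructed assumptions; only `certs.cgi` comes from the text.

```python
"""Gozi-style upload triage on constructed proxy logs (added example).

The text says stolen data is indexed by an infection ID sent as a request
parameter, and that several IDs behind one IP can mean a NAT address, a
cleaned-and-reinfected host or DHCP reassignment, or an ID collision.
Log format, hostnames, IDs and the parameter names are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: "<src_ip> <method> <url>" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 POST http://c2.example.invalid/forms.cgi?user_id=1A2B3C&version_id=2
10.0.0.5 POST http://c2.example.invalid/certs.cgi?user_id=1A2B3C
10.0.0.9 POST http://c2.example.invalid/forms.cgi?user_id=77FFAA&version_id=2
10.0.0.9 POST http://c2.example.invalid/forms.cgi?user_id=9C9C9C&version_id=2
10.0.0.9 POST http://c2.example.invalid/forms.cgi?user_id=1A2B3C&version_id=2
10.0.0.12 GET http://www.example.invalid/index.html
"""

# certs.cgi is named in the text; forms.cgi is an assumed upload path.
UPLOAD_PATHS = ("/forms.cgi", "/certs.cgi")
LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def parse_uploads(log_text):
    """Return (src_ip, path, infection_id, version_id) for POSTs to upload paths."""
    uploads = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("method") != "POST":
            continue
        url = urlsplit(m.group("url"))
        if url.path not in UPLOAD_PATHS:
            continue
        query = parse_qs(url.query)
        uploads.append((m.group("ip"), url.path,
                        query.get("user_id", [None])[0],
                        query.get("version_id", [None])[0]))
    return uploads


def ids_per_ip(uploads):
    """Map each source address to the set of infection IDs reported from it."""
    seen = defaultdict(set)
    for ip, _path, infection_id, _version in uploads:
        if infection_id:
            seen[ip].add(infection_id)
    return dict(seen)


def ips_per_id(uploads):
    """Map each infection ID to the set of source addresses it was seen from."""
    seen = defaultdict(set)
    for ip, _path, infection_id, _version in uploads:
        if infection_id:
            seen[infection_id].add(ip)
    return dict(seen)


def explain_ip(ids):
    """Apply the text's three explanations for several IDs behind one address."""
    if len(ids) <= 1:
        return "single infection"
    return ("several infection IDs from one address: NAT shared by hosts, "
            "a host cleaned and re-infected with a new ID, or an ID collision")


def explain_id(ips):
    """One ID reported from several addresses suggests DHCP reassignment or a collision."""
    if len(ips) <= 1:
        return "single host"
    return "one infection ID from several addresses: DHCP reassignment or ID collision"


if __name__ == "__main__":
    uploads = parse_uploads(SAMPLE_LOG)
    for ip, ids in sorted(ids_per_ip(uploads).items()):
        print(ip, sorted(ids), "->", explain_ip(ids))
    for infection_id, ips in sorted(ips_per_id(uploads).items()):
        print(infection_id, sorted(ips), "->", explain_id(ips))
```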
The front end, which consists of the graphics, can be sinkable and there is a need to perform this installation. "76service" is a default logo which will be allotted for a group or an individual.
The delivery option will be selected by the client, who will be allowed by the features of the frontend. There will be one option called compressed document. Here the file name cannot be found but the file folder can be located. Of these two things only one will be found. The compressed file will contain 3.3 GB of data, which is stolen personal files from clients on more than 5200 systems. Here the client would be paid with bogus funds and the value is set as 1. [Don Jackson, 2007]
Figure 9.1.20: Default values on the server
STEP 8:
Managing low prices and customer logins on the server, which can handle a database on a centralized server with customized features. The reason for providing these many features is to outskill the countermeasures developed.
For example, Gozi is posturing like computer criminal data in the UK; Jackson posted many posts in forums and Internet relay channels because there is more phishing and stolen data commonly available.
There he got instructions on how to join a particular IRC channel on a particular day. There were no other persons except him and me on that particular channel. He dealt with Jackson under a fake name to contact him, and he said that he would give a kit named Snatch. The price of the kit is $2000 for new people, and he would give it for $1000 to the persons he knew. But he provided only a preview account. The customers who do not know the Russian language are advised to translate and follow the site using AltaVista's Babelfish, free of cost.
stolen data is key points to an increasing trend for malicious softwares in the
They are posing as though they are adding new features to the kit. The previous version uses manager.cgi for access, whereas the latest version uses serv.cgi.
The 76SERVICE trail server was located at an ISP in Atlanta, Georgia at one time; later the server moved to the Midwest of America (Oklahoma, Texas), whereas the server's Internet Protocol address is allocated to a Tampa company. They always keep on moving.
Detection of Gozi:
We can identify the presence of Trojan.Gozi by checking for the registry values shown in the figure below.
Removal of Gozi:
To remove Gozi from the system, as we know Gozi comprises DLLs, we need to remove all registry entries which are related to Gozi. The DLLs of Gozi are hidden; it is difficult to delete all the DLLs from the system directly. Firstly we need to identify the .dll files of Gozi; after that, by using utilities such as MoveFile from Sysinternals, delete all the registry entries related to Gozi. Reboot the system, and later check whether the registry entries of Gozi have all been deleted or not. Now the system is safe. [Andreas Baumhof, 2010]
9.2. Prorat 1.9:
Name: Backdoor.prorat.10b3 [Kaspersky]
Threat level: Low
Damage level: Medium
Identified: 13-06-2003
Updated: 13-02-2007
Type: Trojan horse
Alias: Prorat
Description: This Trojan helps the attacker to get full access to the victim's PC; it opens a port on the PC. It is written in Delphi and packed with UPX. [Kaoru Hayashi, 2007]
without our permission, the systems which are affected by this Trojan are Win 95, Win 98, Win NT, Win Me, Win 2000, Vista, Win 7, whereas Mac, Linux and Unix users are not affected by this Trojan. [Spyware database, 2007]
It firstly copies itself into the %Windir% or %System% folder. It has different variants with different file names, as shown below.
Figure 9.2.1
Step 2:
It creates .dll files in %System%; those are as shown below.
Figure 9.2.2
Step 3:
Figure 9.2.3 (a)
Figure 9.2.3 (b)
Step 4:
It modifies the data as shown below.
Step 5:
It opens a port on the victim's PC in the range 50000-60000, and sends the IP address and port number of the victim's PC to the ICQ user using the ICQ web pager. There is a chance that it injects a .dll file into the winlogon process as a thread; it terminates the functioning of security products. [Kaoru Hayashi, 2007]
Figure 9.2.4
Figure 9.2.5
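As an added host-triage example (not from the paper or from the Symantec write-up it cites), this Python script parses constructed `netstat -ano` and `tasklist` output, joins the two on PID, and flags TCP listeners in the 50000-60000 range that Step 5 attributes to Prorat; a hit owned by winlogon.exe is marked separately because of the DLL-injection behaviour described above. The sample output, PIDs and addresses are constructed.

```python
"""Flag TCP listeners in Prorat's reported 50000-60000 range (added example).

Parses constructed 'netstat -ano' and 'tasklist' output, joins them on PID,
and reports listeners in the range the text attributes to Prorat. A hit
owned by winlogon.exe is marked separately, since the text notes the Trojan
can inject a DLL into winlogon as a thread. All sample output is made up.
"""
import re

PRORAT_PORTS = range(50000, 60001)   # inclusive range given in the text

# Constructed 'netstat -ano' output (not from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:51100          0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.10:49152     192.168.1.20:80        ESTABLISHED     2200
  UDP    0.0.0.0:500            *:*                                    1012
"""

# Constructed 'tasklist' output; only image name and PID are used.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    848 Services                   0      5,212 K
services.exe                  1012 Services                   0      3,100 K
winlogon.exe                  1532 Console                    1      4,800 K
iexplore.exe                  2200 Console                    1     41,000 K
"""

# UDP rows have no State column, so the state group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")
TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s")


def parse_netstat(text):
    """Return one dict per connection row: proto, host, port, state, pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("local").rpartition(":")
        rows.append({"proto": m.group("proto"), "host": host, "port": int(port),
                     "state": m.group("state") or "", "pid": int(m.group("pid"))})
    return rows


def parse_tasklist(text):
    """Map PID -> image name; header and separator rows do not match the pattern."""
    images = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            images[int(m.group("pid"))] = m.group("image")
    return images


def suspicious_listeners(netstat_text, tasklist_text):
    """Return (port, pid, image, in_winlogon) for TCP listeners inside PRORAT_PORTS."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if (row["proto"] == "TCP" and row["state"] == "LISTENING"
                and row["port"] in PRORAT_PORTS):
            image = images.get(row["pid"], "<unknown>")
            hits.append((row["port"], row["pid"], image,
                         image.lower() == "winlogon.exe"))
    return hits


if __name__ == "__main__":
    for port, pid, image, in_winlogon in suspicious_listeners(NETSTAT_SAMPLE,
                                                              TASKLIST_SAMPLE):
        flag = " (listener inside winlogon: possible injected DLL)" if in_winlogon else ""
        print(f"TCP port {port} listening, PID {pid} ({image}){flag}")
```

A listener in this range is only a lead: legitimate software also uses high ports, so confirm the owning image and its loaded modules before acting.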
Step 2:
It will appear as shown in the figure below.
Figure 9.2.6
Step 3:
Click on Create, and the Create Prorat Server (342Kbayt) window appears as shown below.
Figure 9.2.7
Step 4:
Click on the Notifications tab and then give the IP address and the e-mail to
Figure 9.2.8
Step 5:
Go to General Settings and tick the options according to the user's requirement.
Figure 9.2.9
Step 6:
Click on the Bind with File tab, tick Bind with server file and select what file we want to bind; after that a dialogue box shows that Server bind with
Figure 9.2.10 (a)
Figure 9.2.10 (b)
Figure 9.2.10 (c)
Step 7:
Click on the Server Extensions tab; we can give any extension as per our requirement. Here I am clicking on .SCR, as shown in figure 9.2.11.
Figure 9.2.11
Step 8:
Now click on Server Icon, choose any one icon and then click on Create Server; after that a dialogue box appears on the screen showing "The Blinded server has been created with your settings in the current" as in figure 9.2.12 (c).
Figure 9.2.12 (a)
Figure 9.2.12 (b)
Figure 9.2.12 (c)
Step 9:
Now we can see the binded server is created. Create a new zip file, rename the binded server with any name you wish, and send it into a zip file as
Figure 9.2.13 (a)
Figure 9.2.13 (b)
Step 10:
Send the zip file to the victim.
Figure 9.2.14
Step 11:
Now give the IP address of the victim and connect, as shown in the figure below.
Figure 9.2.15
Step 12:
Now we can access the victim's PC and we can see all the information opened; we can turn it off, restart it, look at all the files on the hard disk and the services, chat with the victim, find the passwords, etc., as shown in the figures below.
Figure 9.2.16 (a)
Figure 9.2.16 (b)
Figure 9.2.16 (c)
Figure 9.2.16 (d)
Figure 9.2.16 (e)
Step 1:
Stop the processes which are shown below.
Step 2:
Figure 9.2.17
Figure 9.2.18
Step 3:
Locate and delete all the files shown below.
We can use anti-virus tools as well, and there is a tool called Anti-Prorat available; we can use this tool also.
Figure 9.2.19
Gozi is a Trojan horse; it steals the SSL data from the infected PCs and maintains a central server for the database. The attackers take membership of Gozi, extract whatever data they want, and hack the accounts of the victims. Gozi affected around 5200 systems and more than ten thousand accounts, and the black market value of the data is around $2 million. The best way to remove Trojan.Gozi is first to remove the .dll files and then to delete all the Gozi registry entries.
Prorat belongs to the Trojan family. It is a remote administration tool which is used by attackers without our permission; the systems which are affected by this Trojan are Win 95, Win 98, Win NT, Win Me, Win 2000, Vista, Win 7, whereas Mac, Linux and Unix users are not affected by this Trojan. By using this the attacker can take all of the user's passwords, personal data, etc.; he can even crash the entire system. [Spyware database, 2007]. We can remove Prorat by using the best antivirus software.
It is very difficult to identify malicious software. Malicious software is always illegal, fraudulent or unwanted software; it is not possible for the user to determine whether the malicious software is necessary or not.
identify from malicious softwares. We can examine the software in the following ways: by the source of the program, the background of the software, the behaviour of the software, and the software's impact on the system, such as performance, security as well as privacy.
Trojans and much malicious software. Coming to the practical part I worked
3. Unreliable behaviour: Here the unwanted software will stop the user from removing the programs.
There are many types of malicious software which create trouble for the user of the system, such as:
Worms: These worms attack the networking connections, but they will not
networking connection to enter into the network and after that they will create heavy damage.
Trojan: A Trojan is a virus which is implanted in authentic software and enters the computer. There are so many types of Trojans present on the internet, but the functionality of each Trojan is different. A Trojan virus will look like genuine software to the user, but it will create a dangerous threat to the system [Joseph Lo aka Jolo, 2006]. The Trojan virus uses the existing viruses in the system and creates more damage by using them.
Dialer: A dialer is malicious software which installs itself into the dialer settings of the system without the knowledge of the client and dials numbers without the knowledge of the client.
Backdoor: This will gain access to the entire system of the user and then create heavy damage to the computer.
To protect the system or computer from malicious software it is preferable to install a malicious software removal tool.
Findings:
In this module I found many things such as:
- Types of malicious programs.
- Types of viruses and worms.
- Methods of attacks.
- About anti-virus.
- Features of Vista.
RECOMMENDATIONS:
Step 1: Network, software applications and the operating system should be kept up to date.
The network software, web servers, internet browsers and the operating systems must be updated to protect from malicious hackers. Hackers try to find out the problems in software products, and when they find a mistake in the software they immediately prepare a program to create problems in the software, and they will attack the systems on the internet.
When the software vendors find a fault in the software they will immediately rectify it, but then the fixed version of the software should be downloaded and installed on the computer. In the meantime hackers will try to affect systems worldwide. So, immediate updating of the software and antivirus should be performed.
Some famous companies like Microsoft and Apple provide automatic update checks when you turn on the system, but some software vendors do not provide such options. So it is better to check the website of the software periodically for updates. Immediate updates of the software are recommended to protect our system.
Step 2: It is compulsory to install antivirus software. Viruses and worms can be detected by using some excellent antivirus software. This antivirus software uses a technique called heuristics, which has the ability to detect suspicious viruses.
Step 3: The antivirus should be running. In this antivirus software we can implement two types of methods. In the first method we can keep the antivirus in real-time mode. In real-time mode, when the system starts, the antivirus will start scanning all the files in the system and protect against viruses. It is better to go for a real-time scanner, as when we are in workstation mode the virus scan of the system files and folders proceeds without interrupting our work. And periodically it is better to run a batch scan once a week.
It is better to go for genuine antivirus software than pirated antivirus software. When you subscribe to an antivirus, the vendors of the antivirus software will provide virus information updates and new virus alerts. If the antivirus subscription is outdated there will automatically be a risk from viruses. So keeping the antivirus updated will protect the system from viruses.
Step 5: Be aware of phishing. Phishing is the process of theft of data belonging to users who surf, using techniques of social engineering. This is generally performed through entities which are most trusted. Most often it is done through e-mail. It points the end user to websites which seem to be a replica of trusted entities. So, do not provide personal information to any of the fake sites or mails. Good reputed companies will verify your information via phone.
Step 6: Data sharing and accessing untrusted websites must be avoided. USB sticks, CDs, DVDs, emails and net surfing will increase the risk of infection of the system.
Never open or click on links from unknown emails, avoid visiting untrusted websites and try to avoid files from unpopular or untrustworthy websites. These unwanted websites will try to infect the system and try to rob personal information from the system user.
Future Implementation:
many malwares are also there; still new malware is created day by day, but there is no ideal anti-virus scanner available, which means that if a new malware is created at this time it takes time to analyse it, to detect it and to work out the procedures to remove the malicious program. Gozi is stealing the SSL data of thousands of accounts, so the banks should provide high standards of security, and operating systems should be designed in such a way that they highly restrict malicious programs.
Conclusion:
In this paper we discussed Trojan.Gozi and Backdoor.Trojan, how they infect systems and how to remove them from infected systems, and also how to improve the consistency of the anti-viruses and how to avoid or protect the system from new or existing viruses. The antivirus protects the system from viruses, but the new viruses which are created are defeating the antivirus software. The developers of the malware are trying to implement new methods of coding to escape from the powerful anti-virus software. Because of this the new malicious programs have the capacity to disable the antivirus software and other types of security software.
The rise of this type of malicious software will be able to show us how well the antivirus software is working. To prevent infections and to get rid of worms some of these methods should be implemented: using a firewall on the system, updating the operating system (Vista OS) and the software you use, using antivirus and anti-spyware software such as Microsoft Security Essentials, which is a free download from Microsoft, and using a standard user account instead of an administrator account.
Windows systems; this is the case where people who use other operating systems (OS) believe they were not at risk, though this is not the case. Malicious programs are also targeting other operating systems such as Apple and Linux operating systems.
Here it is strongly suggested to install an anti-virus scanner. Maybe not all antivirus scanners will be recognised by Windows Vista, even if these virus scanners are completely fine and properly functional. If your anti-virus is recognised, the Malware Protection line will automatically turn green. Most anti-virus programs require a reboot after installation. But the actual fact is that if you are one of the million users of the internet we should be careful about the
there is no antivirus software which can protect our worldwide internet immediately when a worm or virus is created.
References:
[T. M. Chen, 2003] [Trends in Viruses and Worms. By T. M. Chen, 6[3],
[Dr. Chris Imafidon] [Analysis of two recent worms, Date published: 20-08-2006] Date accessed: 20-07-2010
[J. Munro, 2002] [J. Munro. Antivirus research and detection techniques, Date Published: 01-07-2002, http://www.extremetech.com/article2/0%2C1558%2C325439%2C00.asp] Date accessed: 30-07-2010
[DaBoss, 2009] [DaBoss. Number of viruses. Published: 03-05-2009, http://www.cknow.com/vtutor/NumberofViruses.html] Date accessed: 30-07-2010
[Nachenberg, C., 1997] [Nachenberg. Computer virus-antivirus coevolution.]
[G. B. Sorkin, 1997] [G. B. Sorkin, D. M. Chess, and S. R. White. Fighting computer viruses. Scientific American, Published: 1997] Date accessed: 09-08-2010
[Richard Barnhart, 1996] [Richard Barnhart. Notes on computer viruses. Last updated 23-09-96, http://courses.cs.vt.edu/professionalism/Viruses/viruses.html] Date accessed: 09-08-10
[C.
[Understanding and managing http://www.viruslist.com/en/viruses/encyclopedia?chapter=153311150] Date accessed: 09-08-10
[P. Szor] [The Art of Computer Virus Research and Defense] Date accessed: 09-08-10
[com/connect/articles/social-engineering-fundamentals-part-i-hackertactics] Date accessed: 14-08-10
Cert incident note, Date published: Feb 99.
[Erik Larkin, 2009] [Spotting a PC Infection, Erik Larkin, PC World, Date Published: 02-02-2009] Date accessed: 16-08-10
[Roger Grimes, 2007] [Malware Troubles? Start from Square One, Roger Grimes, PC World, 20-02-2009] Date accessed: 16-08-10
[Ryan Naraine, 2006] [Ryan Naraine. Security, Date published: 20-10-2006, http://www.eweek.com/article2/0,1895,2034680,00.asp] Date accessed: 20-08-10
[Dshield, 2003] [Dshield. The beast. Date published: Fri, 17 Oct 2003, http://lists.virus.org/dshield-0310/msg00337.html] Date accessed: 22-08-10
[Win32.Glieder.AF, Date Published: 21 Apr 2005, Last Updated: 31 May 2005, http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=42627] Date accessed: 22-08-2010
[Don Jackson, 2007] [Gozi Trojan, Don Jackson, Date published: March 2007, http://www.secureworks.com/research/threats/gozi/] Date accessed: 28-08-2010
[E.
[By Robert McMillan, 2005] [Viruses take advantage of new command shell in beta OS, By Robert McMillan, IDGNS. Date published: 04-08-2005] Date accessed: 28-08-10
[Robert Macmilan, 2010] [New malware variants exploit Windows attack, By Robert Macmilan. Date published: 23-07-2010, http://www.infoworld.com/d/security-central/new-malware-variants-exploit-windows-attack424] Date accessed: 22-08-10
[Bob Page, 1988] [A Report on the Internet Worm by Bob Page, November 7, 1988] Date accessed: 24-08-10
[Andreas Baumhof, 2010] [Gozi, Andreas Baumhof, Date published: 28-02-2010, http://www.trustdefender.com/blog/2010/02/28/gozi-a-perfect-example-of-an-older-trojan-re-inventing-itself/] Date accessed: 28-08-10
[P. Denning, 1989] [P. Denning, The Internet Worm, Vol. 77, Mar-89] Date accessed: 22-08-10
[Cert incident, 2002] [Love Letter Worm, http://www.cert.org/advisories/ca2000-04.html]
[John, 2009] [Markoff, John [2009-01-22]. "Worm Infects Millions of Computers Worldwide". New York Times. http://nytimes.com/2009/01/23/technology/internet/23worm.html. Retrieved 2009-04-23]
[R.
[Ryan Naraine, 2006] [What Is the Difference: Viruses, Worms, Trojans, and Bots? - Cisco Systems]
[Carnegie Mellon University, 1999] ["CERT Advisory CA-1999-02 Trojan Horses", Retrieved on 2009-06-10]
[Gizmo Richards, 2008] [Do you really need a spyware scanner? [Editorial] 2009-06-11]
[By Mary Landesman] [Best Free Trojan Scanner/Trojan Remover, torresmagnifico, TechSupportAlert, July 2, 2010 -- Emsisoft Anti-Malware, PC Tools ThreatFire, Malwarebytes' Anti-Malware, and SUPERAntiSpyware]
[Spyware database, 2007] [Spyware database, uninstall prorat database, http://www.uninstall-spyware.com/uninstallProRAT.html] Date accessed: 03-09-10
[Kaoru Hayashi, 2007] [Kaoru Hayashi, Backdoor.Prorat, Date published: 13-Feb-2007, http://www.symantec.com/security_response/writeup.jsp?docid=2003-061315-4216-99&tabid=2] Date accessed: 01-09-10
[Jamie Crapanzano, 2003] [Deconstructing SubSeven, the Trojan Horse of Choice, Date Published: 06-11-2009] Date accessed: 26-08-10
[Carnegie Mellon University, 1999] [BitDefender.com Malware and Spam Survey, Published: 1999] Date accessed: 26-08-10
[D. Wagner, 1996] [I. Goldberg, D. Proceedings of the 1996 Usenix Security Symposium. USENIX, July 22-25 1996] Date accessed: 02-09-10
[B. Schneier, 1999] [B. Schneier. The Trojan horse race, Communications of the ACM, 42, Sep 1999] Date accessed: 04-09-10