=VIRUSES, MALWARE, BAD THINGS=

=A **computer worm**= is a self-replicating [|malware] [|computer program]. It uses a [|computer network] to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a [|virus], it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming [|bandwidth], whereas viruses almost always corrupt or modify files on a targeted computer.

=A **computer virus**= is a [|computer program] that can copy itself[1] and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of [|malware], including but not limited to [|adware] and [|spyware] programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable [|code]) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a [|floppy disk], [|CD], [|DVD], or [|USB drive].[2] Viruses can increase their chances of spreading to other computers by infecting files on a [|network file system] or a file system that is accessed by another computer.

=**Malware**= (also: //scumware//), short for //malicious software//, is [|software] designed to secretly access a computer system without the owner's [|informed consent]. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.[1] The term "[|computer virus]" is sometimes used as a catch-all phrase to include all types of malware, including true viruses. Software is considered to be malware based on the perceived intent of the creator rather than any particular features. Malware includes [|computer viruses], [|worms], [|trojan horses], [|spyware], dishonest [|adware], scareware, [|crimeware], most [|rootkits], and other malicious and unwanted software. In [|law], malware is sometimes known as a computer contaminant, for instance in the legal codes of several [|U. S.] states, including [|California] and [|West Virginia].[2][3] Malware is not the same as defective software, that is, software that has a legitimate purpose but contains harmful [|bugs]. Preliminary results from [|Symantec] published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications."[4] According to [|F-Secure], "As much malware [was] produced in 2007 as in the previous 20 years altogether."[5] Malware's most common pathway from criminals to users is through the [|Internet]: primarily by e-mail and the [|World Wide Web].

=A **backdoor**= in a [|computer] system (or [|cryptosystem] or [|algorithm]) is a method of bypassing normal [|authentication], securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., [|Back Orifice]), or could be a modification to an existing program or hardware device. A backdoor in a login system might take the form of a [|hard coded] user and password combination which gives access to the system. A famous example of this sort of backdoor was as a plot device in the [|1983] film //[|WarGames]//, in which the architect of the "[|WOPR]" computer system had inserted a hardcoded password (his dead son's name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game–like simulation mode and direct interaction with the [|artificial intelligence]). An attempt to plant a backdoor in the [|Linux kernel], exposed in November [|2003], showed how subtle such a code change can be.[3] In this case, a two-line change appeared to be a typographical error, but actually gave the caller to the function [|root access] to the system.[4] Although the number of backdoors in systems using [|proprietary software] (software whose [|source code] is not publicly available) is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly installing large amounts of benign code as [|Easter eggs] in programs, although such cases may involve official forbearance, if not actual permission.

Many [|computer worms], such as [|Sobig] and [|Mydoom], install a backdoor on the affected computer (generally a [|PC] on [|broadband] running insecure versions of [|Microsoft Windows] and [|Microsoft Outlook]). Such backdoors appear to be installed so that [|spammers] can send junk [|e-mail] from the infected machines. Others, such as the [|Sony/BMG rootkit] distributed silently on millions of music CDs through late 2005, are intended as [|DRM] measures — and, in that case, as data gathering [|agents], since both surreptitious programs they installed routinely contacted central servers.

=A **zombie computer**= (often shortened as **zombie**) is a [|computer] connected to the [|Internet] that has been [|compromised] by a [|hacker], [|computer virus] or [|trojan horse]. Generally, a compromised machine is only one of many in a [|botnet], and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to [|zombies]. Zombies have been used extensively to send [|e-mail spam]; as of 2005, an estimated 50–80% of all spam worldwide was sent by zombie computers.[1] This allows [|spammers] to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth. This spam also greatly furthers the spread of Trojan horses; as Trojans, they are not self-replicating. They rely on the movement of e-mails or spam to grow, whereas worms can spread by other means.[2] For similar reasons zombies are also used to commit [|click fraud] against sites displaying [|pay per click] advertising. Others can host [|phishing] or [|money mule] recruiting websites.
Zombies can be used to conduct [|distributed denial-of-service] attacks, a term which refers to the orchestrated flooding of target websites by armies of zombie computers. The large number of simultaneous requests made to a website's server is intended to crash it and prevent legitimate users from accessing the site.[3] A variant of this type of flooding is known as distributed [|degradation-of-service]. Committed by "pulsing" zombies, distributed degradation-of-service is the moderated and periodical flooding of websites, done with the intent of slowing down rather than crashing a victim site. The effectiveness of this tactic springs from the fact that intense flooding can be quickly detected and remedied, but pulsing zombie attacks and the resulting slow-down in website access can go unnoticed for months and even years.
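An added example, not part of the original page, of how a defender can tell sustained flooding from the "pulsing" pattern described above. It buckets requests per source into 10-second windows over a constructed sample log (all addresses are documentation-range placeholders, not real hosts) and classifies a source as flooding when its burst is one contiguous run of hot windows and as pulsing when bursts recur with quiet gaps between them; the 2 requests-per-second burst threshold is an arbitrary assumption for the demo:

```python
from collections import defaultdict

# Constructed request records (timestamp in seconds, source address), the shape a
# parsed web-server access log yields. Addresses are documentation-range placeholders.
LEGIT = "198.51.100.7"
FLOODER = "203.0.113.9"
PULSER = "203.0.113.44"


def make_sample():
    recs = []
    for t in range(0, 600, 10):                 # normal client: one request every 10 s
        recs.append((t, LEGIT))
    for t in range(100, 160):                   # flooding zombie: 20 req/s for one minute
        for k in range(20):
            recs.append((t + k / 20, FLOODER))
    for start in range(0, 600, 60):             # pulsing zombie: 5 req/s for 10 s, every 60 s
        for t in range(start, start + 10):
            for k in range(5):
                recs.append((t + k / 5, PULSER))
    return recs


def counts_per_window(records, window=10):
    """Bucket requests per source into fixed-size windows; returns {src: [count, ...]}."""
    if not records:
        return {}
    n_windows = int(max(t for t, _ in records) // window) + 1
    table = defaultdict(lambda: [0] * n_windows)
    for t, src in records:
        table[src][int(t // window)] += 1
    return dict(table)


def average_rps(windows, window=10):
    """Whole-period average rate: the number a coarse monitor would look at."""
    return sum(windows) / (len(windows) * window)


def classify_source(windows, window=10, burst_rps=2.0):
    """'flood'   : one contiguous run of windows above burst_rps
       'pulsing' : several such runs separated by quiet windows
       'normal'  : never above burst_rps"""
    hot = [c / window > burst_rps for c in windows]
    if not any(hot):
        return "normal"
    runs, prev = 0, False
    for h in hot:                               # count starts of contiguous hot runs
        if h and not prev:
            runs += 1
        prev = h
    return "flood" if runs == 1 else "pulsing"


def classify_all(records, window=10, burst_rps=2.0):
    return {src: classify_source(w, window, burst_rps)
            for src, w in counts_per_window(records, window).items()}


if __name__ == "__main__":
    sample = make_sample()
    for src, verdict in classify_all(sample).items():
        avg = average_rps(counts_per_window(sample)[src])
        print(f"{src:14} {verdict:8} avg {avg:.2f} req/s")
```

The pulsing source's whole-period average stays well under the threshold, which is why a monitor that only watches aggregate rate misses it, matching the paragraph's point that pulsing can go unnoticed; per-window counting with run detection does not.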

Figure (legend only; the image is not present): how spam is sent through a botnet. (1) Spammer's web site (2) Spammer (3) Spamware (4) Infected computers (5) Virus or trojan (6) Mail servers (7) Users (8) Web traffic

=PHISHING= In the field of [|computer security], **phishing** is the [|criminally] [|fraudulent] process of attempting to acquire sensitive information such as usernames, [|passwords] and credit card details by masquerading as a trustworthy entity in an [|electronic communication]. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by [|e-mail] or [|instant messaging],[1] and it often directs users to enter details at a fake website whose [|look and feel] are almost identical to the legitimate one. Phishing is an example of [|social engineering] techniques used to fool users,[2] and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include [|legislation], user training, public awareness, and technical security measures.

=A **Botnet**= is a collection of [|software agents], or ro[|bots], that run autonomously and automatically. The term is most commonly associated with [|malicious software], but it can also refer to a network of computers using [|distributed computing] software. The main drivers for botnets are recognition and financial gain. The larger the botnet, the more ‘kudos’ the herder can claim to have among the underground community. The bot herder will also ‘rent’ the services of the botnet out to third parties, usually for sending out spam messages, or for performing a denial of service attack against a remote target. Due to the large number of compromised machines within the botnet, huge volumes of traffic (either email or denial of service) can be generated.
However, in recent times the volumes of spam originating from a single compromised host have dropped in order to thwart anti-spam detection algorithms – a larger number of compromised hosts send a smaller amount of messages in order to evade detection by [|anti-spam techniques]. Botnets have become a significant part of the [|Internet], albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently as most [|script kiddies] do not have the knowledge to take advantage of it.

=**Social engineering**= is the act of [|manipulating] people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying.[1] While similar to a [|confidence trick] or simple [|fraud], the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant [|Kevin Mitnick]. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.

=A **logic bomb**= is a piece of [|code] intentionally inserted into a [|software] system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting [|files] (such as a [|salary] [|database trigger]), should they ever be terminated from the company. Software that is inherently malicious, such as [|viruses] and [|worms], often contains logic bombs that execute a certain [|payload] at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Many viruses attack their host systems on specific dates, such as [|Friday the 13th] or [|April Fool's Day]. Trojans that activate on certain dates are often called "**time bombs**". To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.

=**Time bomb**= refers to a computer [|program] that has been written so that it will stop functioning after a predetermined date or time is reached. The term "time bomb" does not refer to a program that stops functioning a specific number of days after it is installed; instead, the term "[|trialware]" applies. Time bombs are commonly used in [|beta] (pre-release) software when the manufacturer of the software does not want the beta version being used after the final release date. One example of time bomb software would be Microsoft's [|Windows Vista Beta 2], which was programmed to expire on May 31, 2007.[1] The time limits on time bomb software are not usually as heavily enforced as they are on [|trial software], since time bomb software does not usually implement [|secure clock] functions.
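An added example (not from the page, Microsoft, or any product's code) contrasting the two kinds of expiry check the paragraph implies. `expired_by_local_clock` trusts whatever the machine clock says, so setting the date back defeats it; `expired_by_signed_time` accepts only a timestamp carrying a valid HMAC from a hypothetical time authority, which is the kind of secure-clock function the text says time-bomb software usually lacks. The expiry date is the Vista Beta 2 date quoted above; the key and the token layout (8-byte big-endian Unix time followed by a 32-byte HMAC-SHA256 tag) are constructed for the demo:

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


EXPIRY = utc(2007, 5, 31)                       # date from the page's Vista Beta 2 example
DEMO_KEY = b"constructed-demo-key-not-for-real-use"   # constructed shared secret
TOKEN_LEN = 8 + 32                              # unix time (>Q) + HMAC-SHA256 tag


def expired_by_local_clock(now):
    """Naive time bomb: whatever the local clock reports is believed."""
    return now >= EXPIRY


def issue_time_token(key, issued_at):
    """Hypothetical time authority: signs the current time so the client cannot forge it."""
    payload = struct.pack(">Q", int(issued_at.timestamp()))
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def expired_by_signed_time(key, token):
    """Secure-clock style check: only a correctly signed timestamp counts.
    Raises ValueError for malformed or forged tokens instead of guessing."""
    if len(token) != TOKEN_LEN:
        raise ValueError("malformed time token")
    payload, tag = token[:8], token[8:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("time token signature invalid")
    signed_at = datetime.fromtimestamp(struct.unpack(">Q", payload)[0], tz=timezone.utc)
    return signed_at >= EXPIRY


def rejection_reason(key, token):
    """Return the error message a bad token produces, or None if it verified."""
    try:
        expired_by_signed_time(key, token)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    rolled_back = utc(2007, 5, 1)
    print("local clock rolled back, expired?", expired_by_local_clock(rolled_back))
    real = issue_time_token(DEMO_KEY, utc(2007, 6, 1))
    print("signed time says expired?", expired_by_signed_time(DEMO_KEY, real))
    forged = issue_time_token(b"attacker-guess", rolled_back)
    print("forged token:", rejection_reason(DEMO_KEY, forged))
```

The signed check still depends on the client being unable to read the key and on the authority being reachable, so in practice it is paired with a fail-closed policy when no fresh token can be obtained; the point of the example is only that a date comparison against the local clock enforces nothing.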

=A **zero-day**= (or **zero-hour** or **day zero**) **attack** or **threat** is a computer threat that tries to exploit [|computer application] vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day [|exploits] (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability. The term derives from the age of the exploit. When a developer becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A "zero day" attack occurs on or before the first or "[|zeroth]" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software.

How a Zero Day Exploit Works:

Anti-malware companies constantly update their databases that define what software is malicious. A new piece of malware or new version of malware would not be in that database yet. It is known as 0-day because it is 0 days old. The public is vulnerable until the malware is caught and logged.

=**Spyware**= is a type of [|malware] that can be installed on [|computers] and collects little bits of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's [|personal computer]. Sometimes, however, spyware such as [|keyloggers] is installed by the owner of a shared, corporate, or [|public computer] on purpose in order to secretly monitor other users. While the term //spyware// suggests software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of [|personal information], such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting [|Web browser] activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of [|Internet] or functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term [|privacy-invasive software].

Anti-spyware programs can combat spyware in two ways:
 * They can provide real-time protection against the installation of spyware software on the computer. This type of spyware protection works the same way as that of anti-virus protection in that the anti-spyware software scans all incoming network data for spyware software and blocks any threats it comes across.
 * Anti-spyware software programs can be used solely for detection and removal of spyware software that has already been installed onto the computer. This type of spyware protection is normally much easier to use and more popular. With this spyware protection software the user can schedule weekly, daily, or monthly scans of the computer to detect and remove any spyware software that has been installed on the computer. This type of anti-spyware software scans the contents of the Windows registry, operating system files, and installed programs on the computer and will provide a list of any threats found, allowing the user to choose what to delete and what to keep.

=SNIFFER=

A **packet analyzer** (also known as a **network analyzer**, **protocol analyzer** or **sniffer**, or for particular types of [|networks], an **Ethernet sniffer** or **wireless sniffer**) is a [|computer program] or a piece of [|computer hardware] that can [|intercept] and log traffic passing over a digital [|network] or part of a network.[1] As [|data streams] flow across the network, the sniffer captures each [|packet] and, if needed, [|decodes] and analyzes its content according to the appropriate [|RFC] or other specifications.

Capabilities
On wired [|broadcast] [|LANs], depending on the network structure ([|hub] or [|switch]), one can capture traffic on all or just parts of the network from a single machine within the network; however, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g. [|ARP spoofing]). For [|network monitoring] purposes it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called //monitoring port//, whose purpose is to mirror all packets passing through all ports of the switch when systems (computers) are connected to a switch port. On [|wireless LANs], one can capture traffic on a particular channel.

On wired broadcast and wireless LANs, to capture traffic other than [|unicast] traffic sent to the machine running the sniffer software, [|multicast] traffic sent to a multicast group to which that machine is listening, and [|broadcast] traffic, the [|network adapter] being used to capture the traffic must be put into [|promiscuous mode]; some sniffers support this, others don't. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the [|service set] for which the adapter is configured will usually be ignored. To see those packets, the adapter must be in [|monitor mode].

The captured information is decoded from raw digital form into a [|human-readable] format that permits users of the protocol analyzer to easily review the exchanged information. Protocol analyzers vary in their abilities to display data in multiple views, automatically detect errors, determine the root causes of errors, generate timing diagrams, etc. Some protocol analyzers can also generate traffic and thus act as the reference device; these can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test the ability of the device under test (DUT) to deal with error conditions.
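An added example, not part of the original page, covering two things the passage describes: a dissector that decodes an Ethernet II frame and its IPv4 header (field layout and header checksum per RFC 791), and the delivery rule that decides whether a non-promiscuous adapter would even see a frame (unicast to its own address, broadcast, or a multicast group it has joined). MAC and IP addresses are constructed from documentation ranges; `build_frame` exists only to create test input and is not a packet generator from any tool:

```python
import struct

# Constructed sample values (not captured traffic).
OWN_MAC = bytes.fromhex("020000000001")          # the sniffing host's adapter (hypothetical)
PEER_MAC = bytes.fromhex("020000000002")
BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words.
    Over a header whose checksum field is already filled in, the result is 0 when valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, data):
    """Assemble an Ethernet II frame carrying a minimal IPv4 packet (test input only)."""
    total_len = 20 + len(data)
    ip4 = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ip4(src_ip), ip4(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr + data


def mac_str(mac):
    return ":".join("%02x" % b for b in mac)


def decode_frame(frame):
    """Decode Ethernet + IPv4 headers into a dict, as a sniffer's dissector would."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out                                # other protocols: Ethernet view only
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version/IHL")
    total_len = struct.unpack("!H", ip[2:4])[0]
    out.update({
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ip[8],
        "proto": ip[9],
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "payload": ip[ihl:total_len],
    })
    return out


def adapter_would_deliver(dst_mac, own_mac, joined_groups=(), promiscuous=False):
    """The filtering rule from the text: without promiscuous mode an adapter passes up only
    unicast to itself, broadcast, and multicast groups it has joined."""
    if promiscuous or dst_mac == BROADCAST_MAC:
        return True
    if dst_mac[0] & 0x01:                         # I/G bit set: group (multicast) address
        return dst_mac in joined_groups
    return dst_mac == own_mac


if __name__ == "__main__":
    frame = build_frame(PEER_MAC, OWN_MAC, "192.0.2.10", "198.51.100.20", 17, b"hello")
    print(decode_frame(frame))
    print("delivered without promiscuous mode:", adapter_would_deliver(PEER_MAC, OWN_MAC))
    print("delivered in promiscuous mode:", adapter_would_deliver(PEER_MAC, OWN_MAC, promiscuous=True))
```

A real capture adds the link-layer header the capture library reports (and, on wireless, the 802.11 and radiotap layers that monitor mode exposes), but the per-field decoding and the checksum validation are the same work.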

The versatility of packet sniffers means they can be used to:
 * Analyze network problems
 * Detect [|network intrusion] attempts
 * Detect network misuse by internal and external users
 * Document regulatory compliance by logging all perimeter and endpoint traffic
 * Gain information for effecting a network intrusion
 * Isolate exploited systems
 * Monitor WAN bandwidth utilization
 * Monitor network usage (including internal and external users and systems)
 * Monitor data-in-motion
 * Monitor WAN and endpoint security status
 * Gather and report network statistics
 * Filter suspect content from network traffic
 * Serve as primary data source for day-to-day network monitoring and management
 * Spy on other network users and collect sensitive information such as passwords (depending on any content [|encryption] methods which may be in use)
 * [|Reverse engineer] [|proprietary protocols] used over the network
 * Debug client/server communications
 * Debug network protocol implementations
 * Verify adds, moves and changes
 * Verify internal control system effectiveness (firewalls, access control, Web filter, Spam filter, proxy)


=ROOTKIT=

A **rootkit** is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term //rootkit// is a [|concatenation] of [|"root"] (the traditional name of the privileged account on [|Unix] operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.[1] Typically, an [|attacker] installs a rootkit on a computer after first obtaining root-level access, either by exploiting a known vulnerability or by obtaining a password (either by [|cracking] the encryption, or through [|social engineering]). Once a rootkit is installed, it allows an attacker to mask the ongoing intrusion and maintain privileged access to the computer by circumventing normal [|authentication] and [|authorization] mechanisms. Although rootkits can serve a variety of ends, they have gained notoriety primarily as [|malware], hiding applications that appropriate computing resources or steal passwords without the knowledge of administrators and users of affected systems. Rootkits can target [|firmware], a [|hypervisor], the [|kernel], or—most commonly—user-mode applications. Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternate, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or impossible, especially if the rootkit resides in the kernel; reinstallation of the operating system may be the only alternative.

USES

Modern rootkits do not elevate access,[2] but rather are used to make another software payload undetectable by adding stealth capabilities.[7] Most rootkits are classified as [|malware], because the payloads they are bundled with are malicious. For example, a payload might covertly steal user [|passwords], [|credit card] information, computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example, a rootkit might cloak a [|CD-ROM]-emulation driver, allowing [|video game] users to defeat [|anti-piracy] measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased. Rootkits and their payloads have many uses:
 * Provide an attacker with full access via a [|backdoor], permitting unauthorized access to, for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on [|Unix-like] systems or [|GINA] on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard [|authentication] and [|authorization] mechanisms.
 * Conceal other [|malware], notably password-stealing [|key loggers] and [|computer viruses].[15]
 * Conceal [|cheating in online games] from software like [|Warden].[16]
 * Appropriate the compromised machine as a [|zombie computer] for attacks on other computers. (The attack originates from the compromised system or network, instead of the attacker's system.) "Zombie" computers are typically members of large [|botnets] that can launch [|denial-of-service attacks] and distribute [|e-mail] [|spam].
 * Detect attacks, for example, in a [|honeypot].[17]
 * Enhance emulation software and security software.[18] [|Alcohol 120%] and [|Daemon Tools] are commercial examples of non-hostile rootkits used to defeat copy-protection mechanisms such as [|SafeDisc] and [|SecuROM]. [|Kaspersky] antivirus software also uses techniques resembling rootkits to protect itself from malicious actions. It loads its own drivers to intercept system activity, and then prevents other processes from doing harm to itself. Its processes are not hidden, but cannot be terminated by standard methods.
 * Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.[19]
 * Enforcement of DRM.
 * Bypassing [|Windows Product Activation]

TYPES

There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user-based variants that operate in [|Ring 3]. Hybrid combinations of these may occur spanning, for example, user mode and kernel mode.[21]



USER MODE ROOTKITS

User-mode rootkits run in [|Ring 3], along with other applications as user, rather than low-level system processes.[22] They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a [|dynamically-linked] library (such as a [|.DLL] file on Windows, or a .dylib file on [|Mac OS X]) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application.

"...since user mode applications all run in their own memory space, the rootkit needs to perform this patching in the memory space of every running application. In addition, the rootkit needs to monitor the system for any new applications that execute and patch those programs' memory space before they fully execute." —Windows Rootkit Overview, Symantec

Injection mechanisms include:[22]
 * Use of vendor-supplied application extensions. For example, [|Windows Explorer] has public interfaces that allow third parties to extend its functionality.
 * Interception of [|messages].
 * [|Debuggers].
 * Exploitation of [|security vulnerabilities].
 * Function [|hooking] or [|patching] of commonly used APIs, for example, to mask a running process or file that resides on a filesystem.[23]
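An added example (not from Symantec or from the page) of the difference-scanning detection method listed earlier under rootkit detection, applied to the API hooking just described. A stand-in hook wraps this process's own `os.listdir` so that names containing a constructed marker drop out of its results; because the hook covers only that one API, comparing its output with `os.scandir` on the same directory exposes the hidden entry. This is the weakness the Symantec quote points at: a user-mode hook must cover every API and every process, and any view it misses betrays it. The marker and filenames are constructed for the demo and nothing is patched outside this interpreter:

```python
import os
import tempfile

# Constructed marker: the simulated hook hides any directory entry containing it.
HIDDEN_MARKER = "_hidden_"
SAMPLE_NAMES = ("readme.txt", "notes.txt", "svc_hidden_.dll")


def install_listdir_hook():
    """Stand-in for a user-mode API hook, confined to this process: wrap os.listdir so
    marked names disappear from its output. Returns the original for restoration."""
    original = os.listdir

    def hooked_listdir(path="."):
        return [n for n in original(path) if HIDDEN_MARKER not in n]

    os.listdir = hooked_listdir
    return original


def difference_scan(path):
    """Cross-view (difference) scan: ask two different APIs for the same directory and
    report names the low-level view has that the high-level view lacks."""
    high_level = set(os.listdir(path))
    with os.scandir(path) as entries:           # separate code path, untouched by the hook
        low_level = {entry.name for entry in entries}
    return sorted(low_level - high_level)


def populate(directory):
    for name in SAMPLE_NAMES:
        with open(os.path.join(directory, name), "w"):
            pass


def scan_clean():
    """Control case: no hook installed, so both views agree and nothing is reported."""
    with tempfile.TemporaryDirectory() as d:
        populate(d)
        return difference_scan(d)


def scan_hooked():
    """Hooked case: the discrepancy between views exposes the concealed name."""
    with tempfile.TemporaryDirectory() as d:
        populate(d)
        original = install_listdir_hook()
        try:
            return difference_scan(d)
        finally:
            os.listdir = original               # always undo the in-process patch


if __name__ == "__main__":
    print("clean system, discrepancies:", scan_clean())
    print("hooked listdir, discrepancies:", scan_hooked())
```

Real difference scanners compare views that are much further apart (a high-level API listing against raw filesystem structures read from the block device, or a process list against kernel thread structures), but the principle is this one: two routes to the same truth that disagree.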

**Hacking**

|| threats || Nasty stuff that's out there ||
|| malware || general term for malicious software, includes viruses, worms, trojans--the payload. ||
|| virus || self-copying program, overwrites storage ||
|| worm || spreads across networks, automated ||
|| trojan || malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user's computer system ||
|| boot sector virus || virus that infects the master boot record ||
|| key logger || program that records keystrokes ||
|| backdoor || logon not using normal program ||
|| zombie || remote control of victim PC ||
|| botnet || zombies linked together for the same purpose ||
|| phishing || getting secure data by asking for it, usually by email ||
|| social engineering || talking people into giving away info ||
|| whaling || phishing heavy hitters (CISO) ||
|| DoS/DDoS || Denial of Service/Distributed Denial of Service, single PC flooding or botnets using zombies to flood a victim with pings ||
|| logic bomb || executes under a given condition (malware) ||
|| time bomb || triggered by date (malware) ||
|| rootkits || change system software, makes attacks invisible ||
|| assets || SW: processing resources; data: SS#s, CC#s; bandwidth ||
|| Threats2 || data theft, identity theft, vandalism, network intrusion ||
|| vulnerabilities || Open ports on a computer that could be exploited ||
|| signatures || code that AV uses to identify threats ||
|| Zero Day Exploit || A new version of a threat that has not been identified by AV or anti-malware software ||
|| Rootkit || Conceals the compromise of a system's security. ||
|| fuzzing || sending bits of data to software to make it have a bug that stops it ||
|| man-in-the-middle attack || intercepts packets that are being transmitted ||
|| privilege escalation || finding a way to increase privileges for a user ||
|| IDS || Intrusion Detection System ||
|| distributed attacks || used by organized crime for extortion, ID theft; state sponsored attacks ||
|| honey pot || dummy system used to collect information about hackers, appears as something worth hacking ||
|| packet sniffer || software that monitors packets being transmitted and received between two computers. ||
|| rainbow table attack || a password hacking technique using a predetermined table of hashes that are possible passwords ||
|| dictionary attack || password guessing by using words out of the dictionary ||
|| DEP || Data Execution Prevention ||