Malware and Antivirus

"Antivirus" refers to software used to detect and remove malicious software, particularly Worms and Viruses. LD comment: If we define ‘Worms’, ‘Virus’ and ‘Trojan’ in Week 6, Step 23 – we can remind students of these terms again, or add them to the glossary.

This malicious software, known as "malware", can be installed on a system in a number of ways and can have many purposes. Below, we will look at the ways in which these kinds of malware spread. As for their purpose, it depends on the creator. Some malware steals personal data, payment details and so on. Others will encrypt files and ask for a ransom to be paid in order to decrypt them again, or maybe the creator just wants to have control over your system to be able to use it in attacks on larger targets along with potentially thousands of other infected devices. For the past few years, the number of infections that result in nothing more than the stealing of CPU time for mining cryptocurrencies has been growing steadily - hackers are literally stealing your computing power.

The total number of individual malware strains is difficult to know because new ones are discovered regularly, but published detection rates show that the problem is serious. In 2017, Kaspersky announced that their antivirus software detected around 360,000 malicious files daily.

https://www.kaspersky.com/about/press-releases/2017_kaspersky-lab-detects-360000-new-malicious-files-daily

Types of Malware

Viruses

A virus is a piece of malware that spreads by inserting its own code into other files. For example, you might download software from the Internet, or receive files from a colleague on a USB disk that have been infected. When you inadvertently activate the virus code by using the transferred files, some extra computation happens in addition to what you expect. You might open a document and not notice anything untoward, but in the background, the virus is inserting itself into other files on your system so that when you send these to another party, they too will become infected.

The virus does not spread without transfer of files, just like a biological virus requires host cells to replicate.

Worms

A worm spreads differently from a virus, even if its actual function (the payload) is the same. Instead of relying on file transfers, a worm actively seeks new hosts, usually by simply scanning the Internet for targets. When a new host is found, the worm sends a copy of itself to it and the cycle continues.

An important point about this method of propagation is that it requires a vulnerability of some sort in the host. Usually, a computer system would not accept software sent directly to it and then execute what it receives. The worm has to make use of some misconfiguration or software flaw that allows this to happen.

Trojans

Another way malware is installed on a system is through downloading and installing software that has either built-in malware or comes bundled with it. Not all software is created with benign intent, and a number of "free" pieces of software have turned out to contain nefarious code.

Antivirus

Antivirus products work by detecting malicious code and then either quarantining or deleting it.

There are two main methods employed by antivirus software to detect malicious code, and any given antivirus program might use one or both.

Behaviour analysis monitors how software functions and what actions it takes. A set of rules is defined for what "looks suspicious", and when any code meets the criteria it is flagged. The benefit of this kind of detection is that it can find previously unseen malware, but unfortunately it can be tricked by malware creators and can also suffer from false positives - benign software flagged as something malicious.

Signature-based detection uses a database of code snippets taken from known viruses. The antivirus software checks all code to see if these snippets are present, which suggests that a virus, worm or other malware is installed. This kind of detection requires a database of all known malware signatures, which is hard to maintain. Modern antivirus products using this method rely on constantly updated databases that are sent out regularly and automatically to users' systems. There are types of malware that can't be detected by signature-based systems because they adjust their code whenever they duplicate - a technique known as "metamorphic code".
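To make the signature-based approach concrete, here is an added example (not part of the course material) of a toy scanner. The signature entries and the sample "files" are all constructed for the demonstration, and the example also contrasts a byte-snippet signature with a whole-file hash signature to show why the database is so brittle against even small code changes.

```python
"""Toy signature-based scanner (added example, not course material)."""
from __future__ import annotations
import hashlib

# Constructed signature database. Both entries are invented placeholders
# for this example, not real malware signatures.
BYTE_SIGNATURES = {
    "EXAMPLE-Worm.A": bytes.fromhex("deadbeef0102030405"),
}
HASH_SIGNATURES = {
    "EXAMPLE-Trojan.B": hashlib.sha256(b"TROJAN-SAMPLE-CONSTRUCTED").hexdigest(),
}

def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature that matches `data`.

    A byte-pattern signature matches if the snippet appears anywhere in
    the file; a hash signature matches only if the whole file is identical.
    """
    hits = [name for name, pat in BYTE_SIGNATURES.items() if pat in data]
    digest = hashlib.sha256(data).hexdigest()
    hits += [name for name, h in HASH_SIGNATURES.items() if h == digest]
    return hits

def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a mapping of filename -> contents and report hits per file."""
    return {name: scan_bytes(content) for name, content in files.items()}

# Constructed sample "files" used for the demonstration.
WORM_CODE = bytes.fromhex("deadbeef0102030405")
SAMPLES = {
    "report.docx": b"Quarterly figures, nothing to see here",
    "infected.exe": b"MZ" + WORM_CODE + b"\x00" * 8,
    # The same worm with one byte in the signature region changed: this
    # stands in for a copy that rewrote itself (metamorphic code), which
    # the snippet signature no longer recognises.
    "infected_variant.exe": b"MZ" + WORM_CODE[:4] + b"\xff" + WORM_CODE[5:],
    "trojan_setup.exe": b"TROJAN-SAMPLE-CONSTRUCTED",
    # Identical trojan with a single trailing byte appended: same behaviour,
    # different hash, so the whole-file hash signature misses it.
    "trojan_setup_v2.exe": b"TROJAN-SAMPLE-CONSTRUCTED" + b"\x00",
}

if __name__ == "__main__":
    for filename, hits in scan_files(SAMPLES).items():
        verdict = ", ".join(hits) if hits else "clean"
        print(f"{filename:22} {verdict}")
```

Running the block reports hits only for `infected.exe` and `trojan_setup.exe`; the two altered copies scan as clean, which is exactly the gap that behaviour analysis is meant to cover.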