Which type of mutating malware changes its internal code to one of a set number of predefined mutations whenever it is executed?

One method of classifying various types of malware is by the four primary traits that malware possesses:

  • Circulation - Some malware has as its primary trait spreading rapidly to other systems in order to impact a large number of users
  • Infection - Some malware has as its primary trait "infecting", or embedding itself into, the target system
  • Concealment - Some malware has as its primary trait avoiding detection by concealing its presence from scanners
  • Payload capabilities - When payload capabilities are the primary focus of malware, the focus is on what nefarious action(s) the malware performs

Virus types

  • Computer virus - Malicious computer code that reproduces itself on the same computer
  • Program virus - Virus that infects an executable program file
  • Macro virus - One of the most common data file viruses, written in a script known as a macro (a macro is a series of instructions that can be grouped together as a single command)
  • Armored virus - Viruses that go to great lengths to avoid detection (see the infection methods below)

Different virus infection methods

  • Appender infection - One common type: the virus appends itself to the end of a file and replaces the beginning of the file with a jump instruction pointing to the virus code
  • Armored virus techniques:
    • Swiss cheese infection - Encrypts the virus code, then divides the decryption engine into different pieces and injects these pieces throughout the infected program code
    • Split infection - The virus splits the malicious code itself into several parts, plus one main body of code; all parts are placed at random positions throughout the program code. To make detection even more difficult, these parts may contain unnecessary "garbage" code to mask their true purpose

Virus actions

  • When an infected program is launched, it activates its malicious payload
  • Viruses may merely display an annoying message, but they are usually much more harmful

A polymorphic virus is a harmful, destructive or intrusive type of malware that can change or "morph," making it difficult to detect with antimalware programs. Evolution of the malicious code can occur in a variety of ways such as filename changes, compression and encryption with variable keys.

How polymorphic viruses work

Although the appearance of the code in a polymorphic virus varies with each "mutation," the essential function usually remains the same. For example, a spyware program intended to act as a keylogger will continue to perform that function even though its signature changes. If the spyware program is discovered by an antimalware program and its signature is added to a downloadable database, the antimalware program will fail to detect the rogue code after the signature changes, just as if a new spyware program had emerged. In this way, malware creators gain an advantage over security vendors that use traditional signature-based detection to find and block malicious code.

How polymorphic code is generated

Polymorphic code typically uses a mutation engine that accompanies the underlying malicious code. The mutation engine doesn't change the underlying code; instead, the engine generates new decryption routines for the code. The mutation engine can also alter the file names of the polymorphic code. As a result, each time the code is installed on a new device or system, the mutation engine generates a brand new decryption routine.

A polymorphic virus includes an encrypted payload and a mutation engine. The encryption hides the malicious payload from scanners and threat detection software, which are left to identify the virus by its decryption routine. Once the virus is installed on a target, the payload is decrypted and it infects the system; the mutation engine randomly creates a new decryption routine so that when the virus moves to the next target, it appears to be a different file to scanners.

Examples of polymorphic viruses

While polymorphic viruses have become increasingly common in the 21st century as antimalware and threat detection technology has improved, they existed well before that. The first known polymorphic virus was called 1260, or V2PX, and it was created in 1990 as part of a research project. The author, computer researcher Mark Washburn, wanted to demonstrate the limitations of virus scanners at that time. Non-research polymorphic viruses began to emerge soon after Washburn's project. Two early examples, the Tequila and Maltese Amoeba viruses, were discovered in Europe in 1991.

More recent examples of polymorphic viruses and malware have demonstrated increased sophistication. The Storm Worm, which featured a backdoor Trojan, was first discovered in 2007. The worm spread via malicious email messages and, once the Trojan executed, it would turn systems or devices into bots. The Storm Worm featured a polymorphic packer, which is similar to a polymorphic engine; a packer can contain several different variants of malware in a single item such as an email attachment. The worm's polymorphic packer would change every 10 to 30 minutes, depending on the version, in order to avoid detection.

The Virlock ransomware family, which was first discovered in 2014, is considered the first instance of polymorphic ransomware. The virus's decryption codes were randomly generated each time the virus spread to and executed on a new file. The Virlock ransomware not only infects files, but also turns them into polymorphic file infectors; when an infected file is sent to or shared with another user, the Virlock ransomware executes and infects the new user's files. Once the infection is completed, the mutation engine changes the packer containing the malware body.

Detection and prevention

Most conventional antivirus and threat detection products rely on signature-based detection, which can be fooled by polymorphic viruses. However, newer security technologies employ machine learning and behavior-based analytics rather than signature detection. Machine learning algorithms focus on anomalous behavior of unknown programs as well as other static characteristics such as file names and API calls.
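As an added example (not part of the original article), the following Python model shows why the signature-based scanner described above misses each freshly generated decryption routine, while an emulator that follows the stub and scans the decrypted body still catches it. The stub layout, payload and sample variants are constructed assumptions for this demonstration, not any real virus's format.

```python
"""Toy model, constructed for this page: each "variant" is the same payload
wrapped in a different decryption stub (method, key, junk padding), the job
the mutation engine does.  Two scanners are then run over the variants."""

PAYLOAD = b"MALICIOUS_PAYLOAD: keylogger routine"  # constant across variants
SIGNATURE = b"MALICIOUS_PAYLOAD"                    # what a signature scanner knows

# Assumed stub layout: method(1) | key(1) | junk_len(1) | junk | encoded body
XOR, ADD = 0x01, 0x02

def make_variant(method: int, key: int, junk: bytes) -> bytes:
    """Build one constructed test sample (stands in for the mutation engine)."""
    if method == XOR:
        body = bytes(b ^ key for b in PAYLOAD)
    else:
        body = bytes((b + key) & 0xFF for b in PAYLOAD)
    return bytes([method, key, len(junk)]) + junk + body

def signature_scan(sample: bytes) -> bool:
    """Conventional detection: exact byte-string match on the raw file."""
    return SIGNATURE in sample

def emulate_and_scan(sample: bytes) -> bool:
    """Emulator-style detection: follow the stub, recover the body, then
    apply the same signature to what the virus would actually execute."""
    if len(sample) < 3:
        return False
    method, key, junk_len = sample[0], sample[1], sample[2]
    body = sample[3 + junk_len:]
    if method == XOR:
        plain = bytes(b ^ key for b in body)
    elif method == ADD:
        plain = bytes((b - key) & 0xFF for b in body)
    else:
        return False  # a decryptor the emulator cannot follow is a miss
    return SIGNATURE in plain

# Three constructed variants: key 0 leaves the payload in the clear; the
# other two are what a fresh mutation would look like on the next target.
SAMPLES = [
    make_variant(XOR, 0x00, b""),
    make_variant(XOR, 0x5A, b"\x90\x90"),
    make_variant(ADD, 0x13, b"\xCC" * 5),
]

def detections() -> dict:
    """Per-sample verdicts of both scanners, in SAMPLES order."""
    return {"signature": [signature_scan(s) for s in SAMPLES],
            "emulated": [emulate_and_scan(s) for s in SAMPLES]}
```

The unknown-method branch is the emulator's own limit: a decryption routine the emulator cannot follow is exactly where behavior-based analysis has to take over.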

The best approach for defending against polymorphic viruses is to employ multiple and diverse layers of information security measures, such as antimalware software and threat detection. These programs should be kept current and should be run as often as possible. Auto-protect features, if available, should also be enabled.

This was last updated in December 2017



Which type of mutation completely changes a virus from its original form by rewriting its own code whenever it is executed?

Polymorphic malware - Completely changes from its original form whenever it is executed. Metamorphic malware - Can actually rewrite its own code and thus appears different each time it is executed.

Which type of mutational malware changes its code to mask the presence of the malware?

Polymorphic malware pairs a mutation engine with self-propagating code to continually change its “appearance,” and it uses encryption (or other methods) to hide its code.

What type of malware consists of a set of software tools used by an attacker to hide?

A Trojan horse, commonly known as a “Trojan,” is a type of malware that disguises itself as a normal file or program to trick users into downloading and installing malware. A Trojan can give a malicious party remote access to an infected computer.

Which malware type can change code and signature patterns with each iteration?

Polymorphic malware uses an encryption key to change its shape and signature. It combines a mutation engine with self-propagating code to change its appearance continuously and rapidly morph its code.