Wednesday, December 24, 2014

True story and some information about Viruses.

I'm NOT a computer expert, but I'm definitely not "ignorant" about how they work. A few years back I ran into a bit of a problem with someone who was using, and had gained access to, my PCs. I put in numerous anti-viruses to try and get the viruses out of them. I tried every anti-virus that I could find! It was that bad! After all of the anti-viruses that I put into my PCs failed, I decided to "delete" the entire HDs. After I deleted the entire HDs, a big mistake on my part, it hit me that I'd need the information that was on them for legal purposes. Thinking that a forensic lab could go into the HDs and bring up what I had deleted, I took them both to a State Police station for their PC expert to look at them. When the time came to pick them up, to my surprise, I was told that one HD was "ruined" to the point that they couldn't do anything with it. I was asked if it had been exposed to a chemical... It hadn't been. I did the exact same thing with both HDs: deleted them and placed them in clean bags. I was told that the other HD had very little on it and it appeared to be NEW. Unbelievable to me! The forensic lab found a few "somethings" on it, but not everything that had been deleted! Granted, after that I came to the conclusion that even those we might think are "professionals" at something aren't always "accurate" at it.

Here is some information about viruses. 

PS: Don't ever download anything that will give someone remote access to your PC (SubSeven). Explained in Key logging.




Key logging:

http://en.wikipedia.org/wiki/Keystroke_logging

Trojan horse(Virus):

http://en.wikipedia.org/wiki/Trojan_horse_(computing)

Timeline of PC viruses:  

http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms#2000.E2.80.932009

2004
  • Late January: The MyDoom worm emerges, and currently holds the record for the fastest-spreading mass mailer worm.
  • February 16: The Netsky worm is discovered. The worm spreads by email and by copying itself to folders on the local hard drive as well as on mapped network drives if available. Many variants of the Netsky worm appeared.
  • March 19: The Witty worm is a record-breaking worm in many regards. It exploited holes in several Internet Security Systems (ISS) products. It was the fastest disclosure to worm, it was the first internet worm to carry a destructive payload and it spread rapidly using a pre-populated list of ground-zero hosts.
  • May 1: The Sasser worm emerges by exploiting a vulnerability in the Microsoft Windows LSASS service and causes problems in networks, while removing MyDoom and Bagle variants, even interrupting business.
  • June 15: Caribe or Cabir is a computer worm that is designed to infect mobile phones that run Symbian OS. It is the first computer worm that can infect mobile phones. It spread itself through Bluetooth. More information can be found on F-Secure[33] and Symantec.[34]
  • August 16: Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan that infects Windows NT family systems (Windows 2000, Windows XP, Windows 2003).[35]
  • August 20: Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a trojan known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehaviour including performance degradation and denial of service with some websites including Google and Facebook.[36]
  • October 12: Bifrost, also known as Bifrose, is a backdoor trojan which can infect Windows 95 through Vista. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attack.[37]
  • December: Santy, the first known "webworm" is launched. It exploited a vulnerability in phpBB and used Google in order to find new targets. It infected around 40000 sites before Google filtered the search query used by the worm, preventing it from spreading.


2005
  • August 2005: Zotob
  • Late 2005: The Zlob Trojan, is a trojan horse which masquerades as a required video codec in the form of the Microsoft Windows ActiveX component. It was first detected in late 2005.[38]
  • Bandook or Bandook Rat (Bandook Remote Administration Tool) is a backdoor trojan horse that infects the Windows family. It uses a server creator, a client and a server to take control over the remote computer. It uses process hijacking / kernel patching to bypass the firewall, and let the server component hijack processes and gain rights for accessing the Internet.

2006
  • January 20: The Nyxem worm was discovered. It spread by mass-mailing. Its payload, which activates on the third of every month, starting on February 3, attempts to disable security-related and file sharing software, and destroy files of certain types, such as Microsoft Office files.
  • February 16: discovery of the first-ever malware for Mac OS X, a low-threat trojan-horse known as OSX/Leap-A or OSX/Oompa-A, is announced.
  • Late March: Brontok variant N was found in late March.[39] Brontok was a mass-email worm and the origin for the worm was from Indonesia.
  • Late September: Stration or Warezov worm first discovered.

2007
  • January 17: Storm Worm identified as a fast spreading email spamming threat to Microsoft systems. It begins gathering infected computers into the Storm botnet. By around June 30 it had infected 1.7 million computers, and it had compromised between 1 and 10 million computers by September.[40] Thought to have originated from Russia, it disguises itself as a news email containing a film about bogus news stories asking you to download the attachment which it claims is a film.
  • July: Zeus is a trojan that targets Microsoft Windows to steal banking information by keystroke logging.

2008
  • February 17: Mocmex is a trojan, which was found in a digital photo frame in February 2008. It was the first serious computer virus on a digital photo frame. The virus was traced back to a group in China.[41]
  • March 3: Torpig, also known as Sinowal and Mebroot, is a Trojan horse that affects Windows, turning off anti-virus applications. It allows others to access the computer, modifies data, steals confidential information (such as user passwords and other sensitive data) and installs more malware on the victim's computer.[42]
  • May 6: Rustock.C, a hitherto-rumoured spambot-type malware with advanced rootkit capabilities, was announced to have been detected on Microsoft systems and analyzed, having been in the wild and undetected since October 2007 at the very least.[43]


botnet

Zeus (Trojan horse): ZeuS, or Zbot, is Trojan horse computer malware that runs on versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information

http://en.wikipedia.org/wiki/Zeus_(Trojan_horse)

Stealth strategies
In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool antivirus software, however, especially those which maintain and date cyclic redundancy checks on file changes.
Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.[36]
Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.
As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.
Read request intercepts
While some antivirus software employs various techniques to counter stealth mechanisms, once the infection occurs any recourse to clean the system is unreliable. In Microsoft Windows operating systems, the NTFS file system is proprietary. Direct access to files without using the Windows OS is undocumented. This leaves antivirus software little alternative but to send a read request to the Windows OS files that handle such requests. Some viruses trick antivirus software by intercepting its requests to the OS. A virus can hide itself by intercepting the request to read the infected file, handling the request itself, and returning an uninfected version of the file to the antivirus software. The interception can occur by code injection into the actual operating system files that would handle the read request. Thus, antivirus software attempting to detect the virus will either not be given permission to read the infected file, or the read request will be served with the uninfected version of the same file.[37]
The only reliable method to avoid stealth is to boot from a medium that is known to be clean. Security software can then be used to check the dormant operating system files. Most security software relies on virus signatures, or it employs heuristics.
Security software may also use a database of file hashes for Windows OS files, so the security software can identify altered files and request Windows installation media to replace them with authentic versions. In older versions of Windows, the file hashes of Windows OS files stored in Windows—to allow file integrity/authenticity to be checked—could be overwritten so that the System File Checker would report that altered system files are authentic, so using file hashes to scan for altered files would not always guarantee finding an infection.
Self-modification
Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. Unfortunately, the term is misleading, in that viruses do not possess unique signatures in the way that human beings do. Such a virus signature is merely a sequence of bytes that an antivirus program looks for because it is known to be part of the virus. A better term would be "search strings". Different antivirus programs will employ different search strings, and indeed different search methods, when identifying viruses. If a virus scanner finds such a pattern in a file, it will perform other checks to make sure that it has found the virus, and not merely a coincidental sequence in an innocent file, before it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
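As an added example (my own code, not from this post or from the Wikipedia article it quotes), here is a Python version of the hash-baseline check described under "Read request intercepts": a trusted baseline of SHA-256 hashes is recorded from a clean state, the tree is re-checked later, and a constructed cavity-style overwrite that keeps the file size and restores the "last modified" date is still reported as altered. The directory, file names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:                      # hash in chunks; OS files can be large
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> (size, sha256) for every file under root (the trusted baseline)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), file_sha256(full))
    return baseline

def check_against_baseline(root, baseline):
    """Compare the tree under root with the baseline; hashes decide, not sizes or dates."""
    current = build_baseline(root)
    altered = sorted(p for p in baseline if p in current and current[p][1] != baseline[p][1])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {"altered": altered, "missing": missing, "new": new}

def demo():
    """Constructed scenario: overwrite padding inside a file (cavity style) and restore its mtime."""
    root = tempfile.mkdtemp()
    try:
        target = os.path.join(root, "system", "example.dll")
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1022)          # constructed stand-in for a padded executable
        baseline = build_baseline(root)              # taken while the tree is known clean
        before = os.stat(target)
        with open(target, "r+b") as f:
            f.seek(512)
            f.write(b"INFECTED")                     # written into the gap: size is unchanged
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))  # put the date back
        after = os.stat(target)
        result = check_against_baseline(root, baseline)
        return result, after.st_size == before.st_size, after.st_mtime_ns == before.st_mtime_ns
    finally:
        shutil.rmtree(root)
```

In practice the baseline must be built and stored from a clean boot medium, as the text says; a baseline written on the running system can be tampered with just like the hashes the System File Checker relied on.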

http://en.wikipedia.org/wiki/Computer_virus#Stealth_strategies


http://en.wikipedia.org/wiki/Application_programming_interface

http://www.mysql.repairtoolbox.com

http://lifehacker.com/393084/how-to-recover-deleted-files-with-free-software


http://www.linux.com/news/enterprise/storage/8257-how-to-recover-lost-files-after-you-accidentally-wipe-your-hard-drive
