Viruses (OBJ 1.2)

-: The first type of malware that we're going to discuss is a virus. A computer virus is simply made up of malicious code that's run on a machine without the user's knowledge. And this code allows it to infect the computer whenever it's being run. Now, what does this look like in the real world? Well, maybe you've gone to download a new game from a website, and when you download that installation file inside of it there may have been some malicious code. When you run the program to install it, you're allowing the code to be installed on your machine and that virus now can take hold. At this point, the virus is going to want to reproduce and spread and it does this because you have taken a user action. In this example, you installed the program and that allowed the code to be run and the virus to start doing its nefarious things. This allows it to begin to replicate and spread across your network. Now, the Security+ exam is going to separate viruses into 10 different types. We have boot sector, macro, program, multipartite, encrypted, polymorphic, metamorphic, stealth, armor, and hoax. The first one we're going to talk about is a boot sector virus. A boot sector virus is one that's stored in the first sector of a hard drive and is loaded into memory whenever the computer boots up. These are actually very difficult to detect because they're installed before the operating system boots up. And so your antivirus that you have inside your Windows or your Mac machine is not going to be able to find these boot sector viruses very easily. Instead, you have to use an antivirus that specifically looks for boot sector viruses. Next we have macros. Macros are a form of code that allows a virus to be embedded inside another document. And when that document is opened by the user, that virus then is executed. The most common examples of macros are ones that are found inside Word documents or Excel spreadsheets, or PowerPoint presentations. By default, macros aren't malicious. Actually, macros are used out there as a way for you to do a lot of good functions in a very short period of time. For example, I have a macro that I use within Microsoft Excel that allows me to do quicker calculations. That is a piece of code that works properly, but because we have the ability to add code to these Office documents, bad guys can also add malicious codes to those documents. And that's exactly what a macro virus does. The next type of virus is a program virus. Program viruses seek out executables or application files to infect. For example, if you went and loaded a virus and was able to install itself into your Microsoft Word program, every time you opened up Word you'd be loading that virus again and again. And that's why a program virus targets programs. The next type of virus we have is a multipartite. A multipartite virus is a combination of a boot sector type virus and a program virus. By using this combination, the virus is able to place itself in the boot sector and be loaded every time the computer boots. And by doing so, it can then install itself in a program where it can be run each and every time the computer starts up. This allows it to have a persistence and be able to be there over and over again. So even if you're able to find the program part of the virus and clean it out from within Windows, you may not be able to see the boot sector part. And the next time you reboot it reinstalls into Windows, infecting you again. Another way that viruses try to hide themselves is by using encryption. And when you have an encrypted virus, this virus is going to use a cipher to encrypt the contents of itself to avoid detection by any antivirus software. Because our antivirus providers are getting better and better all the time at understanding viruses and how they work and how to stop them, encrypted viruses are making it harder for antivirus makers to find these type of viruses. And so again, this is one of those things of the good guys get better so the bad guys get better. And then the good guys get better and then the bad guys get better. And this brings us to our next one. A polymorphic virus. A polymorphic virus is an advanced version of an encrypted virus. But instead of just encrypting the contents, it's actually going to change its code each time it's executed by altering the decryption module in order for it to evade detection. Now, I know this sounds really complicated, but what it's doing is it's trying to morph the way its code looks so that a signature-based antivirus can't detect it anymore. Like I said, it's basically a more complicated version of an encrypted virus that allows it to stay in your system longer and remain undetected. Metamorphic viruses are able to rewrite themselves entirely before it attempts to infect a file. And essentially, this is an advanced version of a polymorphic virus. And so we went from encrypted to polymorphic to now metamorphic. Next we have stealth viruses. And these aren't necessarily a specific type of virus as much as a category of a virus protecting itself. When we talked about encrypted and polymorphic and metamorphic viruses, these are all examples of stealth viruses. They're viruses that are using various different techniques to avoid detection by an antivirus software. Next we have armored viruses. And armored viruses have a layer of protection to confuse a program or a person who's trying to analyze it. Again, this is another way that the virus is trying to protect itself and increase its odds of being able to spread to other users without being detected. The final category of virus that we have is what's known as a hoax. Now, a hoax is actually not a virus in the traditional sense. Instead, when we get a virus hoax, we're trying to trick a user into infecting their own machine. This might come in the form of a message or a website that pops up. It may be that we call them on the phone and pretend that we're from Microsoft tech support and tell them that their machine has been infected. And if they just follow our steps, we'll help them get rid of it. Usually this is part of something as somebody's game, somebody thinks it's a joke, or someone's trying to trick them out of money. Regardless, when you get a virus hoax, you really don't have a virus unless you follow through with doing the things that the virus hoax tells you to do, like installing this type of program to remove the virus. Or allowing remote access to your machine so somebody from tech support can clean it up for you. Either way, this is a form of social engineering where they're just trying to trick you. And when you actually try to help by giving them access or installing the program, instead you're actually putting the malicious code on your machine yourself. So beware of hoax viruses.