The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
Hidden from Windows API. These discrepancies are the ones exhibited by most rootkits; however, if you haven't checked the Hide NTFS metadata files option you should expect to see a number of such entries on any NTFS volume, since NTFS hides its metadata files, such as $MFT and $Secure, from the Windows API. The metadata files present on NTFS volumes vary by version of NTFS and the NTFS features that have been enabled on the volume. There are also antivirus products, such as Kaspersky Antivirus, that use rootkit techniques to hide data they store in NTFS alternate data streams. If you are running such a virus scanner you'll see a Hidden from Windows API discrepancy for an alternate data stream on every NTFS file. RootkitRevealer does not support output filters because rootkits can take advantage of any filtering. Finally, if a file is deleted during a scan you may also see this discrepancy.
Key name contains embedded nulls. The Windows API treats key names as null-terminated strings, whereas the kernel treats them as counted strings. Thus, it is possible to create Registry keys that are visible to the operating system, yet only partially visible to Registry tools like Regedit. The Reghide sample code at Sysinternals demonstrates this technique, which is used by both malware and rootkits to hide Registry data. Use the Sysinternals RegDelNull utility to delete keys with embedded nulls.
Data mismatch between Windows API and raw hive data. This discrepancy will occur if a Registry value is updated while the Registry scan is in progress. Values that change frequently include timestamps such as the Microsoft SQL Server uptime value, shown below, and virus scanner "last scan" values. You should investigate any reported value to ensure that it's a valid application or system Registry value.
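The three discrepancy types above all come from comparing what the Windows API reports against a raw read of the volume or hive. The following added example (not RootkitRevealer's code) reproduces that comparison over constructed listings; every path, key name and value in it is made-up sample data, and the function names are hypothetical.

```python
# Added example: cross-view comparison in the style described above.
# Every path, key and value below is constructed sample data.

# Metadata files NTFS hides from the Windows API (subset; varies by version).
NTFS_METADATA = {"$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef",
                 "$Bitmap", "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend"}

API_FILES = ["C:\\Windows\\notepad.exe", "C:\\pagefile.sys"]
RAW_FILES = API_FILES + ["C:\\$MFT", "C:\\$Secure",
                         "C:\\Windows\\constructed_hidden.sys"]
API_VALUES = {"HKLM\\SOFTWARE\\Example": {"LastScan": b"1"}}
RAW_KEYS = {"HKLM\\SOFTWARE\\Example": {"LastScan": b"2"},
            "HKLM\\SOFTWARE\\Example\x00Hidden": {"Data": b"\x01"}}


def api_key_name(counted_name):
    """Null-terminated view of a counted key name: stops at the first NUL."""
    return counted_name.split("\x00", 1)[0]


def diff_files(api_listing, raw_listing, hide_ntfs_metadata=True):
    """Report names present in the raw volume view but not the API view."""
    hidden = sorted(set(raw_listing) - set(api_listing))
    if hide_ntfs_metadata:
        hidden = [p for p in hidden
                  if p.rsplit("\\", 1)[-1] not in NTFS_METADATA]
    return [(p, "Hidden from Windows API") for p in hidden]


def diff_registry(api_values, raw_keys):
    """Compare raw hive keys/values against what the API returned."""
    findings = []
    for key, values in sorted(raw_keys.items()):
        if "\x00" in key:
            findings.append((repr(key), "Key name contains embedded nulls"))
            continue
        for name, raw_data in sorted(values.items()):
            api_data = api_values.get(key, {}).get(name)
            if api_data is not None and api_data != raw_data:
                findings.append((key + "\\" + name,
                                 "Data mismatch between Windows API and raw hive data"))
    return findings


if __name__ == "__main__":
    for item in diff_files(API_FILES, RAW_FILES) + diff_registry(API_VALUES, RAW_KEYS):
        print(item)
```

Note that `api_key_name` maps the key with the embedded null onto the name of the ordinary key beside it, which is why a null-terminated tool shows only part of the picture.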
A trojan horse is a malicious software program that hides inside other programs. It enters a computer hidden inside a legitimate program, such as a screen saver. Then it puts code into the operating system that enables a hacker to access the infected computer. Trojan horses do not usually spread by themselves. They are spread by viruses, worms, or downloaded software.
If you're running Windows in S mode it's streamlined for tighter security, so the Virus & threat protection area has fewer options than those described here. This is because the built-in security of Windows in S mode automatically prevents viruses and other threats from running on your device.
A computer virus[1] is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs.[2][3] If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.[4]
Computer viruses generally require a host program.[5] The virus writes its own code into the host program. When the program runs, the written virus program is executed first, causing infection and damage. A computer worm does not need a host program, as it is an independent program or code chunk. Therefore, it is not restricted by the host program, but can run independently and actively carry out attacks.[6][7]
The Creeper virus was first detected on ARPANET, the forerunner of the Internet, in the early 1970s.[17] Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971.[18] Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system.[19] Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'M THE CREEPER. CATCH ME IF YOU CAN!" was displayed.[20] The Reaper program was created to delete Creeper.[21]
A computer virus generally contains three parts: the infection mechanism, which finds and infects new files, the trigger, which determines when to activate the payload, and the payload, which is the malicious code to execute.[34]
A memory-resident virus (or simply "resident virus") installs itself as part of the operating system when executed, after which it remains in RAM from the time the computer is booted up to when it is shut down. Resident viruses overwrite interrupt handling code or other functions, and when the operating system attempts to access the target file or disk sector, the virus code intercepts the request and redirects the control flow to the replication module, infecting the target. In contrast, a non-memory-resident virus (or "non-resident virus"), when executed, scans the disk for targets, infects them, and then exits (i.e. it does not remain in memory after it is done executing).[45]
Many common applications, such as Microsoft Outlook and Microsoft Word, allow macro programs to be embedded in documents or emails, so that the programs may be run automatically when the document is opened. A macro virus (or "document virus") is a virus that is written in a macro language and embedded into these documents so that when users open the file, the virus code is executed, and can infect the user's computer. This is one of the reasons that it is dangerous to open unexpected or suspicious attachments in e-mails.[46][47] While not opening attachments in e-mails from unknown persons or organizations can help to reduce the likelihood of contracting a virus, in some cases, the virus is designed so that the e-mail appears to be from a reputable organization (e.g., a major bank or credit card company).
Boot sector viruses are most commonly transmitted through physical media. When the computer reads the VBR of an infected floppy disk or USB flash drive connected to it, data is transferred that modifies or replaces the existing boot code. The next time a user tries to start the desktop, the virus will immediately load and run as part of the master boot record.[50]
To avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool antivirus software, however, especially those which maintain and date cyclic redundancy checks on file changes.[52] Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.[53] Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them (for example, Conficker). A virus may also hide its presence using a rootkit by not showing itself on the list of system processes or by disguising itself within a trusted process.[54] In the 2010s, as computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.[citation needed]
While some kinds of antivirus software employ various techniques to counter stealth mechanisms, once the infection occurs any recourse to "clean" the system is unreliable. In Microsoft Windows operating systems, the NTFS file system is proprietary. This leaves antivirus software little alternative but to send a "read" request to Windows files that handle such requests. Some viruses trick antivirus software by intercepting its requests to the operating system. A virus can hide by intercepting the request to read the infected file, handling the request itself, and returning an uninfected version of the file to the antivirus software. The interception can occur by code injection of the actual operating system files that would handle the read request. Thus, an antivirus software attempting to detect the virus will either not be permitted to read the infected file, or, the "read" request will be served with the uninfected version of the same file.[55]
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures.[59] Different antivirus programs will employ different search methods when identifying viruses. If a virus scanner finds such a pattern in a file, it will perform other checks to make sure that it has found the virus, and not merely a coincidental sequence in an innocent file, before it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.[citation needed]
One method of evading signature detection is to use simple encryption to encipher (encode) the body of the virus, leaving only the encryption module and a static cryptographic key in cleartext which does not change from one infection to the next.[60] In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that finding some may be reason enough for virus scanners to at least "flag" the file as suspicious.[citation needed] An old but compact method is the use of arithmetic operations such as addition or subtraction and of logical operations such as XORing,[61] where each byte in a virus is XORed with a constant, so that the exclusive-or operation has only to be repeated for decryption. It is suspicious for code to modify itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.[citation needed] A simpler older approach did not use a key, where the encryption consisted only of operations with no parameters, like incrementing and decrementing, bitwise rotation, arithmetic negation, and logical NOT.[61] Some viruses, called polymorphic viruses, will employ a means of encryption inside an executable in which the virus is encrypted under certain events, such as the virus scanner being disabled for updates or the computer being rebooted.[62] This is called cryptovirology.
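From the scanner's side, XOR with a single constant is weak because the key cancels out between neighbouring bytes. The following added example (not taken from any antivirus product) matches a signature under every one-byte key in a single pass; the signature, the sample buffer and the function names are constructed for illustration.

```python
# Added example: key-independent matching of a signature hidden by
# single-byte XOR. SIGNATURE and SAMPLE are constructed, harmless bytes.

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def xor_with(data, key):
    """XOR every byte with one constant key (the scheme described above)."""
    return bytes(b ^ key for b in data)


def adjacent_xor(data):
    """XOR of each byte with its successor; the constant key cancels out,
    since (a ^ k) ^ (b ^ k) == a ^ b."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def scan(data, signature=SIGNATURE):
    """Return [(offset, key)] for every copy of `signature` XORed with any
    single-byte key (key 0 means the plain signature)."""
    needle = adjacent_xor(signature)
    haystack = adjacent_xor(data)
    hits = []
    pos = haystack.find(needle)
    while pos != -1:
        # The key is recovered from the first byte of the match.
        hits.append((pos, data[pos] ^ signature[0]))
        pos = haystack.find(needle, pos + 1)
    return hits


# Constructed sample: padding, the signature under key 0x5A, more padding,
# then the same signature under key 0xC3.
SAMPLE = (b"\x90" * 8 + xor_with(SIGNATURE, 0x5A) + b"\x00" * 4
          + xor_with(SIGNATURE, 0xC3))

if __name__ == "__main__":
    for offset, key in scan(SAMPLE):
        print(f"offset={offset} key=0x{key:02x}")
```

A match on the adjacent-byte differences implies an exact XORed copy at that offset, so the pass produces no false positives beyond those of the signature itself. The keyless logical NOT mentioned above is the special case of key 0xFF.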