看清恶意软件的十张脸 迈出避免问题的第一步

看清恶意软件的十张脸 迈出避免问题的第一步

作者：Michael Kassner
翻译：endurer，2009-08-13 第2版
分类：安全
标签：软件，特洛伊木马，恶意软件，电脑，Vundo，Sony BMG CD Copy Protection Scandal，内核模式，终思，Rootkits

　　如今的复杂IT环境使得电脑恶意软件很容易滋生肆虐。一起来学习，为避免这个问题开个好头罢。

　　用所有不同的术语和定义来试图指明进入电脑的恶意软件是哪些很困难。在开始说事前，让我们对贯穿本文的一些关键术语作个定义：

　　恶意软件：是为在用户未知或未经允许的情况下潜入或危害电脑系统而专门开发的怀有恶意的软件。

　　恶意代码：是恶意程序代码，在软件应用程序开发阶段中产生，并且通常被称为恶意软件的有效载荷。

　　反病毒软件：包括任何与恶意软件战斗的程序。不管它是实时保护的还是检测和删除现有恶意软件。防病毒和防间谍及恶意软件扫描软件都是反恶意软件的例子。

　　重要的是要记住，像对口的生物一样，恶意软件的头号目标是复制。破坏电脑系统，销毁数据，或窃取敏感信息，都是次要的目标。

　　牢记上述定义，让我们来看看10种恶意软件：

1：臭名昭著的电脑病毒

　　电脑病毒是具有感染电脑的能力，但只能依靠其它一些手段来传播的恶意软件。一个真正的病毒在从被感染的电脑传播到非受感染的电脑时，只能通过在二者之间传递的信息中附加某种形式的可执行代码。例如，病毒可能隐藏在一个作为电子邮件附件的PDF文件中。大多数病毒包括以下三个部分：

　　复制器：当宿主程序被激活时，也即病毒和病毒性恶意代码最优先的是传播。
　　隐蔽器：电脑病毒可以采用几种方法中的某一种来躲避反恶意软件。
　　有效功能：电脑病毒的恶意代码有效功能可设计用于做任何事情，从停用电脑的功能到摧毁数据。

　　现在流行的一些电脑病毒例子是W32.Sens.A, W32.Sality.AM, 和 W32.Dizan.F。绝大多数品质好的反病毒软件一旦按特征码文件检测到电脑病毒，就会进行清除。

2：广为流行的电脑蠕虫

　　电脑蠕虫比病毒更狡话诈，无需用户介入就能复制。如果恶意软件使用网络（互联网）来传播，它是蠕虫的可能性高于病毒。蠕虫的主要组成为：

　　渗透工具：恶意代码利用漏洞获取对受害电脑的访问权。
　　安装器：渗透工具使电脑蠕虫透过初始防御机制。此时，安装器接管并将恶意代码主体传送到受害电脑。
　　发现工具：一旦侵入，该蠕虫会使用多种方法来发现网络上的其他电脑，其中包括电子邮箱地址，主机列表，以及DNS查询。
　　扫描器：蠕虫使用扫描器来判断新发现的目标电脑是否有其渗透工具可以利用的漏洞。
　　有效功能：驻留在每台受害电脑中的恶意代码。这可能是从远程访问应用程序到一个用于获取用户名和密码的击键记录器的任何一个。

　　不幸的是这一类的恶意软件是最丰富的，始于1988年的莫里斯蠕虫，沿续到如今的Conficker蠕虫。大多数电脑蠕虫可以用恶意软件扫描器来移除，如MBAM或GMER。

3：未知后门

　　后门与我一直在使用的一些远程访问程序相似。当它们如攻击者所愿未经允许就安装时，则被认为是恶意软件。攻击者使用下列方法：

　　一种安装方法是利用目标电脑的漏洞。

　　另一种渠道是通过社会工程学来诱骗用户安装后门。

　　一旦安装完成，后门程序会让攻击者完全远程控制电脑。SubSeven， NetBus， Deep Throat， Back Orifice 和 Bionet 是臭名昭著的后门程序。像MBAM 和 GMER 这样的恶意软件扫描器通常可以成功移除后门。

4：偷偷摸摸的的特洛伊木马

　　很难给特洛伊木马做出一个比Ed Skoudis 和 Lenny Zelter 在他们的写的书《Malware: Fighting Malicious Code（恶意软件：对抗恶意代码）》中所做的更好的定义了：

　　特洛伊木马是一种程序，看起来似乎有一些用途或良性的目的，但实际掩盖一些隐藏的恶意功能。

　　特洛伊木马恶意软件在安装和程序运行时隐匿破坏性的功能，防止反恶意软件识别出恶意代码。这些隐匿技术包括：

　　改名 把恶意软件改为类似正常文件的名字。
　　腐蚀 安装的反恶意软件在定位到恶意软件时不作反应。
　　使用多态性代码 改变恶意软件特征的速度超过防御软件所能接收到的新签名文件。

　　Vundo是一个最好的例子；它创建一个流氓的反间谍软件程序的弹出广告，降低系统性能，并干扰网页浏览。通常情况下，安装在LiveCD上恶意软件扫描器要检测并删除它。

5：广告/间谍软件：不甚其烦

　　广告软件是一种不经允许就创建弹出广告的软件，它通常作为free software（免费软件？自由软件？）的一个组件来安装。广告软件不仅让人气厌，还显着降低电脑的性能。

　　间谍软件是一种在你不知情的情况下收集你电脑中的信息的软件。free software（免费软件？自由软件？）因具有间谍软件功能而臭名昭著，所以阅读用户协议是非常重要的。索尼BMG光盘的复制保护丑闻可能是最明显的间谍软件例子。

　　

　　绝大多数有品质的反间谍软件程序可以迅速发现不想要的广告软件/间谍软件并从电脑中删除。把定期删除Web浏览器程序的临时文件， Cookie和历史记录的作为预防性维护也不是一个坏主意。

恶意软件大杂烩

　　到目前为止，我们已经讨论的所有恶意软件具有鲜明的特点，使得每一种类型都易于界定。不幸的是，下一个类别不是这种情况。恶意软件开发者已经知道如何从不同类型的恶意软件中组合出最佳功能，企图提高他们的成功率。

　　Rootkits就是这样一个例子，它将木马和后门集成到一块。当他们用这种组合时，攻击者不引起任何怀疑就可以获取远程电脑的访问权。Rootkits是一种更重要的组合威胁，因此，让我们更深入地了解它们。

Rootkits ：完全不同

　　Rootkits完全自成一类，选择修改现有的操作系统而不是像大多数恶意软件那样在应用程序级增加软件。这是重要的，因为它使得反恶意软件的检测更为困难。

　　有几种类型的rootkit，现实中发现的主要有三类：用户模式，内核模式，和固件rootkit 。用户模式和内核模式可能需要一些解释：

　　用户模式：代码访问电脑软件和硬件资源受到限制。在电脑上运行的大部分代码将在用户模式执行。由于访问受限制，在用户模式中的崩溃是可以恢复的。

　　内核模式：代码不受限制地访问电脑中的所有软件和硬件资源。内核模式通常保留给最值得信赖的操作系统功能在内核模式的崩溃是不可恢复的。

6：用户模式rootkits

　　现在认为用户模式rootkits在电脑中以与管理员相同的特权运行。这意味着：

　　用户模式rootkits可以改变进程，文件，系统驱动程序，网络端口，甚至系统服务。

　　用户模式rootkits仍然通过复制所需文件到电脑硬盘来进行安装，在每次系统启动时自动运行。

　　Hacker Defender是用户模式rootkits一个例子。幸运的是Mark Russinovich那众所周知的应用程序rootkit Revealer可以检测出它，以及其他大多数用户模式的rootkit。

7：内核模式rootkits

　　因为运行在用户模式的rootkits可以被发现和清除，rootkit设计者们转变思路法并开发出了内核模式rootkits。内核模式意味着rootkit安装在与操作系统和rootkit检测软件相同的级别。这让rootkit可以不必理会操作系统。

　　不稳定性通常导致无法解释的崩溃或蓝屏，这是内核模式rootkit 的一个弱点。在这一点上，试试GMER可能是一个好主意。GMER是值得信赖的rootkit清除工具之一，有能力对抗像Rustock那样的内核模式rootkit。

8：固件rootkits

　　固件rootkits随着rootkit开发者搞清楚如何让rootkit恶意代码存储在固件中而正逐步提高复杂水平。任何固件都可能被改变，从微处理器代码到PCI扩展卡的固件。这意味着：

　　在关闭电脑时， rootkit将当前恶意代码写入到特定固件中。
　　重启电脑时，rootkit也重新自我安装。
　　即使清除程序发现和消除了固件rootkit，在下一次电脑启动，固件rootkit又会恢复。

9：恶意移动代码

　　尽管恶名未著，恶意移动代码正在迅速成为让恶意软件在电脑上安装的最有效方式。移动代码是这样的软件：

　　从远程服务器获取。
　　通过网络传输。
　　下载到本地系统并执行。

　　移动代码的例子包括JavaScript, VBScript, ActiveX控件, 和Flash动画。移动代码背后的主要想法是活动的内容，这是很容易识别。这是使网页浏览成为交互式体验的动态网页内容。
　　是什么让移动代码的具有恶意呢？无需所有者同意就能安装，或误导用户对该软件的功能。更糟的是，这通常是组合攻击的第一步，与特洛伊木马恶意软件所用的渗透工具相似。此后，攻击者可以安装额外的恶意软件。

　　打击恶意移动代码的最好方式是确保操作系统和所有辅助软件是最新的。

10：混合威胁

　　当恶意软件通过把几种单一目的的恶意软件组合起来，寻求最大危害和有效传播时，就是混合威胁。混合威胁特别值得一提，因为安全专家也不得不承认它们所做的这些事情是最棒的。混合威胁通常可以：

　　利用若干已知漏洞或者甚至创造漏洞。
　　合并替换方法来实现复制。
　　自动执行代码，无需用户的互动。

　　例如，混合威胁恶意软件可能发送一个嵌入特洛伊木马HTML格式的电子邮件信息，附件中的PDF文件则包含着另一种特洛伊木马。一些重出名的混合威胁恶意软件有尼姆达（Nimda）, 红色代码（CodeRed），及 熊熊虫（Bugbear）。

终思

　　是否有可能有效地减少恶意代码造成的危害呢？这里有一些对此问题的最终思考：

　　恶意软件在任何时候都不会很快消失。特别是当它显然可以用来得到很多钱的时候。
　　由于所有反恶意软件应用程序都是极端保守的，注定要失败。
　　操作系统及应用软件的开发者不应容忍软件存在漏洞。
　　电脑使用者需要多多学习如何应对不断变化的软件环境。
　　需要不断强调的是：请务必保持操作系统及应用软件更新。

英文来源：http://blogs.techrepublic.com.com/10things/?p=881&tag=nl.e102

The 10 faces of computer malware
Date: July 17th, 2009
Author: Michael Kassner
Category: 10 things, Security
Tags: Software, Trojan Horse, Malware, Computer, Vundo, Sony BMG CD Copy Protection Scandal, Kernel-mode, Kernel Mode, Final Thought, Rootkits

The complexity of today’s IT environment makes it easy for computer malware to exist, even flourish. Being informed about what’s out there is a good first step to avoid problems.

--------------------------------------------------------------------------------

With all the different terms, definitions, and terminology, trying to figure out what’s what when it comes to computer malware can be difficult. To start things off, let’s define some key terms we’ll use throughout the article:

Malware: Is malicious software that’s specifically developed to infiltrate or cause damage to computer systems without the owners’ knowledge or permission.
Malcode: Is malicious programming code that’s introduced during the development stage of a software application and is commonly referred to as the malware’s payload.
Anti-malware: Includes any program that combats malware, whether it’s real-time protection or detection and removal of existing malware. Antivirus and anti-spyware applications and malware scanners are examples of anti-malware.
It’s important to remember that like its biological counterpart, malware’s number one goal is reproduction. Damaging a computer system, destroying data, or stealing sensitive information are all secondary objectives.

Keeping the above definitions in mind, let’s take a look at 10 types of malware.

Note: This article originally appeared as an entry in our IT Security blog. It is also available as a PowerPoint presentation and as a PDF document in our Downloads Library.

1: The infamous computer virusA computer virus is malware that’s capable of infecting a computer but has to rely on some other means to propagate. A true virus can spread from the infected computer to a non-infected computer only by attaching to some form of executable code that’s passed between them. For example, a virus could be hidden in a PDF file attached to an e-mail message. Most viruses consist of the following three parts:

Replicator: When the host program is activated, so is the virus, and the viral malcode’s first priority is to propagate.
Concealer: The computer virus can employ one of several methods to hide from anti-malware.
Payload: The malcode payload of a virus can be purposed to do just about anything, from disabling computer functions to destroying data.
Some examples of computer viruses currently in the wild are W32.Sens.A, W32.Sality.AM, and W32.Dizan.F. Most quality antivirus software will remove a computer virus once the application has its signature file.

2: The ever-popular computer wormComputer worms are more sophisticated than viruses, being able to replicate without user intervention. If the malware uses networks (Internet) to propagate, it’s a worm rather than a virus. The main components of a worm are:

Penetration tool: Malcode that leverages vulnerabilities on the victim computer to gain access.
Installer: The penetration tool gets the computer worm past the initial defense mechanism. At that point, the installer takes over and transfers the main body of malcode to the victim.
Discovery tool: Once settled in, the worm uses several methods to discover other computers on the network, including e-mail addresses, Host lists, and DNS queries.
Scanner: The worm uses a scanner to determine if any of the newly found target computers are vulnerable to the exploits available in its penetration tool.
Payload: Malcode that resides on each victim’s computer. This could be anything from a remote access application to a key logger used to capture user names and passwords.
This category of malware is unfortunately the most prolific, starting with the Morris worm in 1988 and continuing today with the Conficker worm. Most computer worms can be removed by using malware scanners, such as MBAM or GMER.

3: The unknown backdoorBackdoors are similar to the remote access programs many of us use all the time. They’re considered malware when installed without permission, which is exactly what an attacker wants to do, by using the following methods:

One installation method is to exploit vulnerabilities on the target computer.
Another approach is to trick the user into installing the backdoor through social engineering.
Once installed, backdoors allow attackers complete remote control of the computer under attack. SubSeven, NetBus, Deep Throat, Back Orifice, and Bionet are backdoors that have gained notoriety. Malware scanners, like MBAM and GMER, are usually successful at removing backdoors.

4: The secretive Trojan horseIt’s difficult to come up with a better definition for Trojan horse malware than Ed Skoudis and Lenny Zelter did in their book Malware: Fighting Malicious Code:

“A trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality.”

Trojan horse malware cloaks the destructive payload during installation and program execution, preventing anti-malware from recognizing the malcode. Some of the concealment techniques include:

Renaming the malware to resemble files that are normally present.
Corrupting installed anti-malware to not respond when malware is located.
Using Polymorphic code to alter the malware’s signature faster than the defensive software can retrieve new signature files.
Vundo is a prime example; it creates popup advertising for rogue anti-spyware programs, degrades system performance, and interferes with Web browsing. Typically, a malware scanner installed on a LiveCD is required to detect and remove it.

5: Adware/spyware: more than an annoyanceAdware is software that creates popup advertisements without your permission. Adware usually gets installed by being a component of free software. Besides being irritating, adware can significantly decrease computer performance.
Spyware is software that collects information from your computer without your knowledge. Free software is notorious for having spyware as a payload, so reading the user agreement is important. The Sony BMG CD copy protection scandal is probably the most notable example of spyware.
Most quality anti-spyware programs will quickly find unwanted adware/spyware and remove it from the computer. It’s also not a bad idea to regularly remove temp files, cookies, and browsing history from the Web browser program as preventative maintenance.

Malware stew
Up until now, all the malware discussed has distinctive characteristics, making each type easy to define. Unfortunately, that’s not the case with the next categories. Malware developers have figured out how to combine the best features from different types of malware in an attempt to improve their success ratio.

Rootkits are an example of this, integrating a Trojan horse and a backdoor into one package. When they’re used in this combination, an attacker can gain access to a computer remotely without raising any suspicion. Rootkits are one of the more important combined threats, so let’s take a deeper look at them.

Rootkits: Completely different
Rootkits are in a class all their own, choosing to modify the existing operating system instead of adding software at the application level, like most malware. That’s significant, because it makes detection by anti-malware much more difficult.

There are several types of rootkits, but three make up the vast majority of those seen in the wild: user-mode, kernel-mode, and firmware rootkits. User-mode and kernel-mode may need some explanation:

User-mode: Code has restricted access to software and hardware resources on the computer. Most of the code running on your computer will execute in user mode. Due to the restricted access, crashes in user-mode are recoverable.
Kernel-mode: Code has unrestricted access to all software and hardware resources on the computer. Kernel mode is generally reserved for the most trusted functions of the operating system. Crashes in kernel-mode aren’t recoverable.
6: User-mode rootkitsIt’s now understood that user-mode rootkits run on a computer with the same privileges reserved for administrators. This means that:

User-mode rootkits can alter processes, files, system drivers, network ports, and even system services.
User-mode rootkits remain installed by copying required files to the computer’s hard drive, automatically launching with every system boot.
Hacker Defender is one example of a user-mode rootkit. Luckily Mark Russinovich’s well-known application Rootkit Revealer can detect it, as well as most other user-mode rootkits.

7: Kernel-mode rootkitsSince rootkits running in user-mode can be found and removed, rootkit designers changed their thinking and developed kernel-mode rootkits. Kernel-mode means the rootkit is installed at the same level as the operating system and rootkit detection software. This allows the rootkit to manipulate the operating system to a point where the operating system can no longer be trusted.

Instability is the one downfall of a kernel-mode rootkit, typically leading to unexplained crashes or blue screens. At that point, it might be a good idea to try GMER. It’s one of a few trusted rootkit removal tools that has a chance against kernel-mode rootkits, like Rustock.

8: Firmware rootkitsFirmware rootkits are the next step up in sophistication, with rootkit developers figuring out how to store rootkit malcode in firmware. The altered firmware could be anything from microprocessor code to PCI expansion card firmware. This means that:

When the computer is shut down, the rootkit writes the current malcode to the specified firmware.
Restart the computer and the rootkit reinstalls itself.
Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business.

9: Malicious mobile codeIn relative anonymity, malicious mobile code is fast becoming the most effective way to get malware installed on a computer. Mobile code is software that’s:

Obtained from remote servers.
Transferred across a network.
Downloaded and executed on a local system.
Examples of mobile code include JavaScript, VBScript, ActiveX controls, and Flash animations. The primary idea behind mobile code is active content, which is easy to recognize. It’s the dynamic page content that makes Web browsing an interactive experience.

What makes mobile code malicious? Installing it without the owner’s permission or misleading the user as to what the software does. To make matters worse, it’s usually the first step of a combined attack, similar to the penetration tool used by Trojan horse malware. After that, the attacker can install additional malware.

The best way to combat malicious mobile code is to make sure that the operating system and all ancillary software are up to date.

10: Blended threatMalware is considered a blended threat when it seeks to maximize damage and propagate efficiently by combining several pieces of single-intentioned malcode. Blended threats deserve special mention, as security experts grudgingly admit they’re the best at what they do. A blended threat typically can:

Exploit several known vulnerabilities or even create vulnerabilities.
Incorporate alternate methods for replicating.
Automate code execution, which eliminates user interaction.
Blended threat malware, for example, may send an HTML e-mail message containing an embedded Trojan horse along with a PDF attachment containing a different type of Trojan horse. Some of the more famous blended threats are Nimda, CodeRed, and Bugbear. Removing blended threat malware from a computer may take several pieces of anti-malware, as well as using malware scanners installed on a LiveCD.

《endurer注：1、Nimda - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Nimda

2、Code Red (computer worm) - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Code_Red_(computer_worm)
3、Bugbear - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Bugbear》

Final thoughts
Is it even possible to reduce the harmful effect malware causes? Here are a few final thoughts on that subject:

Malware isn’t going away any time soon. Especially when it became evident that money, lots of money, can be made from its use.
Since all anti-malware applications are reactionary, they are destined to fail.
Developers who create operating system and application software need to show zero tolerance for software vulnerabilities.
Everyone who uses computers needs to take more ownership in learning how to react to the ever-changing malware environment.
It can’t be stressed enough: Please be sure to keep operating system and application software up to date.