Вы находитесь на странице: 1из 8

Owens 1

Savannah Owens
Connie Douglas
ENGL 2116-007
09 November 2016
How to Detect and Destroy Computer Viruses and Malware
Introduction
Over many years now, computer viruses and malware have been a repeating issue to all
computers. What is a computer virus and what is malware? A computer virus is malware that,
when executed, tries to replicate itself into other executable code; when it succeeds, the code is
said to be infected (Aycock 14). Malware is software whose intent is malicious, or whose effect
is malicious (Aycock 2). Most of the time, viruses are sent out for bad intention. Hackers have
some kind of purpose behind the viruses and malware put into computers. Whether it is to steal
someones information, or hack into a company. There are so many different kinds of viruses and
malware out there that it nearly impossible to find all of them. The list goes on for some time.
This report will first cover the basics of understanding what the different kinds of viruses
and malware are in order to be able to recognize them. Once a virus is recognized, detection will
be the next step. Detecting the type of virus is very important, so then action can be taken on
how to destroy this virus with the best solution there is. Therefore, the main processes are
detecting the virus, identifying what kind of virus it is, and then disinfecting this virus. This
specific technique is performed by an anti-virus software system. Four major threats in the
computer world are spam, bugs, denial of service, and malicious software.

Owens 2

Four Key Threats


Spam is often described as an abundance of unwanted bulk emails that outbreak the
mailboxes of internet users all around the world. Statistics suggest that over seventy percent of
email traffic currently falls under the category of spam (Aycock 1). Apparently, attackers have
found convenience in co-operating with spammers by using these email lists to send mass
quantities of spam, which usually contains other malware attached to the email. Bugs are errors
in the software that can easily just kill off the software immediately. Bugs can also result in data
corruption, security weaknesses, and hard-to-find problems. (Aycock 1) Denial of service is an
attack that can use up all available disk space on a system thus other users cannot make use of it
(Aycock 2). This problem causes traffic on the network so real traffic on the network cannot get
through which is a denial of service. The last key threat is malicious software. This is one of the
main threat that is struggled with today. It is software whose main intension is malicious or effect
is malicious (Aycock 2). It covers a wide variety of threats like viruses, worms, Trojan horses,
and spyware. Malware has a big connection to all these threats, so addressing so addressing this
is important to improve our computer society.
Malware Types
Malware has become the greatest external threat to most systems, causing damage and
requiring extensive recovery efforts within most organizations (Mell, Kent and Nusbaum 2-11).
Malware can be broken into types according to the malwares method of operation. It has
multiple major categories which are viruses, worms, Trojan horses, malicious mobile code,
blended attacks, tracking cookies, attacker tools, backdoors, keystroke loggers, rootkits, web
browser plug-ins, e-mail generators, and attacker toolkits (Mell, Kent and Nusbaum 2-12). Antivirus is capable of detecting all of these types of malware. There are three pretty common types

Owens 3

and the first one of those is a logic bomb which consists of two parts, payload and trigger. A
payload is the action to perform that has the implication of having a malicious effect. A trigger is
a Boolean condition that evaluates and controls when the payload is executed. An exact trigger is
limited by the imagination. Logic bombs can be inserted into code that already exists or it could
be standalone. Another type of malware is a Trojan horse which is a program that appears
harmless in the task it is completing, but really it secretly performs an additional malicious task.
One last example is a back door. This is mechanism that bypasses a normal security check.
Similar to logic bombs, back doors can be placed into actual code or they can be standalone.
Viruses
A computer virus has three parts which are infection mechanism, trigger, and payload.
The infection mechanism is how the virus spreads, which is done by modifying other code to
contain the virus. The trigger is where it is decided whether the payload should be delivered or
not. Payload is what the virus does, this might include intentional or accidental damage.
Accidental damage can happen from bugs that are in the virus or maybe multiple viral infections
that were unanticipated. Infection is one of the most important characters in defining a virus, the
trigger and payload are optional. An infection is performed by selecting a target and infecting it.
Some targets that are locally accessible might include code that is in shared network directories.
Viruses can be classified in many different ways, but our main focus here is detecting the virus
and being able to destroy the virus (Aycock 27).
Detection
Detection is one of the most important tasks in taking steps to remove a virus. The most
pure forms of detection are detecting whether or not some code is a virus or not which results in

Owens 4

a yes or no answer. This is a Boolean value since it is either yes or no. Before detecting, there are
ways to follow in preventing viruses. For one, do not click on random pop up ads that look
suspicious. Also, do not download anything that says, In order to view this, download this, Las
thing is, try not to open spam emails. Some common ways that may signify the computer is
infected with a virus or malware is if it slows down, will not shut down, has a lot of pop-up ads,
and displays unintended webpages (Minimizing the Effects of Malware on your Compute, 2).
Detecting a virus is not an easy process. Viruses can be made so that they are undetectable by
some anti-virus software programs. Even if a virus cannot run, it should always be detected still.
It is still useful to detect in case it affects another system. Organizations should strive to detect
malware incidents rapidly because infections can spread throughout an organization in just a
matter of minutes (Mell, Kent and Nusbaum 4-5). One reason why detection is so important is
because you cannot identify it or disinfect it without having detected the virus first. Detection
methods can be described as either static or dynamic which depends on whether the virus code is
running or not when the detection occurs. There are three static detection techniques which are
scanners, heuristics, and integrity checkers. A scanner is usually referred to as a type of anti-virus
software, but it is classified based on when it is invoked. A scanner could either be categorized as
on-demand or on-access. The on-demand scanners run when they are physically started by the
user. Using the on-demand scanner is useful when there is a new virus database installed. Staring
the scanner by the user may also be helpful when there is an infection inspected, or if a
questionable file is downloaded. The on-access scanners are run continuously when accessed.
They continuously scan every file. A virus is distinguished by a pattern, or signature, which is a
sequence of bytes which characterize the virus uniquely. Scanning is a common way of searching
for viruses. Scanning is the process of searching for viruses by looking through a file for

Owens 5

signatures, the code that does the search is the scanner. There are thousands of signatures to look
for so searching for them one at a time is nearly impossible. Two other things that are important
that involve detection are intrusion detection and intrusion prevention. Intrusion detection is the
process of collecting information about events occurring in a computer system or network and
analyzing them for signs of intrusions (Bosworth, Kabay and Whyne 27.1.1). Intrusion
prevention is the process of coupling intrusion detected with specified responses to certain
detected intrusion scenarios (Bosworth, Kabay and Whyne 27.1.2). These are both a necessary
function in most system security strategies.
Identification
Once a virus is detected, what kind of virus is it? After completing the detection process,
it does not necessarily provide whether or not the code is infected. Anti-virus software programs
usually perform a secondary verification after the initial detection has occurred. The main goal is
for incident handlers to be as certain as possible that an incident is caused by malware and to
have a basic understanding of the type of malware threat that is responsible; such as, a worm or
Trojan horse (Mell, Kent and Nusbaum 4-8). Identification is quite often necessary in order to
perform disinfection, and to prevent being led astray. Many virus writers will intentionally make
their virus look like a different virus. If no identification takes place, then an anti-virus software
can easily misidentify the type of virus and do unintentional damage to a system due to it
(Aycock 81). If the source of the incident cannot be easily confirmed, it is usually better to
continue as if it were caused by malware and to alter the response efforts later if it is discovered
that malware is not associated with it. A big part in the identification process is identifying
characteristics of the malware activity by examining the detection sources. It is very helpful to
understand the activitys characteristics when assigning an appropriate priority to the incident

Owens 6

response efforts. Once the incident handlers have reviewed the detection sources data and
identified some characteristics of the malware, it should not be too hard to be able to search for
those characteristics and then identify which kind of malware is most likely the cause (Mell,
Kent and Nusbaum 4-8). Identification and verification can be done in quite a number of ways
once all of the information has been made available from detection. One way is to compare the
found virus to a known copy of the virus. Another way is using virus-specific signatures for
detection methods that are not signature based to start off with. A different way is to check the
sum all or just part of the suspected virus and then compare the known sum of that virus to the
computed sum. The last one is calling special-purpose code to do the identification, which can be
written in a domain-specific or general-purpose programming language (Aycock 81 and 82).
Disinfection
Disinfection does not necessarily mean that the infected virus has been restored to its
original state even if the disinfection was successfully performed. Disinfecting does two things,
it stops the spread of the malware and prevents further damage to systems (Mell, Kent and
Nusbaum 4-10). Disinfection is not possible in all cases and not every malware incident requires
disinfection actions. There are many different ways that disinfection can be performed. It is very
important for an organization to decide what methods of disinfection to use early on in the
response. One way to start with disinfecting is to restore the infected files from backups. Most
everyone keeps backups of their files; therefore, the affected files can then be restored to their
backed-up state. Virus-specific is another way to approach disinfecting. An anti-virus software
can encode in its database the necessary information to disinfect any known viruses. There are
free anti-virus software programs and ones that have a cost. Anti-virus software programs with a
price are more effective, but the free ones are still effective. Many viruses have common

Owens 7

characteristics thus when it comes to disinfecting, it is just a matter of using generic disinfection
routines within the correct areas. Virus-behavior specific is another technique. Disinfection can
be performed based on assumptions about the viral behavior. Anti-virus software can store
information in advance that can be used later on for disinfection. Necessary information that
should be stored is the program header, file length, and a checksum of the executable files
contents. Storing this information would be beneficial and save time in the long run if these are
stored ahead of time.
Conclusion
In conclusion, there are three main steps to follow when building up to destroying viruses
and malware. The three steps are detection, identification, and disinfection. It is very important
to detect whether or not a piece of code is a virus or not. Once a virus or malware is detected, it
needs to be identified. Identification is key in order to know what specific steps to take when it
comes to knowing how to disinfect the virus or malware which is the final step. Viruses and
malware will continue to be a reoccurring issue but there are always precautions and steps to
destroy them if needed.

Owens 8

Works Cited Page


Aycock, John D. Computer Viruses and Malware. New York: Springer, 2006. Internet resource.
Bosworth, Seymour, Michel E. Kabay, and Eric Whyne. Computer Security Handbook. , 2014.
Internet resource.
Mell, Peter, Karen Kent, and Joseph Nusbaum. Guide to Malware Incident Prevention and
Handling. Gaithersburg, MD: U.S. Dept. of Commerce, Technology Administration,
National Institute of Standards and Technology, 2005. Internet resource.
Minimizing the Effects of Malware on Your Computer. Washington, D.C.: Federal Trade
Commission, 2008. Internet resource.