Proactive Defense verdicts: Knowing the details of virus penetration and getting rid of them: Concerning Viruses IV
This section covers Proactive Defense verdicts. Note that not every verdict should be taken as a threat: some of these operations are normal behavior for programs running on the computer, or the operating system's reaction to those programs. In some cases, however, the same operations can be triggered by hacker activity or malicious programs.
Verdicts with a high danger level are highlighted in red throughout the text. Verdicts that are not always indicative of threats are in black.
Stack Overflow
Stack overflow is one of the most common techniques today for gaining unauthorized access to a system.
The concept works as follows. A program usually needs a stack structure in RAM where it can store and retrieve intermediate values. When the program calls a procedure or subprogram, it pushes the return address onto the stack, so that the procedure knows where to return control once it is complete. A stack overflow occurs when a block of data larger than the space reserved for it is written to the stack. The excess data land in the part of the stack that holds the return address used to come back from the procedure correctly. The overflow thus alters the normal flow of the program: instead of returning to the correct location and continuing, execution is transferred to whatever address overwrote the saved return address.
To cause a stack overflow, hackers use exploits: programs containing machine instructions that the processor executes. The address the processor jumps to as a result of the stack overflow is specified in these instructions.
The likelihood of a stack overflow when using standard programs in normal mode is extremely low. When a stack overflow is detected, it very likely means that this vulnerability is being exploited for malicious ends.
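The overflow mechanism described above comes down to an unbounded copy into a fixed-size stack buffer. The following added example (not part of the original text or of Kaspersky's product) shows that pattern next to a checked version that measures the input before copying, which is the defensive fix that removes the verdict's trigger at the source. The function names and the 16-byte buffer are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* room for 15 characters plus the terminating NUL (assumed size) */

/* Unsafe form: strcpy() keeps copying until it meets the NUL byte of the
 * source, so an input of NAME_LEN bytes or more runs past 'name' into the
 * rest of the stack frame, including the saved return address described in
 * the text. It is shown only to contrast with the checked form below and is
 * never called here. */
void greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);          /* no bound: writes past 'name' if input is too long */
    printf("hello, %s\n", name);
}

/* Checked form: look for the terminator within the buffer size first and
 * refuse anything that would not fit, so the copy can never leave 'name'.
 * Returns 0 when the name was accepted and -1 when it was rejected. */
int greet_checked(const char *input)
{
    char name[NAME_LEN];
    const char *nul = memchr(input, '\0', NAME_LEN);  /* inspects at most NAME_LEN bytes */
    if (nul == NULL)                                  /* no terminator in range: too long */
        return -1;
    memcpy(name, input, (size_t)(nul - input) + 1);   /* bounded copy, terminator included */
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    greet_checked("alice");                                  /* fits: printed */
    if (greet_checked("a-name-far-longer-than-fifteen-bytes") != 0)
        puts("rejected: input would overflow the buffer");
    return 0;
}
```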
Data Execution
This technique exploits errors in software installed on your computer: errors that allow data supplied by a malicious object to replace correct data, so that these data are then processed incorrectly.
The most common targets of attacks using data execution are browsers, many of which do not perform the necessary checks while viewing web pages, images, and multimedia, so malicious code embedded in objects on web pages can gain control.
Microsoft uses DEP (Data Execution Prevention) in Microsoft Windows to stop memory regions that hold data from being executed as code. This solution is included in updates for Microsoft Windows XP and Microsoft Windows Server 2003.
Hidden Install
Hidden Install is the process of installing a malicious program or running executable files without notifying the user. A hidden install process can be detected using standard tools such as Microsoft Windows Task Manager, but since no standard installation windows appear on screen when the malicious program is installed, it is unlikely that a user would think to check the processes running in the system.
Hidden Object
Hidden Object is a process that standard tools (Microsoft Windows Task Manager, Process Explorer, etc.) cannot detect. A rootkit, literally a toolkit for gaining root user rights, is a program or set of programs for hidden control of a hacked system. The term comes from UNIX.
Within Microsoft Windows, "rootkit" generally refers to a program used to mask software installed on the system; it intercepts and distorts system messages about the processes running in the system and the folders on drives. In other words, a rootkit works like a proxy server, letting some information through and blocking or distorting the rest. In addition, rootkits can generally mask the presence in the system of any processes, folders and files on disk, and registry keys described in their configuration. Many masking programs install their own drivers and services in the system, which are therefore invisible to system administration tools like Task Manager or Process Explorer, as well as to anti-virus programs.
This vulnerability consists of rerouting the input/output of the command prompt (usually to the network), which is generally used to gain remote access to a computer.
The malicious object attempts to gain access to the command line on the victim computer, from which further commands will be executed. Access is usually gained through a remote attack and by running a script that takes advantage of this vulnerability. The script launches a command line interpreter on the computer with its input and output connected over TCP. The hacker can then control the system remotely.
Starting Internet Browser
Browsers can be started hidden, and data can be sent to them for hackers to exploit later. Monitoring browsers being opened enables you to intercept this.
Browsers are usually opened with settings containing, for example, user passwords, whenever the user clicks a link in the body of an e-mail in a mail client or an instant messaging program, which is not a suspicious action. If you add a mail client and ICQ to the trusted zone, meaning you allow only certain programs to open browser windows with settings, all other cases in which data is transmitted through a browser by a hacker rather than the computer user may be assessed as suspicious.
This refers to detection not of dangerous or suspicious behavior of a specific process but of a change in the state of the operating system itself, such as direct memory access or modification of an R0-R3 access point.
This group of malicious action detectors includes Trojan.generic, Worm.generic, and Worm.P2P.generic, fairly complex algorithms for detecting dangerous behavior. A verdict that a certain process is most likely an unknown malicious process is issued based on analysis of a set of actions, not on one or two factors. The Generic verdict is not assigned the first time a suspicious action is attempted. Each time a suspicious action is made, the suspicion rating of the process rises, and Proactive Defense acts on the process as soon as the rating reaches a critical level. This method ensures an extremely low level of false positives, since the likelihood of a benign program displaying several aspects of malicious activity at once is extremely low.
Actions that affect the suspicion rating:
- actions typical of infections or of malicious objects injecting themselves into the system;
- directly malicious actions;
- actions typical of replicating malicious objects.
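The rating accumulation described above, as an added illustration that is not part of the original text or of the product's own logic: each of the three action classes listed adds to a per-process rating, and the Generic verdict fires only when the accumulated rating reaches a critical level, never on a single action. The weights, the critical level, and the two sample traces are assumed values chosen for the example.

```c
#include <stdio.h>

/* The three classes of action the text lists as raising a process's suspicion
 * rating. Weights and the critical level are assumed values for this
 * illustration, not the product's real ones. */
enum action_class { INJECTION = 0, DIRECT_MALICIOUS = 1, REPLICATION = 2 };
static const int WEIGHT[] = { 30, 50, 40 };
#define CRITICAL_LEVEL 100

struct process_state {
    int rating;     /* accumulated suspicion for one process */
    int verdict;    /* 0 = none yet, 1 = Generic verdict issued */
};

/* Record one suspicious action. No single action produces the verdict; it is
 * issued only once the accumulated rating reaches the critical level.
 * Returns the verdict state after this action. */
int record_action(struct process_state *p, enum action_class c)
{
    if (p->verdict)                     /* already decided: nothing to add */
        return 1;
    p->rating += WEIGHT[c];
    if (p->rating >= CRITICAL_LEVEL)
        p->verdict = 1;
    return p->verdict;
}

/* Replay a sequence of observed actions and return the 0-based index of the
 * action at which the verdict fired, or -1 if the critical level was never
 * reached (the expected outcome for a benign program). */
int first_verdict_index(const enum action_class *seq, int n)
{
    struct process_state p = { 0, 0 };
    for (int i = 0; i < n; i++)
        if (record_action(&p, seq[i]))
            return i;
    return -1;
}

/* Constructed traces: an installer that injects into one process and stops,
 * and an unknown program that injects, acts maliciously, then replicates. */
static const enum action_class TRACE_INSTALLER[] = { INJECTION };
static const enum action_class TRACE_UNKNOWN[] = { INJECTION, DIRECT_MALICIOUS, REPLICATION };

int main(void)
{
    printf("installer: verdict at action %d\n", first_verdict_index(TRACE_INSTALLER, 1)); /* -1 */
    printf("unknown:   verdict at action %d\n", first_verdict_index(TRACE_UNKNOWN, 3));   /* 2 */
    return 0;
}
```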
Application Integrity Control
This event signifies that the executable file of the monitored application has been modified since it was last run. It should be pointed out that an executable file could have been modified by malicious code injecting itself into the application or by a standard program update, such as the executable file for Microsoft Internet Explorer being modified by Microsoft Windows updates.
An integrity violation is when one or several modules of a monitored application have been modified since the application was last run. The modification could have come from a program update and not only from malicious code injecting itself into the application (for example, the libraries used by Microsoft Internet Explorer could be modified by a Microsoft Windows update).
The Application Integrity Control module has an additional feature for monitoring application start. In this mode, Kaspersky Anti-Virus issues a warning whenever an application specified by the user is started. The warning only appears if the rule Run: Prompt for action is configured for the monitored application. This mode is disabled by default.
Running as child
There are a number of malicious programs that use well-known programs to create data leaks or to download malicious code from the Internet. To do so, the malicious program opens a standard program that the firewall rules and other defense tools allow to access the Internet (a web browser, for example). When this happens, the monitored application is run as a child process.
The warning only appears if the rule Run child process: Prompt for action is configured for the monitored application. Since some programs are run by others as child processes, the event is common enough that warnings are not displayed for it by default, although the events are logged in Proactive Defense operation reports.
Hosts File
The hosts file is one of the most important system files of Microsoft Windows. It is designed to redirect access to websites by translating server names into IP addresses, as DNS servers do, but right on the local computer. The hosts file is a plain text file, with each line defining the correspondence between the name of a server (host name) and its IP address.
Malicious programs often use this file to redefine the addresses of anti-virus update servers, blocking any chance of updating and thus preventing the malicious program from being detected, as well as for other ends.
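A defender can look for exactly that hijack by parsing the hosts file and reporting any line that mentions an update server name at all, since a clean hosts file has no reason to contain one. The following added example (not from the original text or the product) does this over a constructed hosts sample; the watched names are placeholders, not a real vendor's servers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample hosts file (not from any real machine): a comment, the
 * normal localhost entry, and two lines that pin update server names
 * (placeholder names, not a real vendor's) to addresses that go nowhere. */
static const char SAMPLE_HOSTS[] =
    "# hosts file sample\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1 update.example-av.invalid    # added by malware\n"
    "0.0.0.0   downloads.example-av.invalid dnl.example-av.invalid\n";

/* Names a clean hosts file has no reason to mention at all (placeholders). */
static const char *const WATCHED[] = {
    "update.example-av.invalid", "downloads.example-av.invalid", "dnl.example-av.invalid"
};
#define WATCHED_COUNT 3

static int is_watched(const char *host, const char *const *watch, int nwatch)
{
    for (int i = 0; i < nwatch; i++)
        if (strcmp(host, watch[i]) == 0) return 1;
    return 0;
}
/* Walk the text line by line; each line is "<ip> <name> [<name> ...]" with an
 * optional '#' comment. Every watched name found is counted as a hijack,
 * whatever address it maps to. Returns the number of hijacked names. */
int count_hijacked_entries(const char *text, const char *const *watch, int nwatch)
{
    char line[512];
    int found = 0;
    while (*text != '\0') {
        size_t full = strcspn(text, "\n");                 /* length of this line */
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, text, n); line[n] = '\0';             /* copy (truncated if huge) */
        text += full + (text[full] == '\n');                /* step past the newline */
        char *hash = strchr(line, '#');
        if (hash != NULL) *hash = '\0';                     /* strip the comment */
        char *tok = strtok(line, " \t\r");                  /* first token: the address */
        if (tok == NULL) continue;                          /* blank or comment-only line */
        while ((tok = strtok(NULL, " \t\r")) != NULL)       /* remaining tokens: names */
            if (is_watched(tok, watch, nwatch)) found++;
    }
    return found;
}

int main(void)
{
    printf("hijacked entries: %d\n", count_hijacked_entries(SAMPLE_HOSTS, WATCHED, WATCHED_COUNT));
    return 0;
}
```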
Invader / Loader
There are countless varieties of malicious programs that are masked as executable files, libraries, or plug-ins for well-known programs and load themselves into standard processes. A data leak from the user's computer can be orchestrated in this way. Network traffic initiated by malicious code will pass through the firewall freely, since the firewall thinks that this traffic belongs to an application that is allowed to access the Internet.
Trojans commonly invade other processes. However, a number of benign programs, updates, and installer programs also exhibit this behavior. You should only allow this type of activity if you are certain that the program being loaded is harmless.
Keylogger
Keyloggers are programs that record every key you press on your keyboard. This type of malware can send information harvested from the keyboard (logins, passwords, and credit card numbers) to a hacker. However, standard programs can also log keys. Keylogging is often used to call up program functions from different applications using hotkeys.
Registry Access
Registry access tracks modifications to registry keys.
Malicious programs modify the registry to register themselves so they start automatically when you start your operating system, to change your homepage in Microsoft Internet Explorer, and other destructive actions. However, remember that standard applications might also access the system registry.
The module contains a predefined list of six groups of critical keys. Users may also add their own groups of keys and configure rules for various programs to access them.
The module enables you to intercept attempts to create hidden keys in the registry that are not displayed by standard programs, such as regedit. Keys are created with incorrect names so that the registry editor cannot display these values correctly, which makes it more difficult to diagnose malicious software in the system.
Trojan Downloader
Trojan Downloader is a program whose chief function is the hidden, unauthorized downloading of software from the Internet. Hacker sites are the best known source of Trojan Downloaders. A Trojan Downloader is not a direct threat on its own; it is dangerous precisely because it downloads and starts software without any control. Trojan Downloaders are mostly used for downloading and running viruses, Trojans, and spyware.
The information presented herein is adapted from the Help and Support section of Kaspersky Anti-Virus 7.0; further details can be obtained from the following related links:
- Kaspersky Lab Web Forum: http://forum.kaspersky.com
- General Information in Viruses: http://www.viruslist.com
- Google search for Proactive Defense verdicts
- Brontok Virus, Public Library and my flash drive
- The easiest way to remove viruses/malwares without installing any antivirus software