
Threats of introducing malicious programs over the network. Threats of remote application launch

The threat consists in the intention to launch various previously implanted malicious programs on the host: implanted programs, viruses and "network spies", whose main purpose is to violate the confidentiality, integrity and availability of information and to gain full control over the operation of the host. In addition, unauthorized launch of user application programs is possible in order to obtain data the intruder needs without authorization, to start processes controlled by the application program, etc.

Three subclasses of these threats are distinguished:

    distribution of files containing unauthorized executable code;

    remote application launch by overflowing application buffers;

    remote application launch using the remote control capabilities of the system provided by hidden software and hardware implants or by standard management tools.

Typical threats of the first subclass rely on the distributed files being activated when they are accidentally accessed. Examples of such files are: documents containing executable code in the form of ActiveX controls, Java applets or interpreted scripts (for example, JavaScript text); files containing executable program code. E-mail services, file transfer and the network file system can be used to distribute the files.

Threats of the second subclass exploit deficiencies of the programs implementing network services (in particular, the absence of buffer overflow checks). By setting system registers it is sometimes possible, after the interrupt caused by the buffer overflow, to switch the processor to executing code placed beyond the bounds of the buffer. A widely known example of the realization of such a threat is the "Morris virus".

In threats of the third subclass the intruder uses the remote control capabilities of the system provided by hidden components (for example, Trojan programs such as Back Orifice and NetBus) or by standard tools for managing and administering computer networks (LANDesk Management Suite, ManageWise, Back Orifice, etc.). As a result of their use, remote control over a workstation on the network can be achieved.

If the PDn processed in the institution are not transmitted over public communication networks or international information exchange networks, and antivirus protection is installed, then the probability of the threat being realized is "unlikely".

In all other cases the likelihood of the threat must be estimated.

A generalized list of the probabilities of threat realization for the different types of ISPDn is given in Table 12.

Table 12.

| Type of ISPDn | Likelihood of the threat | Coefficient of probability of threat realization by the intruder |
| --- | --- | --- |
| Autonomous IS, type I | unlikely | |
| Autonomous IS, type II | | |
| Autonomous IS, type III | unlikely | |
| Autonomous IS, type IV | | |
| Autonomous IS, type V | unlikely | |
| Autonomous IS, type VI | | |
| Local IS, type I | unlikely | |
| Local IS, type II | | |
| Distributed IS, type I | unlikely | |
| Distributed IS, type II | | |

Edition of 15.02.2008

"Basic model of threats to the security of personal data during their processing in personal data information systems" (approved by the FSTEC of Russia on 15.02.2008)

5. Threats of unauthorized access to information in the personal data information system

Threats of unauthorized access (NSD) in the ISPDn using software and software-hardware tools are realized through unauthorized, including accidental, access, as a result of which the confidentiality (copying, unauthorized distribution), integrity (destruction, modification) and availability (blocking) of PDn are violated, and include:

threats of access (penetration) into the operating environment of the computer using standard software (operating system tools or general-purpose application programs);

threats of creating abnormal operating modes of software (software-hardware) tools by deliberately changing service data, ignoring the limitations on the composition and characteristics of the processed information stipulated in standard conditions, distorting (modifying) the data themselves, etc.;

threats of introducing malicious programs (software-mathematical impact).

The composition of the elements of the description of NSD threats to information in the ISPDn is shown in Figure 3.

In addition, combined threats are possible, which are a combination of the threats listed. For example, the introduction of malicious programs may create conditions for NSD into the operating environment of the computer, including by forming non-traditional information access channels.

Threats of access (penetration) into the operating environment using standard software are divided into threats of direct access and threats of remote access. Threats of direct access are carried out using the software and software-hardware input/output tools of the computer. Threats of remote access are realized using network interaction protocols.

These threats are realized both against an ISPDn based on a standalone automated workstation not connected to public communication networks, and against all ISPDn that have a connection to public communication networks and international information exchange networks.

The description of the threats of access (penetration) into the operating environment of the computer can formally be represented as follows:

NSD threat in the ISPDn := <threat source>, <ISPDn vulnerability>, <threat implementation method>, <object of impact (program, protocol, data, etc.)>, <destructive action>.

Figure 3. Elements of the description of NSD threats to information in the ISPDn

Threats of creating abnormal operating modes of software (software-hardware) tools are "denial of service" threats. As a rule, these threats are considered for ISPDn based on local and distributed information systems, regardless of information exchange. Their realization is due to the fact that, when developing system or application software, the possibility of deliberate actions aimed at changing the following is not taken into account:

the conditions of data processing (for example, ignoring restrictions on the length of a message packet);

data representation formats (when the modified formats do not comply with those established for processing under the network interaction protocols);

data processing software.

As a result of realizing "denial of service" threats, buffer overflows and blocking of processing procedures occur, processing procedures "loop", the computer "hangs", message packets are discarded, etc. The description of such threats can formally be represented as follows:

"denial of service" threat := <threat source>, <ISPDn vulnerability>, <threat implementation method>, <object of impact (PDn carrier)>, <immediate result of threat realization (buffer overflow, blocking of the processing procedure, "looping" of processing, etc.)>.

Threats of introducing malicious programs (software-mathematical impact) are impractical to describe with the same level of detail as the threats above. This is because, first, the number of malicious programs today already significantly exceeds one hundred thousand. Second, when organizing information protection in practice it is usually sufficient to know the class of the malicious program, the methods and the consequences of its introduction (infection). In this regard, the threat of software-mathematical impact (PMW) can be formally represented as follows:

PMW threat in the ISPDn := <class of malicious program (indicating its habitat)>, <threat source (carrier of the malicious program)>, <infection method>, <object of impact (boot sector, file, etc.)>, <description of possible destructive actions>, <additional information about the threat (residency, propagation speed, polymorphism, etc.)>.

Below is the general characteristic of the sources of information security threats, of the vulnerabilities that can be used in realizing NSD threats, and of the results of unauthorized or accidental access. The characteristic of the threat implementation methods is given in the descriptions of the threats of access (penetration) into the operating environment of the computer, denial-of-service threats and PMW threats.

Sources of NSD threats in the ISPDn can be:

an intruder;

a carrier of a malicious program;

a hardware implant.

PDn security threats associated with the introduction of hardware implants are determined in accordance with the regulatory documents of the Federal Security Service of the Russian Federation, in the manner prescribed by it.

Depending on whether they have permanent or one-time access rights to the controlled zone (KZ), intruders are divided into two types:

intruders who do not have access to the ISPDn and realize threats from external public communication networks and (or) international information exchange networks are external intruders;

intruders who have access to the ISPDn, including ISPDn users, and realize threats directly in the ISPDn are internal intruders.

External intruders can be:

intelligence services of states;

criminal structures;

competitors (competing organizations);

unscrupulous partners;

external entities (individuals).

An external intruder has the following capabilities:

to carry out unauthorized access to communication channels that run outside the service premises;

to carry out unauthorized access through automated workstations connected to public communication networks and (or) international information exchange networks;

to carry out unauthorized access to information using special software impacts by means of software viruses, malicious programs, algorithmic or software implants;

to carry out unauthorized access through elements of the information infrastructure of the ISPDn that, during their life cycle (modernization, maintenance, repair, disposal), end up outside the controlled zone;

to carry out unauthorized access through the information systems of interacting departments, organizations and institutions when they are connected to the ISPDn.

The capabilities of an internal intruder depend significantly on the regime and organizational-technical protection measures in force within the controlled zone, including the admission of individuals to PDn and control over the procedure for carrying out work.

Potential internal intruders are divided into eight categories depending on the access method and the access permissions to PDn.

The first category includes persons who have authorized access to the ISPDn but do not have access to PDn. This type of intruder includes officials who ensure the normal functioning of the ISPDn.

have access to fragments of information containing PDn and circulating over the internal communication channels of the ISPDn;

have fragments of information about the topology of the ISPDn (the communication part of the subnet) and about the communication protocols and their services in use;

have the names and identify the passwords of registered users;

change the configuration of ISPDn technical means, introduce software and hardware implants, and extract information using a direct connection to the technical means of the ISPDn.

possesses all the capabilities of persons of the first category;

knows at least one legitimate access name;

has all the necessary attributes (for example, a password) providing access to a certain subset of PDn;

has confidential data to which they have access.

Their access, authentication and access rights to a certain subset of PDn should be governed by the relevant access control rules.

has all the capabilities of persons of the first and second categories;

has information about the topology of the ISPDn based on a local and (or) distributed information system through which access is carried out, and about the composition of the technical means of the ISPDn;

has the ability of direct (physical) access to fragments of the technical means of the ISPDn.

has full information about the system and application software used in the segment (fragment) of the ISPDn;

has full information about the technical means and configuration of the segment (fragment) of the ISPDn;

has access to the information protection and logging tools, as well as to individual elements used in the segment (fragment) of the ISPDn;

has access to all technical means of the segment (fragment) of the ISPDn;

has the rights to configure and administer a certain subset of the technical means of the segment (fragment) of the ISPDn.

has all the capabilities of persons of the previous categories;

has full information about the system and application software of the ISPDn;

has full information about the technical means and configuration of the ISPDn;

has access to all technical means of information processing and to the data of the ISPDn;

has the rights to configure and administer the technical means.

The system administrator configures and manages the software and the equipment, including the equipment responsible for the security of the protected object: cryptographic information protection tools, monitoring, logging, archiving, protection against NSD.

has all the capabilities of persons of the previous categories;

has full information about the ISPDn;

has access to the information protection and logging tools and to some of the key elements of the ISPDn;

does not have access rights to configure the technical means of the network, except for control (inspection).

The security administrator is responsible for compliance with the access control rules, for generating key elements and changing passwords. The security administrator audits the same object protection tools as the system administrator.

has information about the algorithms and programs for processing information in the ISPDn;

has the ability to introduce errors, undeclared capabilities, software implants and malicious programs into the ISPDn software at the stages of its development, deployment and maintenance;

may have any fragments of information about the topology of the ISPDn and about the technical means of processing and protecting the PDn processed in the ISPDn.

has the ability to introduce implants into the technical means of the ISPDn at the stages of their development, deployment and maintenance;

may have any fragments of information about the topology of the ISPDn and about the technical means of processing and protecting information in the ISPDn.

The carrier of a malicious program can be a hardware element of the computer or a software container. If the malicious program is not associated with any application program, its carrier is considered to be:

removable media, i.e. a diskette, an optical disk (CD-R, CD-RW), flash memory, a removable hard disk, etc.;

built-in media (hard disks, RAM chips, the processor, system board chips, chips of the devices built into the system unit: video adapter, network card, sound card, modem, I/O devices for magnetic hard and optical disks, power supply, etc., direct memory access chips, data buses, I/O ports);

chips of external devices (monitor, keyboard, printer, modem, scanner, etc.).

If the malicious program is associated with some application program, with files having specific extensions or other attributes, or with messages transmitted over the network, its carriers are:

packets of messages transmitted over the computer network;

files (text, graphic, executable, etc.).

5.2. General characteristics of the vulnerabilities of the personal data information system

A vulnerability of the personal data information system is a deficiency or weak point in the system or application software (software-hardware) supporting the automated information system that can be used to realize a threat to the security of personal data.

The causes of vulnerabilities are:

errors in the design and development of software (software-hardware) tools;

deliberate actions to introduce vulnerabilities during the design and development of software (software-hardware) tools;

incorrect software settings, unlawful changes of device and program modes;

unauthorized introduction and use of unaccounted-for programs with subsequent unjustified consumption of resources (processor load, seizure of RAM and of memory on external media);

introduction of malicious programs that create vulnerabilities in software and software-hardware tools;

unauthorized unintentional actions of users leading to vulnerabilities;

failures in the operation of hardware and software (caused by power failures, failure of hardware elements as a result of aging and reduced reliability, external influences of the electromagnetic fields of technical devices, etc.).

The classification of the main vulnerabilities is shown in Figure 4.

Figure 4. Classification of software vulnerabilities

Below is the general characteristic of the main groups of ISPDn vulnerabilities, including:

vulnerabilities of system software (including network interaction protocols);

vulnerabilities of application software (including information protection tools).

5.2.1. General characteristics of system software vulnerabilities

System software vulnerabilities must be considered with reference to the architecture of the computing systems.

In this case, vulnerabilities are possible:

in firmware, in the firmware of ROM and programmable ROM;

in the operating system tools intended for managing the local resources of the ISPDn (providing the functions of managing processes, memory, input/output devices, the user interface, etc.), drivers, utilities;

in the operating system tools intended for performing auxiliary functions: utilities (archiving, defragmentation, etc.), system processing programs (compilers, linkers, debuggers, etc.), programs providing additional services to the user (special interface options, calculators, games, etc.), libraries of procedures for various purposes (libraries of mathematical functions, I/O functions, etc.);

in the communication (network) tools of the operating system.

Vulnerabilities in firmware and in the operating system tools intended for managing local resources and performing auxiliary functions may be:

functions and procedures whose parameters, when changed in a certain way, allow them to be used for unauthorized access without the operating system detecting such changes;

fragments of program code ("holes", "hatches") introduced by the developer that allow bypassing the identification, authentication, integrity check procedures, etc.;

errors in programs (in the declaration of variables, functions and procedures, in program code) that under certain conditions (for example, when performing logical branches) lead to failures, including failures in the functioning of information protection tools and systems.

Vulnerabilities of network interaction protocols are associated with the features of their software implementation and are due to limitations on the size of the buffer used, shortcomings of the authentication procedure, the absence of checks on the correctness of service information, etc. A brief description of these vulnerabilities by protocol is given in Table 2.

Table 2

Vulnerabilities of individual protocols of the TCP/IP protocol stack, on the basis of which global public networks operate

| Protocol name | Protocol stack layer | Name (characteristic) of the vulnerability | Content of the information security violation |
| --- | --- | --- | --- |
| FTP (File Transfer Protocol): file transfer protocol over the network | | 1. Cleartext-based authentication (passwords are sent unencrypted). 2. Default access. 3. Presence of two open ports | Ability to intercept account data (registered user names, passwords). Obtaining remote access to the host |
| telnet: remote terminal control protocol | Application, presentation, session | Cleartext-based authentication (passwords are sent unencrypted) | Ability to intercept user account data. Obtaining remote access to the host |
| UDP: connectionless data transmission protocol | Transport | No buffer overload prevention mechanism | Possibility of realizing a UDP storm. As a result of the packet exchange, server performance is significantly reduced |
| ARP: protocol for translating an IP address into a physical address | Network | Cleartext-based authentication (information is sent unencrypted) | Ability for an attacker to intercept user traffic |
| RIP: routing information protocol | Transport | No authentication of control messages about route changes | Ability to redirect traffic through the attacker's host |
| TCP: transmission control protocol | Transport | No mechanism for checking the correctness of the filling of service packets | Significant reduction of the exchange rate and even complete disconnection of arbitrary TCP connections |
| DNS: protocol for mapping mnemonic names to network addresses | Application, presentation, session | No means of authenticating the source of received data | Falsification of the DNS server response |
| IGMP: routing message protocol | Network | No authentication of messages about changing route parameters | Win 9X / NT / 200 systems |
| SMTP: e-mail message delivery service protocol | Application, presentation, session | | Ability to forge e-mail messages, as well as sender addresses |
| SNMP: router management protocol | Application, presentation, session | No support for message authentication | Ability to overload network bandwidth |

To systematize the description of the set of vulnerabilities, the unified CVE (Common Vulnerabilities and Exposures) vulnerability database is used, in whose development specialists of many well-known companies and organizations took part, such as MITRE, ISS, Cisco, BindView, Axent, NFR, L-3, CyberSafe, CERT, Carnegie Mellon University, the SANS Institute, etc. This database is constantly updated and is used to populate the databases of numerous security analysis tools and, above all, network scanners.

5.2.2. General Characteristics of Applied Software Vulnerability

Application software includes general-purpose application programs and special application programs.

General-purpose application programs are text and graphics editors, media programs (audio and video players, TV reception software, etc.), database management systems, general-purpose software development platforms (such as Delphi, Visual Basic), publicly available information protection tools, etc.

Special application programs are programs developed to solve specific applied tasks in a given ISPDn (including information protection software developed for a specific ISPDn).

Vulnerabilities of application software can be:

functions and procedures belonging to different application programs that are incompatible with each other (do not function in the same operating environment) due to conflicts over the allocation of system resources;

functions and procedures whose modification in a certain way allows them to be used to penetrate the operating environment and invoke standard operating system functions, performing unauthorized access without the operating system detecting such changes;

fragments of program code ("holes", "hatches") introduced by the developer that allow bypassing the identification, authentication, integrity check procedures, etc. provided in the operating system;

absence of necessary protection tools (authentication, integrity checking, verification of message formats, blocking of unauthorized modified functions, etc.);

errors in programs (in the declaration of variables, functions and procedures, in program code) that under certain conditions (for example, when performing logical branches) lead to failures, including failures in the functioning of information protection tools and systems, and to unauthorized access to information.

Data on vulnerabilities of commercially developed and distributed application software are collected, summarized and analyzed in the CVE database<*>.

<*> Maintained by the foreign company CERT on a commercial basis.

5.3. General characteristics of the threats of direct access to the operating environment of the personal data information system

Threats of access (penetration) into the operating environment of the computer and of unauthorized access to PDn are associated with access:

to information and commands stored in the basic input/output system (BIOS) of the ISPDn, with the possibility of intercepting the operating system boot and obtaining the rights of a trusted user;

into the operating environment, that is, into the environment of the local operating system of an individual technical means of the ISPDn, with the possibility of performing unauthorized access by calling standard operating system functions or launching specially developed programs that implement such actions;

into the environment of the application programs (for example, the local database management system);

directly to user information (files, text, audio and graphic information, fields and records in electronic databases), and are due to the possibility of violating its confidentiality, integrity and availability.

These threats can be realized if physical access to the ISPDn, or at least to the means of entering information into the ISPDn, is obtained. According to the conditions of realization they can be combined into three groups.

The first group includes threats realized during operating system boot. These information security threats are aimed at intercepting passwords or identifiers, modifying the basic input/output system (BIOS) software, and intercepting boot control with changes to the technological information needed to obtain NSD into the operating environment. Most often such threats are realized using removable media.

The second group comprises threats realized after the operating environment has loaded, regardless of which application program is launched. These threats are usually aimed at performing unauthorized access to information directly. Having gained access to the operating environment, the intruder can use both standard operating system functions or any publicly available application program (for example, a database management system) and programs specially created to perform unauthorized access, for example:

programs for viewing and modifying the registry;

programs for searching text files by keywords and copying them;

special programs for viewing and copying records in databases;

programs for quickly viewing graphic files, editing or copying them;

programs supporting the reconfiguration of the software environment (settings made in the intruder's interest), etc.

Finally, the third group includes threats whose realization is determined by which application program the user launches, or by the fact of launching any application program at all. Most of these threats are threats of introducing malicious programs.

5.4. General characteristics of the threats to the security of personal data realized using internetworking protocols

If the ISPDn is implemented on the basis of a local or distributed information system, security threats using internetworking protocols can be realized in it. These may provide NSD to PDn or realize a denial-of-service threat. The threats are especially dangerous when the ISPDn is a distributed information system connected to public networks and (or) international information exchange networks. The classification scheme of threats realized over the network is shown in Figure 5. It is based on the following seven primary classification attributes.

1. The nature of the threat. On this basis the threat can be passive or active. A passive threat is a threat whose realization has no direct impact on the operation of the ISPDn, but the established rules of access control to PDn or network resources may be violated. An example of such threats is the "network traffic analysis" threat, aimed at eavesdropping on communication channels and intercepting the transmitted information.

An active threat is a threat associated with impact on the resources of the ISPDn, whose realization has a direct impact on the operation of the system (change of configuration, degradation of performance, etc.) and violates the established rules of access control to PDn or network resources. An example of such threats is the "denial of service" threat realized as a "TCP request storm".

2. The purpose of realizing the threat. On this basis the threat can be aimed at violating the confidentiality, integrity or availability of information (including disrupting the operation of the ISPDn or its elements).

3. The condition for starting the process of realizing the threat. On this basis the threat can be realized:

on request from the object against which the threat is realized. In this case the intruder waits for the transmission of a certain type of request, which will be the condition for starting unauthorized access;

Figure 5. Classification scheme of threats using inter-track interaction protocols

At the occurrence of the expected event at the facility, relative to which the threat is implemented. In this case, the violator performs permanent monitoring of the state of the operating system CADOV and when a certain event occurs in this system, unauthorized access is beginning;

unconditional impact. In this case, the beginning of the implementation of unauthorized access is unconditionally relative to the goal of access, that is, the threat is implemented immediately and irrelevant to the system status.

4. Availability feedback With keen. On this basis, the process of implementing the threat can be with feedback and without feedback. The threat carried out in the presence of feedback from the CTF is characterized by the fact that some requests transferred to the dwell to the violator are required to receive an answer. Consequently, there is a feedback between the violator and dodge, which allows the violator to adequately respond to all changes occurring in the CDN. In contrast to the threats implemented in the presence of feedback from the CD, in the implementation of threats without feedback, it is not necessary to respond to any changes occurring in the PM.

5. The location of the intruder is relatively dyed. In accordance with this sign, the threat is implemented both in-gem and integnetivity. Network segment is a physical association of hosts (technical means of dodge or communication elements having a network address). For example, the segment of the dot forms a set of hosts connected to the server according to the "Total Bus" scheme. In the case when an intra-fertile threat takes place, the violator has physical access to the hardware elements of the CAD. If an intersectional threat takes place, the intruder is located outside the dwell, implementing a threat from another network or from another segment of CAD.

6. The level of the reference model of interaction open Systems <*> (ISO / OSI), on which the threat is implemented. On this basis, the threat can be implemented on the physical, channel, network, transport, session, representative and application level of the ISO / OSI model.

<*> The International Standardization Organization (ISO) adopted the ISO 7498 standard describing the interaction of open systems (OSI).

7. The ratio of the number of violators and the elements of the dignity relative to which the threat is implemented. On this basis, the threat can be attributed to the class of threats implemented by one violator with respect to one technical means of CADing (the threat of "one to one"), immediately relative to several technical means of the CAD (the threat of "one to many") or several violators with different computers Regarding one or more technical means, the keenns (distributed or combined threats).

Taking this classification into account, the seven threats most often implemented at present can be distinguished.

1. Analysis of network traffic (Figure 6).

Figure 6. Scheme of the threat "Network traffic analysis"

This threat is implemented using a special packet analyzer program (sniffer) that intercepts all packets transmitted over a network segment and picks out those in which a user identifier and password are transmitted. During the implementation of the threat, the violator studies the logic of the network's operation, that is, seeks to establish an unambiguous correspondence between events occurring in the system and the commands sent by hosts at the moment of these events. Subsequently, this allows the attacker, by issuing the corresponding commands, to obtain, for example, privileged rights to act in the system or to expand his powers in it, to intercept the stream of data exchanged between components of the network operating system, to extract confidential or identification information (for example, static user passwords for access to remote hosts via the FTP and Telnet protocols, which do not provide for encryption), to substitute or modify it, etc.

2. Network scanning.

The essence of this threat is the transmission of requests to the network services of PDIS hosts and analysis of the responses received from them. The goal is to identify the protocols used, the ports available for network services, the rules by which connection identifiers are formed, the active network services, and user identifiers and passwords.

3. Threat of password disclosure.

The purpose of the threat is to obtain unauthorized access (NSD) by overcoming password protection. The attacker can implement the threat with a number of methods, such as simple enumeration, brute force using special dictionaries, installing a malicious program to intercept the password, substitution of a trusted network object (IP spoofing) and packet interception (sniffing). Mainly, special programs are used to implement the threat, which try to gain access to the host by sequential selection of passwords. If successful, the attacker can create a "pass" for future access, which will remain valid even if the access password on the host is changed.

4. Substitution of a trusted network object and transmission of messages over the communication channels on its behalf with assignment of its access rights (Figure 7).

Figure 7. Scheme of the threat of "substitution of a trusted network object"

Such a threat is effectively implemented in systems that use weak algorithms for identifying and authenticating hosts, users, etc. A trusted object is understood as a network object (computer, firewall, router, etc.) legally connected to the server.

Two varieties of the process of implementing this threat can be distinguished: with and without the establishment of a virtual connection.

The implementation process with establishment of a virtual connection consists in assigning the rights of a trusted subject of interaction, which allows the violator to conduct a session with a network object on behalf of the trusted subject. Implementation of a threat of this type requires overcoming the identification and authentication system (for example, an attack on the rsh service of a UNIX host).

The process of implementing the threat without establishing a virtual connection can take place in networks that identify transmitted messages only by the sender's network address. The essence is the transmission of service messages on behalf of network control devices (for example, on behalf of routers) about changes to routing data. It should be borne in mind that the only identifiers of subscribers and connections (over TCP) are two 32-bit parameters: the Initial Sequence Number (ISS) and the Acknowledgment Number (ACK). Consequently, to form a false TCP packet, the violator needs to know the current identifiers for the given connection, ISSa and ISSb, where:

ISSa is a numerical value characterizing the sequence number of the TCP packets sent, established by the TCP connection initiated by host A;

ISSb is a numerical value characterizing the sequence number of the TCP packets sent, established by the TCP connection initiated by host B.

The ACK value (the TCP connection acknowledgment number) is defined as the ISS value (sequence number) received from the responder plus one: ACKb = ISSa + 1.

As a result of implementing the threat, the violator obtains the access rights that its user has established for the trusted subscriber to the technical means of the PDIS.
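The acceptance rule ACK = ISS + 1 stated above is the only thing a responder can check when it trusts the sender's address, so the defence rests on the ISS being unguessable. The following added example (written for this page, not taken from the document) models that check and compares a constructed weak ISS generator with the keyed-hash scheme of RFC 6528; the secret, addresses and port are constructed values.

```python
import hashlib
import hmac

MOD32 = 1 << 32


def handshake_accepts(issb: int, ack: int) -> bool:
    """Responder-side check from the text: the third segment of the handshake
    is valid only if ACK = ISSb + 1 (modulo 2^32)."""
    return ack == (issb + 1) % MOD32


def predictable_iss(previous_iss: int) -> int:
    """Constructed weak generator: ISS advances by a fixed constant for each
    new connection, so one observed value reveals all later ones."""
    return (previous_iss + 64000) % MOD32


def rfc6528_iss(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                secret: bytes, clock_us: int) -> int:
    """RFC 6528 scheme: ISS = M + F(4-tuple, secret), where M is a timer that
    advances every 4 microseconds and F is a keyed hash of the connection tuple."""
    four_tuple = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    f = int.from_bytes(digest[:4], "big")
    return (clock_us // 4 + f) % MOD32


def iss_is_inferable(observed: list[int]) -> bool:
    """Defender's sanity check on a generator: if every successive ISS differs
    by the same constant, a peer that opened one legitimate connection can
    compute the ISS the responder will hand to any other (spoofed) address."""
    deltas = {(b - a) % MOD32 for a, b in zip(observed, observed[1:])}
    return len(observed) >= 3 and len(deltas) == 1


def sample_weak(n: int, start: int = 12345) -> list[int]:
    """n consecutive values from the weak generator."""
    out, cur = [], start
    for _ in range(n):
        cur = predictable_iss(cur)
        out.append(cur)
    return out


def sample_rfc6528(n: int) -> list[int]:
    """n values for n distinct client ports connecting to the rsh port (514);
    the secret is a constructed value and would be a per-boot random key."""
    secret = b"constructed-secret-for-this-example"
    return [
        rfc6528_iss("192.0.2.10", "192.0.2.1", 40000 + i, 514, secret, 1_000_000 + 4 * i)
        for i in range(n)
    ]
```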

5. Imposing a false network route.

This threat is implemented in one of two ways: by intra-segment or inter-segment imposition. The possibility of imposing a false route is due to shortcomings inherent in routing algorithms (in particular, the problem of identifying network control devices), as a result of which traffic can be redirected, for example, to the attacker's host or network, from which the operating environment of a technical means in the PDIS can be entered. The threat is implemented through unauthorized use of routing protocols (RIP, OSPF, LSP) and network management protocols (ICMP, SNMP) to make changes to routing tables. To do this, the violator must send a control message on behalf of a network control device (for example, a router) (Figures 8 and 9).

Figure 8. Scheme of implementation of the "Imposing a false route" attack (intra-segment) using the ICMP protocol in order to disrupt communication

Figure 9. Scheme of implementation of the "Imposing a false route" threat (inter-segment) in order to intercept traffic

6. Implementation of a false network object.

This threat is based on exploiting shortcomings of remote search algorithms. If network objects initially have no address information about each other, various remote search protocols are used (for example, SAP in Novell NetWare networks; ARP, DNS, WINS in networks with the TCP/IP protocol stack), which consist in transmitting special requests over the network and receiving responses to them containing the sought information. In this case, it is possible for the violator to intercept the search request and issue a false response to it, the use of which will lead to the desired change in routing and address data. Subsequently, the entire flow of information associated with the victim object will pass through the false network object (Figures 10 - 13).

Figure 10. Scheme of implementation of the threat "Implementation of a false ARP server"

Figure 11. Scheme of implementation of the threat "Implementation of a false DNS server" by intercepting a DNS request

Figure 12. Scheme of implementation of the threat "Implementation of a false DNS server" by a storm of DNS responses on the network

Figure 13. Scheme of implementation of the threat "Implementation of a false DNS server" by a storm of DNS responses to the DNS server

7. Denial of service.

These threats are based on shortcomings of network software, its vulnerabilities, which allow the violator to create conditions under which the operating system is unable to process incoming packets.

Several varieties of such threats can be isolated:

a) hidden denial of service, caused by the consumption of part of the PDIS resources for processing packets transmitted by the attacker, with a reduction in the bandwidth of communication channels and the performance of network devices and a violation of the requirements for request processing time. Examples of the implementation of threats of this kind are: a directed storm of ICMP echo requests (ping flooding), a storm of TCP connection requests (SYN flooding), a storm of requests to an FTP server;

b) explicit denial of service, caused by the exhaustion of PDIS resources when processing packets transmitted by the attacker (occupying the entire bandwidth of the communication channels, the service request queues), in which legitimate requests cannot be transmitted through the network due to unavailability of the transmission medium or are refused service due to overflow of request queues, disk space, memory, etc. Examples of threats of this type are a storm of broadcast ICMP echo requests (Smurf), a directed storm (SYN flooding), a storm of messages to a mail server (spam);

c) explicit denial of service, caused by violation of logical connectivity between the technical means of the PDIS when the violator transmits control messages on behalf of network devices, resulting in a change in routing and address data (for example, ICMP Redirect Host, DNS flooding) or in identification and authentication information;

d) explicit denial of service, caused by the attacker transmitting packets with non-standard attributes (threats of the "Land", "Teardrop", "Bonk", "Nuke", "UDP-bomb" type) or with a length exceeding the maximum permissible size (a "Ping of Death" type threat), which can lead to failure of the network devices involved in processing requests, provided there are errors in the programs implementing the network exchange protocols.

The result of implementing this threat can be disruption of the corresponding service for providing remote access to personal data (PDN) in the PDIS: transmission from one address of as many requests to a technical means of the PDIS as the traffic can at most "accommodate" (a directed "request storm"), which entails overflow of the request queue and failure of one of the network services, or a complete halt of the computer because the system is unable to do anything other than process requests.
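Three of the varieties above have a mechanical signature that a monitor can check: SYN flooding leaves connection requests that the source never completes, a "Land" packet has identical source and destination address/port pairs, and a "Ping of Death" fragment would reassemble past the 65535-byte IP limit. The following added example (not part of the document) implements those checks over constructed connection records; the addresses and thresholds are constructed values.

```python
from collections import defaultdict

IP_MAX_LEN = 65535  # maximum length of a reassembled IP datagram


def is_land_packet(src_ip: str, sport: int, dst_ip: str, dport: int) -> bool:
    """'Land' type packet: source and destination address/port pairs coincide."""
    return src_ip == dst_ip and sport == dport


def fragment_exceeds_max(frag_offset_units: int, payload_len: int) -> bool:
    """'Ping of Death' type check: the fragment offset (in 8-byte units) plus
    this fragment's payload would reassemble to more than 65535 bytes."""
    return frag_offset_units * 8 + payload_len > IP_MAX_LEN


def half_open_per_source(records: list) -> dict:
    """Count, per source address, the SYNs for which the same source never
    sends the completing ACK: the footprint of a SYN-flooding 'storm'.
    Each record is {ts, src, sport, dst, dport, flags} with flags 'S' or 'A'."""
    pending = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["flags"] == "S":
            pending[key] = r["ts"]
        elif r["flags"] == "A" and key in pending:
            del pending[key]  # handshake completed, not half-open any more
    counts = defaultdict(int)
    for (src, _, _, _) in pending:
        counts[src] += 1
    return dict(counts)


def flood_sources(records: list, threshold: int = 100) -> list:
    """Sources with at least `threshold` half-open connections, sorted."""
    return sorted(src for src, n in half_open_per_source(records).items() if n >= threshold)


# Constructed sample: 10.0.0.5 opens one complete connection; 198.51.100.7
# sends five SYNs to the web port and never completes any of them.
SAMPLE = (
    [{"ts": 0.0, "src": "10.0.0.5", "sport": 50000, "dst": "10.0.0.1", "dport": 80, "flags": "S"},
     {"ts": 0.1, "src": "10.0.0.5", "sport": 50000, "dst": "10.0.0.1", "dport": 80, "flags": "A"}]
    + [{"ts": 1.0 + i * 0.01, "src": "198.51.100.7", "sport": 40000 + i,
        "dst": "10.0.0.1", "dport": 80, "flags": "S"} for i in range(5)]
)
```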

8. Remote application launch.

The threat consists in the desire to launch on the host various pre-implanted malicious programs: software bookmarks (implants), viruses, "network spies", the main purpose of which is to violate the confidentiality, integrity and availability of information and to gain full control over the operation of the host. In addition, unauthorized launch of user application programs is possible in order to obtain data the violator needs without authorization, to start processes controlled by the application program, etc.

Three subclasses of these threats are distinguished:

1) distribution of files containing unauthorized executable code;

2) remote launch of an application by overflowing the buffer of a server application;

3) remote launch of an application by using remote system control capabilities provided by hidden software and hardware bookmarks or by standard means.

Typical threats of the first subclass are based on activation of the distributed files upon accidental access to them. Examples of such files are: files containing executable code in the form of macros (Microsoft Word, Excel documents, etc.); HTML documents containing executable code as ActiveX elements, Java applets or interpreted scripts (for example, JavaScript text); files containing executable program code. E-mail services, file transfer and the network file system can be used to distribute the files.

Threats of the second subclass use shortcomings of the programs implementing network services (in particular, the absence of buffer overflow control). By manipulating system registers, it is sometimes possible, after the interrupt caused by a buffer overflow, to switch the processor to executing code located beyond the boundary of the buffer. An example of the implementation of such a threat is the introduction of the widely known "Morris virus".

In threats of the third subclass, the offender uses the remote system control capabilities provided by hidden components (for example, "Trojan" programs of the Back Orifice, NetBus type) or by standard network control and administration tools (LANDesk Management Suite, ManageWise, Back Orifice, etc.). As a result of their use, remote control over a station on the network can be achieved.

Schematically, the main stages of operation of these programs are as follows:

installation in memory;

waiting for a request from the remote host on which the client program is running, and exchanging readiness messages with it;

transferring intercepted information to the client or providing it with control over the attacked computer.

Possible consequences from the implementation of threats of various classes are shown in Table 3.

Table 3.

Possible consequences of the implementation of threats of various classes

| No. | Type of attack | Possible consequences |
|---|---|---|
| 1 | Network traffic analysis | Study of network traffic characteristics, interception of transmitted data, including user identifiers and passwords |
| 2 | Network scanning | Determination of the protocols and ports available for network services, the rules for forming connection identifiers, active network services, user identifiers and passwords |
| 3 | "Password" attack | Performing any destructive action associated with obtaining unauthorized access |
| 4 | Substitution of a trusted network object | Changing the path of messages, unauthorized change of routing data. Unauthorized access to network resources, imposing false information |
| 5 | Imposing a false route | Unauthorized change of routing data, analysis and modification of transmitted data, imposing false messages |
| 6 | Implementation of a false network object | Interception and viewing of traffic. Unauthorized access to network resources, imposing false information |
| 7 | Denial of service: partial exhaustion of resources | Reduction of the bandwidth of communication channels and performance of network devices. Reduced performance of server applications |
| 7 | Denial of service: full exhaustion of resources | Inability to transmit messages due to lack of access to the transmission medium, refusal to establish a connection. Refusal to provide a service (e-mail, file, etc.) |
| 7 | Denial of service: violation of logical connectivity between attributes, data, objects | Inability to transmit messages due to lack of correct routing data. Inability to obtain services due to unauthorized modification of identifiers, passwords, etc. |
| 7 | Denial of service: exploitation of errors in programs | Failure of network devices |
| 8 | Remote launch of applications: by sending files containing destructive executable code, viral infection | Violation of confidentiality, integrity, availability of information |
| 8 | Remote launch of applications: by overflowing the server application buffer | Violation of confidentiality, integrity, availability of information |
| 8 | Remote launch of applications: by using remote system control capabilities provided by hidden software and hardware bookmarks or by standard means | Hidden system management |

The process of implementing the threat in the general case consists of four stages:

information collection;

invasion (penetration into the operating environment);

exercising unauthorized access;

eliminating traces of unauthorized access.

At the information collection stage, the violator may be interested in diverse information about the PDIS, including:

a) the topology of the network in which the system functions. This may involve exploring the area around the network (for example, the intruder may be interested in the addresses of trusted but less protected hosts). The simplest commands can be used to determine the availability of a host (for example, the ping command, which sends ICMP ECHO_REQUEST queries and expects ICMP ECHO_REPLY responses). There are utilities that determine the availability of hosts in parallel (such as fping), which are able to scan a large area of address space for host availability in a short period of time. The network topology is often determined on the basis of the "hop count" (distance between hosts). Methods such as "TTL modulation" and route recording can be applied here.

The TTL modulation method is implemented by the traceroute program (for Windows NT, tracert.exe) and consists in modulating the TTL field of IP packets. ICMP packets created by the ping command can be used to record the route.

Information collection can also be based on queries:

to the DNS server about the list of registered (and probably active) hosts;

to a router over the RIP protocol about known routes (network topology information);

to incorrectly configured devices supporting SNMP (network topology information).

If the PDIS is behind a firewall (ME), it is possible to collect information about the configuration of the ME and about the topology of the PDIS behind the ME, including by sending packets to all ports of all presumed hosts of the internal (protected) network;

b) the type of operating system (OS) in the PDIS. The best-known method of determining the type of host OS is based on the fact that different types of OS implement the requirements of the RFC standards for the TCP/IP stack in different ways. This allows the violator to remotely identify the type of OS installed on a PDIS host by sending specially formed requests and analyzing the responses received.

There are special tools that implement these methods, in particular Nmap and QueSO. Another method of determining the OS type worth noting is the simplest request to establish a connection via the Telnet remote access protocol (a Telnet connection), as a result of which the host OS type can be determined by the "appearance" of the response. The presence of certain services can also serve as an additional feature for determining the type of host OS;

c) the services running on hosts. Determining the services running on a host is based on the "open port" identification method, aimed at collecting information about host availability. For example, to determine the availability of a UDP port, it is necessary to observe the response to sending a UDP packet to the corresponding port:

if an ICMP Port Unreachable message is received in response, the corresponding service is unavailable;

if this message has not arrived, the port is "open".

Extremely diverse variations of this method are possible depending on the protocol used in the TCP/IP protocol stack.
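Both the host-availability probing under a) and the port survey under c) leave the same traffic pattern: one source touching many distinct targets in a short interval. The following added example (written for this page, not part of the document) encodes the UDP inference rule above and runs a sliding-window detector over constructed probe records; the addresses, timestamps and thresholds are constructed values.

```python
from collections import defaultdict


def udp_port_state(got_icmp_port_unreachable: bool) -> str:
    """Inference rule from the text: ICMP Port Unreachable means no service.
    Silence is reported as 'open|filtered' rather than 'open', because a
    firewall dropping the probe or a host rate-limiting ICMP produces exactly
    the same silence as a listening service."""
    return "closed" if got_icmp_port_unreachable else "open|filtered"


def _sources_exceeding(records, target_of, window_s, min_targets):
    """Sources that touch at least `min_targets` distinct targets within any
    `window_s` second interval. target_of(record) defines what a target is."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append((r["ts"], target_of(r)))
    flagged = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1  # slide the window forward
            if len({t for _, t in events[start:end + 1]}) >= min_targets:
                flagged.append(src)
                break
    return sorted(flagged)


def port_scanners(records, window_s=60.0, min_ports=20):
    """Port survey: many distinct (host, port) pairs from one source."""
    tcp_udp = [r for r in records if r["proto"] in ("tcp", "udp")]
    return _sources_exceeding(tcp_udp, lambda r: (r["dst"], r["dport"]), window_s, min_ports)


def ping_sweepers(records, window_s=60.0, min_hosts=16):
    """Availability sweep (ping/fping style): ICMP echo to many distinct hosts."""
    icmp = [r for r in records if r["proto"] == "icmp"]
    return _sources_exceeding(icmp, lambda r: r["dst"], window_s, min_hosts)


# Constructed sample: a client using three services, one source probing
# ports 1-30 of a single host, and one source pinging 25 hosts of a /24.
SAMPLE = (
    [{"ts": float(i), "src": "10.0.0.5", "dst": "10.0.0.1", "proto": "tcp", "dport": p}
     for i, p in enumerate((22, 80, 443))]
    + [{"ts": 100.0 + i * 0.1, "src": "198.51.100.7", "dst": "10.0.0.1", "proto": "tcp", "dport": p}
       for i, p in enumerate(range(1, 31))]
    + [{"ts": 200.0 + i * 0.05, "src": "203.0.113.9", "dst": f"10.0.0.{i + 1}", "proto": "icmp", "dport": 0}
       for i in range(25)]
)
```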

Much software has been developed to automate the collection of information about the PDIS. As examples, the following can be noted:

1) Strobe, Portscanner - optimized tools for determining available services based on TCP port polling;

2) Nmap - a tool for scanning available services, intended for Linux, FreeBSD, OpenBSD, Solaris, Windows NT. It is currently the most popular tool for scanning network services;

3) QueSO - a high-precision tool for determining the OS of a network host, based on sending a chain of correct and incorrect TCP packets, analyzing the responses and comparing them with a set of known responses of various OS. This tool is also currently a popular scanning tool;

4) Cheops - a network topology scanner that allows obtaining the network topology, including a picture of the domain, IP addresses, etc. At the same time, the host OS is determined, as well as possible network devices (printers, routers, etc.);

5) Firewalk - a scanner that uses the methods of the traceroute program to analyze responses to IP packets in order to determine the firewall configuration and construct the network topology.

At the invasion stage, the presence of typical vulnerabilities in system services or errors in system administration is investigated. A successful result of exploiting a vulnerability is usually obtaining a process in privileged execution mode (access to the privileged execution mode of the command processor), entering an account record for an illegal user, obtaining the password file, or disrupting the operation of the attacked host.

This stage of threat development is usually multi-phase. The phases of the threat implementation process may include, for example:

establishing a connection with the host against which the threat is implemented;

identifying a vulnerability;

introducing a malicious program in the interests of expanding rights, etc.

Threats implemented at this stage are divided by TCP/IP protocol stack layers, since they are formed at the network, transport or application layer depending on the invasion mechanism used.

Typical threats implemented at the network and transport layers include:

a) a threat aimed at substituting a trusted object;

b) a threat aimed at creating a false route in the network;

c) threats aimed at creating a false object using shortcomings of remote search algorithms;

d) "denial of service" threats based on IP defragmentation, on the formation of incorrect ICMP requests (for example, the "Ping of Death" and "Smurf" attacks), on the formation of incorrect TCP requests (the Land attack), on the creation of a "storm" of packets with connection requests (SYN Flood attacks), etc.

Typical threats implemented at the application layer include threats aimed at unauthorized launch of applications, threats whose implementation is associated with the introduction of software bookmarks (such as "Trojan horse" programs), with the disclosure of passwords for access to the network or to a specific host, etc.

If the implementation of the threat did not give the violator the highest access rights in the system, attempts to expand these rights to the highest possible level are possible. For this, vulnerabilities not only of network services but also of the system software of hosts can be used.

At the stage of exercising unauthorized access, the purpose of the threat is achieved:

violation of confidentiality (copying, unlawful distribution);

violation of integrity (destruction, modification);

violation of availability (blocking).

At the same stage, after these actions, as a rule, a so-called "back door" is formed in the form of one of the services (daemons) serving some port and executing the intruder's commands. The "back door" is left in the system in order to ensure:

the ability to access the host even if the administrator eliminates the vulnerability used to successfully implement the threat;

the ability to access the host as covertly as possible;

the ability to access the host quickly (without repeating the threat implementation process).

The "back door" allows the violator to introduce a malicious program into the network or onto a specific host, for example a "password analyzer" (password sniffer), a program that extracts user identifiers and passwords from network traffic when high-level protocols (FTP, Telnet, rlogin, etc.) are in use. Objects of malware introduction can be authentication and identification programs, network services, the operating system kernel, the file system, libraries, etc.

Finally, at the stage of eliminating traces of the threat, an attempt is made to destroy traces of the violator's actions. In doing so, the corresponding entries are deleted from all possible audit logs, including records of the fact of information collection.
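Deleting audit entries, as described for the last stage, is only undetectable when records are independent of each other. The following added example (not part of the document) chains audit records with a keyed hash so that removing or editing any record breaks the link, and shows why the latest record's MAC must also be anchored outside the host: the key, timestamps and events are constructed values.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" of the very first record


def _mac(key: bytes, prev_mac: str, entry: dict) -> str:
    """MAC over the previous record's MAC and this entry, so each record is
    bound to everything written before it."""
    payload = prev_mac + "\n" + json.dumps(entry, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_entry(log: list, entry: dict, key: bytes) -> list:
    """Append an audit record to the chain and return the log."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"prev": prev, "entry": entry, "mac": _mac(key, prev, entry)})
    return log


def verify_chain(log: list, key: bytes, head: str = None):
    """Return (True, None) if intact, else (False, index of the first record at
    which the chain is broken). `head` is the last MAC as recorded off-host
    (remote syslog, WORM storage): without it, truncating the tail of the log
    is invisible. The key must likewise live off-host; an intruder holding it
    could simply rebuild the chain."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != expected_prev or rec["mac"] != _mac(key, rec["prev"], rec["entry"]):
            return False, i
        expected_prev = rec["mac"]
    if head is not None and expected_prev != head:
        return False, len(log)
    return True, None


def delete_record(log: list, index: int) -> list:
    """What trace elimination does to a stored log: drop one record."""
    return log[:index] + log[index + 1:]


def build_sample_log(key: bytes) -> list:
    """Constructed records mirroring the stages described in the text."""
    log = []
    for e in (
        {"ts": "2024-01-01T10:00:00Z", "src": "198.51.100.7", "event": "icmp echo sweep, 25 hosts"},
        {"ts": "2024-01-01T10:00:30Z", "src": "198.51.100.7", "event": "tcp probes to 30 ports on 10.0.0.1"},
        {"ts": "2024-01-01T10:05:00Z", "src": "198.51.100.7", "event": "login admin from new address"},
    ):
        append_entry(log, e, key)
    return log
```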

5.5. General characteristics of threats of software and mathematical impacts

Software and mathematical impact is impact with the help of malicious programs. A program with potentially dangerous consequences, or malicious program, is an independent program (set of instructions) that is capable of performing any non-empty subset of the following functions:

hide signs of its presence in the computer's software;

possess the ability to self-replicate, to associate itself with other programs and (or) to transfer its fragments to other areas of main or external memory;

destroy (distort in an arbitrary way) program code in RAM;

execute destructive functions (copying, destruction, blocking, etc.) without being initiated by the user (by a user program in the normal mode of its execution);

save fragments of information from RAM to some areas of directly accessible external memory (local or remote);

distort in an arbitrary way, block and (or) substitute an array of information output to external memory or to a communication channel and formed as a result of the operation of application programs, or data arrays already in external memory.

Malicious programs can be introduced (implanted) both deliberately and accidentally into the software used in the PDIS, in the process of its development, maintenance, modification and configuration. In addition, malware can be introduced during the operation of the PDIS from external media or through network interaction, both as a result of NSD and accidentally by PDIS users.

Modern malicious programs are based on the use of vulnerabilities of various kinds of software (system, general-purpose, application) and of various network technologies, possess a wide range of destructive capabilities (from unauthorized study of PDIS parameters without interfering with the functioning of the PDIS to destruction of PDN and PDIS software) and can operate in all types of software (system, application, hardware drivers, etc.).

The presence of malicious programs may contribute to the emergence of hidden, including non-traditional, channels of access to information that allow the protective mechanisms provided in the system, including password and cryptographic protection, to be disclosed, bypassed or blocked.

The main types of malicious programs are:

software bookmarks (implants);

classic software (computer) viruses;

malicious programs propagating over the network (network worms);

other malicious programs intended for the implementation of NSD.

Software bookmarks include programs, code fragments and instructions that form undeclared capabilities of software. Malicious programs can transform from one type to another; for example, a software bookmark can generate a software virus, which, in turn, on reaching network conditions, can form a network worm or another malicious program designed to implement NSD.

The classification of software viruses and network worms is presented in Figure 14. A brief description of the main malicious programs comes down to the following. Boot viruses write themselves either into the boot sector of a disk (boot sector) or into the sector containing the hard disk's system loader (Master Boot Record), or change the pointer to the active boot sector. They are loaded into the computer's memory when booting from an infected disk. In this case, the system loader reads the contents of the first sector of the disk from which the boot is performed, places the read information into memory and transfers control to it (i.e., to the virus). After that, the virus instructions start executing, which, as a rule, reduce the amount of free memory, copy the virus code into the freed space and read its continuation from the disk (if any), intercept the necessary interrupt vector (usually int 13h), read the original boot sector into memory and transfer control to it.

Subsequently, the boot virus behaves in the same way as a file virus: it intercepts the operating system's access to disks and infects them, performs destructive actions depending on certain conditions, and causes sound or video effects.

The main destructive actions performed by these viruses are:

destruction of information in the sectors of floppy and hard disks;

disabling the operating system (the computer "hangs");

distortion of the loader code;

formatting of floppy disks or logical disks of the hard drive;

closing access to COM and LPT ports;

replacing characters when printing text;

screen twitching;

changing the label of a disk or floppy disk;

creating pseudo-free clusters;

creating sound and (or) visual effects (for example, letters dropping down the screen);

damaging data files;

displaying a variety of messages;

disconnecting peripheral devices (for example, the keyboard);

changing the screen palette;

filling the screen with extraneous characters or images;

blanking the screen and switching to keyboard input mode;

encryption of hard disk sectors;

selective destruction of characters displayed on the screen when typed from the keyboard;

reduction of RAM;

triggering screen printing;

blocking writes to the disk;

destruction of the disk partition table, after which the computer can only be booted from a floppy disk;

blocking the launch of executable files;

blocking access to the hard disk.

Figure 14. Classification of software viruses and network worms

Most boot viruses overwrite themselves onto floppy disks.

The "overwriting" infection method is the simplest: the virus writes its code in place of the code of the infected file, destroying its contents. Naturally, the file then stops working and is not restored. Such viruses reveal themselves very quickly, since the operating system and applications stop working fairly soon.

The "companion" category includes viruses that do not change the infected files. The algorithm of these viruses is that a twin file is created for the infected file, and when the infected file is launched, control is received by this twin, i.e., the virus. The most common are companion viruses using the DOS feature of executing the file with the .com extension first when there are two files with the same name but different extensions, .com and .exe, in one directory. Such viruses create satellite files for EXE files that have the same name but the .com extension; for example, the file XCOPY.COM is created for the file XCOPY.EXE. The virus is written into the COM file and does not change the EXE file. When such a file is launched, DOS will first detect and execute the COM file, i.e., the virus, which will then launch the EXE file as well. The second group is made up of viruses that, upon infection, rename the file to some other name, remember it (for subsequent launch of the host file) and write their code to disk under the name of the infected file. For example, the file XCOPY.EXE is renamed to XCOPY.EXD, and the virus is written under the name XCOPY.EXE. On launch, control is received by the virus code, which then launches the original XCOPY stored under the name XCOPY.EXD. It is interesting that this method appears to work in all operating systems. The third group includes the so-called "path-companion" viruses. They either write their code under the name of the infected file but one level "higher" in the search paths (so that DOS detects and launches the virus file first), or move the victim file one subdirectory higher, etc.

Other types of companion viruses may exist that use other original ideas or features of other operating systems.
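The first and third companion groups above both rely on the name-resolution order of DOS (.COM before .EXE within a directory, and earlier search-path directories before later ones), which makes them checkable from a file listing alone. The following added example (not part of the document) applies those two rules to a constructed listing to report same-directory COM/EXE twins and files that shadow a same-named executable later in the path; the directory names and file names are constructed values.

```python
import os
from collections import defaultdict

# Order in which DOS tries extensions for a bare command name in one directory.
DOS_EXEC_ORDER = (".COM", ".EXE", ".BAT")


def _split(name: str):
    """Upper-cased (stem, extension) of a file name; DOS names are case-insensitive."""
    return os.path.splitext(name.upper())


def same_directory_companions(listing):
    """listing: iterable of (directory, filename). Return (dir, com, exe) for
    every .COM sharing its stem with an .EXE in the same directory: the pattern
    of the first group (XCOPY.COM placed beside XCOPY.EXE). Legitimate pairs
    exist, so each hit is a lead to inspect, not proof of infection."""
    by_dir = defaultdict(dict)
    for d, f in listing:
        stem, ext = _split(f)
        by_dir[d.upper()].setdefault(stem, {})[ext] = f
    hits = []
    for d, stems in by_dir.items():
        for exts in stems.values():
            if ".COM" in exts and ".EXE" in exts:
                hits.append((d, exts[".COM"], exts[".EXE"]))
    return sorted(hits)


def path_shadowing(path_dirs, listing):
    """For every executable stem present in more than one search-path directory,
    report the file DOS would actually run and the files it shadows: the pattern
    of 'path-companion' viruses. path_dirs is the search order, current
    directory first, then the PATH entries."""
    order = [p.upper() for p in path_dirs]
    where = defaultdict(list)  # stem -> [(path_index, ext_rank, dir, file)]
    for d, f in listing:
        stem, ext = _split(f)
        if ext in DOS_EXEC_ORDER and d.upper() in order:
            where[stem].append((order.index(d.upper()), DOS_EXEC_ORDER.index(ext), d, f))
    report = {}
    for stem, entries in where.items():
        if len({e[2].upper() for e in entries}) > 1:
            entries.sort()
            winner = (entries[0][2], entries[0][3])
            shadowed = [(e[2], e[3]) for e in entries[1:]]
            report[stem] = (winner, shadowed)
    return report


def scan_directories(dirs):
    """Build a listing from real directories (missing ones are skipped)."""
    listing = []
    for d in dirs:
        if os.path.isdir(d):
            listing.extend((d, f) for f in os.listdir(d))
    return listing


# Constructed sample: XCOPY has a COM twin beside its EXE, and ARJ.COM in the
# first path directory shadows the real ARJ.EXE in a later one.
SAMPLE_PATH = ["C:\\DOS", "C:\\UTIL"]
SAMPLE_LISTING = [
    ("C:\\DOS", "XCOPY.EXE"), ("C:\\DOS", "XCOPY.COM"), ("C:\\DOS", "FORMAT.COM"),
    ("C:\\UTIL", "ARJ.EXE"), ("C:\\DOS", "ARJ.COM"),
]
```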

File worms are, in a sense, a type of companion virus, but in no way do they associate their presence with any executable file. When reproducing, they merely copy their code into some disk directories in the hope that these new copies will one day be launched by the user. Sometimes these viruses give their copies "special" names to push the user to launch the copy, for example INSTALL.EXE or WINSTART.BAT. There are file worms that use fairly unusual techniques, for example writing their copies into archives (ARJ, ZIP and others). Some viruses write a command to launch the infected file into BAT files. File worms should not be confused with network worms: the former only use the file functions of an operating system, while the latter use network protocols in their reproduction.

Link viruses, like companion viruses, do not change the physical contents of files; however, when an infected file is launched, they "force" the OS to execute their code. They achieve this by modifying the necessary file system fields.

Viruses infecting compiler libraries, object modules and program source texts are quite exotic and practically not widespread. Viruses infecting OBJ and LIB files write their code into them in the format of an object module or library. The infected file is thus not executable and is not capable of further spreading the virus in its current state. The carrier of the "live" virus becomes a COM or EXE file.

Having received control, a file virus performs the following general actions:

checks RAM for the presence of its copy and infects the computer's memory if no copy of the virus is found (if the virus is resident); searches for uninfected files in the current and (or) root directory by scanning the directory tree of logical disks, and then infects the detected files;

performs additional functions (if any): destructive actions, graphic or sound effects, etc. (the additional functions of a resident virus may be called some time after activation, depending on the current time, the system configuration, internal virus counters or other conditions; in this case, upon activation, the virus processes the state of the system clock, sets its counters, etc.);

It should be noted that the faster the virus is distributed, most likely the emergence epidemics of this virus, the slower the virus is spread, the more difficult it is to detect it (if, of course, this virus is unknown). Non-resident viruses are often "slow" - most of them when starting it infects one or two-three files and does not have time to float the computer before running the antivirus program (or the appearance of a new version of the antivirus configured to this virus). There are, of course, non-resident "fast" viruses that are looking for and infecting all executable files, however, such viruses are very noticeable: when you start every infected file, the computer has some (sometimes long enough) time is actively working with the hard drive, which demasses the virus. The speed of distribution (infection) at resident viruses is usually higher than non-resident - they infect files with any appeals to them. As a result, all the files that are constantly used in operation are infected on the disk. The speed of distribution (infection) of resident file viruses infecting files only when they started to execute, will be lower than that of viruses infecting files and when they open, renamed, changing the file attributes, etc.

Thus, the main destructive actions performed by the file viruses are associated with the defeat of the files (more often executable or data files), unauthorized launch of various commands (including formatting, destruction, copying commands, etc.), changing the table of interrupt vectors and Dr. At the same time, many destructive actions similar to those indicated for boot viruses can be performed.

Macro viruses are programs written in the languages (macro languages) built into some data-processing systems (text editors, spreadsheets, etc.). To reproduce, such viruses use the capabilities of macro languages and, with their help, transfer themselves from one infected file (document or spreadsheet) to others. Macro viruses have become most widespread for the Microsoft Office application suite.

For viruses to exist in a particular system (editor), its built-in macro language must have the following capabilities:

1) binding a program in the macro language to a specific file;

2) copying macro programs from one file to another;

3) a macro program gaining control without user intervention (automatic or standard macros).

These conditions are satisfied by the Microsoft Word, Excel and Access applications. They contain the macro languages WordBasic and Visual Basic for Applications. Here:

1) macro programs are bound to a specific file or are located inside the file;

2) the macro language allows macro programs to be copied or moved into system service files and into editable files;

3) when a file is worked with under certain conditions (opening, closing, etc.), the macro programs (if any) that are defined in a special way or have standard names are invoked.

This feature of macro languages is intended for automatic data processing in large organizations or global networks and allows so-called "automated document workflow" to be organized. On the other hand, the macro-language capabilities of such systems allow a virus to transfer its code to other files and thus infect them.

Most macro viruses are active not only at the moment a file is opened (closed) but for as long as the editor itself is active. They keep all their functions in the form of standard Word/Excel/Office macros. There are, however, viruses that use techniques for hiding their code and store it in a form other than macros. Three such techniques are known, and all of them use the ability to create, edit and execute other macros. As a rule, such viruses have a small (sometimes polymorphic) loader macro that invokes the built-in macro editor, creates a new macro, fills it with the main virus code, executes it and then, as a rule, deletes it (to hide the traces of the virus's presence). The main code of such viruses is present either in the virus macro itself in the form of text strings (sometimes encrypted) or in the document's variables area.
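The three conditions above translate directly into static indicators: a procedure with one of the standard auto-run names, calls that copy macro code into another document or into the global template, and calls that execute something outside the document. The following Python example, added here and not part of the original text, performs that triage over VBA source. It follows the approach of macro-analysis tools such as olevba but uses its own constructed indicator lists (not that tool's tables), and the two VBA samples are constructed for the example; the "suspicious" one only illustrates the pattern and carries no payload.

```python
"""Static triage of VBA macro source for the three macro-virus prerequisites:
an auto-running entry point, code that copies macros between documents, and
execution of external commands.  Indicator lists are constructed for this
example (not a tool's own signature tables)."""
import re

# Procedures Word/Excel run without user action (document/template events).
AUTO_EXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(AutoExec|AutoOpen|AutoClose|AutoNew|AutoExit|Auto_Open|Auto_Close|"
    r"Document_Open|Document_Close|Document_New|Workbook_Open|Workbook_Close|"
    r"Workbook_Activate|Workbook_BeforeClose)\b",
    re.IGNORECASE | re.MULTILINE,
)

# APIs that let a macro copy itself into another document or the global template.
PROPAGATION = re.compile(
    r"\b(OrganizerCopy|MacroCopy|VBProject|VBComponents|CodeModule|"
    r"AddFromString|InsertLines|NormalTemplate|AttachedTemplate)\b",
    re.IGNORECASE,
)

# Typical payload / dropper calls.
EXECUTION = re.compile(
    r"\b(Shell|CreateObject|WScript\.Shell|Kill|FileCopy)\b", re.IGNORECASE
)


def analyze_vba(source):
    """Return the indicators found in one VBA module's text, grouped by class."""
    return {
        "autoexec": sorted({m.group(1) for m in AUTO_EXEC.finditer(source)}, key=str.lower),
        "propagation": sorted({m.group(1) for m in PROPAGATION.finditer(source)}, key=str.lower),
        "execution": sorted({m.group(1) for m in EXECUTION.finditer(source)}, key=str.lower),
    }


def verdict(report):
    """Auto-start plus self-copying is the macro-virus combination from the
    text; auto-start plus execution alone is a dropper; anything else only
    merits review."""
    if report["autoexec"] and report["propagation"]:
        return "macro-virus pattern"
    if report["autoexec"] and report["execution"]:
        return "dropper pattern"
    if report["autoexec"] or report["propagation"] or report["execution"]:
        return "review"
    return "clean"


# Constructed samples; neither is real malware.
BENIGN = """
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

SUSPICIOUS = """
Private Sub Document_Open()
    ' copy this module into the global template so every new document carries it
    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="Module1", _
        Object:=wdOrganizerObjectProjectItems
    Shell "cmd /c echo payload", vbHide
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        report = analyze_vba(src)
        print(name, "->", verdict(report), report)
```

The regexes only see plain source, so they do not catch the third technique described above (code kept as strings or document variables and assembled at run time); that case needs emulation or monitoring of the macro editor itself rather than pattern matching.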

Network viruses are those that actively use the protocols and capabilities of local and global networks to spread. The main principle of a network virus is its ability to transfer its code to a remote server or workstation on its own. "Full-fledged" network viruses are also able to launch their code on a remote computer, or at least to "push" the user into launching an infected file.

Malicious programs that enable unauthorized access (NSD) may include:

password guessing and cracking programs;

programs that implement threats;

programs demonstrating the use of undeclared software and hardware capabilities;

computer virus generators;

programs demonstrating vulnerabilities of information security tools, and others.

Because of the growing complexity and diversity of software, the number of malicious programs is increasing rapidly. Today more than 120 thousand computer virus signatures are known. At the same time, not all of them pose a real threat: in many cases the elimination of vulnerabilities in system or application software has meant that a number of malicious programs can no longer be introduced into it. Often the main danger comes from new malicious programs.

5.6. General characteristics of non-traditional information channels

A non-traditional information channel is a covert channel for transmitting information that uses traditional communication channels together with special transformations of the transmitted information that are not cryptographic.

Non-traditional channels can be formed using the following methods:

computer steganography;

manipulation of various characteristics of the information system's resources that can be obtained legitimately (for example, the processing time of various requests, the amount of memory available, or readable identifiers of files or processes, etc.).

Computer steganography methods are designed to hide the very fact that a message is being transmitted by embedding the hidden information in outwardly innocuous data (text, graphics, audio or video files). They comprise two groups of methods, based:

on the use of special properties of computer formats for storing and transmitting data;

on the redundancy of audio, visual or text information with respect to the psycho-physiological characteristics of human perception.

The classification of computer steganography methods is shown in Figure 15; their comparative characteristics are given in Table 4.

Currently, methods of concealing information in graphic stego-containers are the most developed and widely applied. This is due to the relatively large amount of information that can be placed in such containers without noticeable image distortion, the availability of a priori information about the container's size, the presence in most real images of textured areas with a noise-like structure that are well suited to embedding information, and the advancing methods of digital image processing and digital image presentation formats. A number of both commercial and free software products accessible to ordinary users implement the well-known steganographic methods, and they predominantly use graphic and audio containers.

Figure 15. Classification of methods of steganographic information transformation (SIT)

Table 4. Comparative characteristics of steganographic information transformation methods

Steganographic method | Brief characteristic of the method | Disadvantages | Advantages

Methods of concealing information in audio containers
Least-significant-bit (LSB) method | Based on writing the message into the least significant bits of the source signal; as a container, as a rule, an uncompressed audio signal is used | Low secrecy of message transmission. Low resistance to distortion. Applicable only to certain audio file formats | -
Spread-spectrum method | Based on generating pseudo-random noise that is a function of the embedded message and mixing this noise into the main container signal as an additive component; the information stream is coded by spreading the spectrum of the coded data | - | -
Echo-signal method | Based on using the audio signal itself, delayed by different intervals depending on the message being embedded ("echo hiding") | Low container utilization. Significant computational cost | Relatively high secrecy of the message
Signal-phase method | Based on the insensitivity of the human ear to the absolute value of the phase of harmonics; the audio signal is divided into a sequence of segments and the message is embedded by modifying the phase of the first segment | Small container utilization | Considerably higher secrecy than LSB methods

Methods of concealing information in text containers
Space-based method | Based on inserting spaces at the ends of lines, after punctuation marks, and between words when justifying line lengths | Sensitive to converting the text from one format to another. Possible loss of the message. Low secrecy | Fairly high bandwidth
Syntactic-features method | Based on the fact that punctuation rules allow ambiguity in the placement of punctuation marks | Very low bandwidth. Difficulty of extracting the message | A variant can potentially be chosen for which disclosing the message requires highly complex procedures
Synonym-based method | Based on inserting information into the text by alternating words from a synonym group | Difficult for Russian because of the large variety of shades of meaning among synonyms | One of the most promising methods; relatively high secrecy
Error-based method | Based on masking information bits as natural errors, typos, violations of the rules for writing combinations of vowels and consonants, replacement of Cyrillic letters with similar-looking Latin ones, etc. | Low bandwidth. Quickly revealed by statistical analysis | Extremely easy to use. High secrecy against human analysis
Text-generation method | Based on generating the text container from a set of sentence rules; symmetric cryptography is used | Low bandwidth. Unnaturalness of the generated text | Secrecy is determined by the encryption methods and is, as a rule, quite high
Font-features method | Based on embedding information through changes of font type and letter size, and on the possibility of embedding information in blocks whose identifiers are unknown to the browser | Easily detected when the document's scale is converted and by statistical steganalysis | High container utilization
Document and file code method | Based on placing information in reserved and unused variable-length fields | Low secrecy when the file format is known | Easy to use
Jargon-based method | Based on word substitution | Low bandwidth. Narrowly specialized. Low secrecy | Easy to use
Word-alternation method | Based on generating a container text in which words of a certain length are formed according to a known coding rule | Complexity of forming the container and the message | Fairly high secrecy against human analysis
First-letters method | Based on embedding the message in the first letters of the words of the text, with appropriate word selection | Complexity of composing the message. Low secrecy of the message | Gives the operator composing the message considerable freedom of choice

Methods of concealing information in graphic containers
Least-significant-bit (LSB) method | Based on placing the message in the least significant bits of the original image | Low secrecy of message transmission. Low resistance to distortion | Fairly high container capacity (up to 25%)
Index-format modification method | Based on reducing (replacing) the colour palette and ordering the colours of pixels with adjacent indices | Used mainly for compressed images. Low secrecy of transmission | Relatively high container capacity
Autocorrelation-function method | Based on searching, using the autocorrelation function, for areas containing similar data | Computational complexity | Resistance to most nonlinear container transformations
Nonlinear-modulation method | Based on modulating a pseudo-random signal with the signal containing the hidden information | - | -
Sign-modulation method | Based on modulating a pseudo-random signal with a bipolar signal containing the hidden information | Low detection accuracy. Distortions | Fairly high secrecy of the message
Wavelet-transform method | Based on the features of the wavelet transform | Computational complexity | High secrecy
Discrete-cosine-transform method | Based on the features of the discrete cosine transform | Computational complexity | High secrecy
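The LSB rows of Table 4 (audio and graphic containers) describe one mechanism, and the "low secrecy" entry has a concrete reason: the least significant bit plane of natural 8-bit data is rarely perfectly balanced, whereas an embedded message makes it look like noise. The following Python example is added here and is not part of the original text. It implements LSB embedding and extraction on a constructed 8-bit container (equally a row of grayscale pixels or 8-bit PCM samples; the container, the message and the 4-byte length header are assumptions of the example) and computes the LSB-plane entropy that a simple steganalysis check would look at.

```python
"""LSB steganography in an 8-bit container plus the trivial statistic that
exposes it.  Added example; container, message and header format are
constructed here, not taken from the page."""
import math


def to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits):
    """List of bits (MSB first, whole bytes only) -> bytes."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def capacity(container):
    """Payload bytes that fit: one bit per sample, minus the 4-byte length header."""
    return len(container) // 8 - 4


def embed(container, message):
    """Write a 32-bit big-endian length header and the message into the LSBs."""
    if len(message) > capacity(container):
        raise ValueError("message does not fit in container")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(container)
    for i, bit in enumerate(to_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # only the lowest bit changes
    return bytes(stego)


def extract(stego):
    """Read the header, then exactly that many message bytes."""
    lsb = [sample & 1 for sample in stego]
    length = int.from_bytes(from_bits(lsb[:32]), "big")
    if length > capacity(stego):
        raise ValueError("header claims more data than the container holds")
    return from_bits(lsb[32:32 + 8 * length])


def lsb_entropy(samples):
    """Shannon entropy (bits) of the LSB plane: 0.0 when every LSB is equal,
    approaching 1.0 when the plane carries message bits."""
    n = len(samples)
    ones = sum(sample & 1 for sample in samples)
    if ones in (0, n):
        return 0.0
    p = ones / n
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


# Constructed container: 2048 samples, all even, so the clean LSB plane is zero.
CLEAN = bytes(((i * 37) % 128) * 2 for i in range(2048))
MESSAGE = b"meet at the old mill at midnight, bring the key"

if __name__ == "__main__":
    stego = embed(CLEAN, MESSAGE)
    used = 8 * (4 + len(MESSAGE))
    print("capacity:", capacity(CLEAN), "bytes")
    print("recovered:", extract(stego))
    print("max sample change:", max(abs(a - b) for a, b in zip(CLEAN, stego)))
    print("LSB entropy clean/stego:", lsb_entropy(CLEAN[:used]), lsb_entropy(stego[:used]))
```

The sample values move by at most 1, which is the imperceptibility the table credits the method with; the entropy of the LSB plane in the used region jumps from 0 to nearly 1 bit, which is the low secrecy it is charged with. Real containers have a less extreme clean baseline, so practical detectors compare the observed LSB statistics against the expected ones for that kind of container rather than against zero.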

In non-traditional channels based on manipulating characteristics of the information system's resources, some shared resource is used for transmission. In time-based channels, data is transferred by modulating the busy time of a shared resource (for example, by modulating processor occupancy, applications can exchange data).

In memory channels, the resource is used as an intermediate buffer (for example, applications can exchange data by placing it in the names of created files and directories). In database and knowledge-base channels, dependencies between data that arise in relational databases and knowledge bases are used.
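The memory-channel case above is easy to underestimate because no file content is ever written: the data lives entirely in directory entries. The following Python example, added here and not part of the original text, builds such a channel in a temporary directory (sender creates empty files whose names carry the data, receiver rebuilds the message from a listing) and adds the detection heuristic a defender would want, a check for directories dominated by empty, hex-named files. The file-name format, the chunk size and the message are assumptions of the example.

```python
"""Storage covert channel through file names, as described for "memory
channels".  Zero-byte files carry the payload in their names, so a control
that inspects file contents sees nothing.  Added example with a constructed
message; the name format is an assumption."""
import os
import re
import tempfile

CHUNK = 8  # payload bytes per file name
NAME_RE = re.compile(r"^log_(\d{4})_([0-9a-f]+)\.tmp$")


def send(directory, message):
    """Create one empty file per CHUNK bytes; the index field keeps the order."""
    names = []
    for index in range(0, len(message), CHUNK):
        chunk = message[index:index + CHUNK]
        name = "log_%04d_%s.tmp" % (index // CHUNK, chunk.hex())
        open(os.path.join(directory, name), "wb").close()  # zero-byte file
        names.append(name)
    return names


def receive(directory):
    """Rebuild the message from the listing alone, ignoring unrelated files."""
    parts = {}
    for name in os.listdir(directory):
        match = NAME_RE.match(name)
        if match:
            parts[int(match.group(1))] = bytes.fromhex(match.group(2))
    return b"".join(parts[i] for i in sorted(parts))


def suspicious_listing(directory, threshold=0.5):
    """Detection heuristic: a directory where most files are empty and carry
    a hex-looking name is more likely a channel than a log spool.
    Returns (flagged, fraction_of_empty_hex_named_files)."""
    names = os.listdir(directory)
    if not names:
        return False, 0.0
    hits = 0
    for name in names:
        full = os.path.join(directory, name)
        if os.path.getsize(full) == 0 and NAME_RE.match(name):
            hits += 1
    fraction = hits / len(names)
    return fraction >= threshold, fraction


def demo(message):
    """Run sender, receiver and detector in a temporary directory that also
    holds one unrelated decoy file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "readme.txt"), "w") as f:
            f.write("decoy")
        created = send(d, message)
        recovered = receive(d)
        flagged, fraction = suspicious_listing(d)
    return recovered, len(created), flagged, fraction


if __name__ == "__main__":
    print(demo(b"credit card batch 17 exported"))
```

The heuristic is deliberately simple; the general point is that the monitoring has to look at the metadata a channel modulates (names, sizes, timestamps, creation rate), since that is the only place the data exists.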

Non-traditional information channels can be formed at various levels of the information system's operation:

at the hardware level;

at the level of microcode and device drivers;

at the operating system level;

at the application software level;

at the level of the data transmission channels and communication lines.

These channels can be used both for covert transmission of copied information and for covert commands to perform destructive actions, launch applications, and so on.

To implement such channels it is usually necessary to introduce into the automated system a software or software-and-hardware implant that forms the non-traditional channel.

A non-traditional information channel can exist in the system continuously or be activated once or under specified conditions. Feedback with the subject of the unauthorized access is also possible.

5.7. General characteristics of the results of unauthorized or accidental access

Implementation of unauthorized-access (NSD) threats to information can lead to the following types of security violation:

confidentiality violation (copying, unlawful distribution);

integrity violation (destruction, modification);

availability violation (blocking).

Confidentiality violation can occur through leakage of information:

by copying it to removable media;

by transmitting it over data channels;

by viewing or copying it during repair, modification or disposal of software and hardware;

by "garbage collection" (scavenging of residual data) by the violator during operation of the information system.

Integrity violation is carried out through impact on (modification of) programs and user data, as well as technological (system) information, including:

firmware, data and drivers of the computing system's devices;

programs, data and device drivers that support operating system boot;

programs and data (descriptors, handles, structures, tables, etc.) of the operating system;

programs and data of application software;

programs and data of special-purpose software;

intermediate (working) values of programs and data in the course of processing (read/write, receive/transmit) by computing equipment and devices.

Integrity violation in the information system can also be caused by the introduction of malicious software or a hardware implant, or by impact on the information security system or its elements.

In addition, impact is possible on technological network information that supports the operation of various means of controlling the computing network:

the network configuration;

addresses and routes of data transfer on the network;

functional control of the network;

information security on the network.

Availability violation is achieved by forming (modifying) source data which, when processed, causes incorrect operation, equipment failures, or seizure (overloading) of the system's computing resources that programs and equipment need in order to operate.

These actions can lead to disruption or failure of practically any technical means of the information system:

information processing;

information input/output;

information storage;

transmission equipment and channels;

information security tools.

A necessary task for virus writers and cybercriminals is to introduce a virus, worm or Trojan program into the victim's computer or mobile phone. This goal is achieved in various ways, which fall into two main categories:

  • social engineering (the term is a calque of the English "social engineering");
  • technical techniques for introducing malicious code into the infected system without the user's knowledge.

Often these methods are used together. At the same time, special measures are taken to counter antivirus programs.

Social engineering

Social engineering methods, one way or another, make the user run the infected file or open a link to an infected website. These methods are used not only by numerous mail worms but also by other types of malicious software.

The task of hackers and virus writers is to attract the user's attention to the infected file (or an HTTP link to the infected file), to interest the user, and to make the user click the file (or the link to it). The "classic of the genre" is the LoveLetter mail worm of May 2000, which according to Computer Economics still leads in the scale of financial damage caused. The message the worm displayed on the screen looked like this:

Very many people responded to the "I Love You" declaration, and as a result the mail servers of large companies could not withstand the load: the worm sent copies of itself to all contacts in the address book each time the attached VBS file was opened.

The MyDoom mail worm, which "raced" across the Internet in January 2004, used texts imitating technical messages from a mail server.

Also worth mentioning is the Swen worm, which passed itself off as a message from Microsoft and masqueraded as a patch fixing a number of new Windows vulnerabilities (it is not surprising that many users succumbed to installing the "next update from Microsoft").

There are also cases such as one that occurred in November 2005. One version of the Sober worm reported that the German criminal police were investigating cases of visits to illegal websites. This letter reached a consumer of child pornography, who took it for an official letter and dutifully surrendered to the authorities.

Recently, it is not attachments in letters that have gained popularity but links to files hosted on an infected site. The message is sent to the potential victim by mail, via ICQ or another instant messenger, or less often through IRC chats (for mobile viruses, an SMS message is the usual delivery method). The message contains some attractive text that makes the unsuspecting user click the link. This penetration method is today the most popular and effective, since it bypasses the vigilant antivirus filters on mail servers.

The capabilities of file-sharing (P2P) networks are also used. The worm or Trojan program is placed in the P2P network under a variety of "tasty" names, for example:

  • AIM & AOL Password Hacker.exe
  • Microsoft CD Key Generator.exe
  • PornStar3D.exe
  • Play Station Emulator Crack.exe

While searching for new programs, users of P2P networks come across these names, download the files and run them.

"Scams" are also popular, in which the victim is offered a free utility or instructions for hacking various payment systems: for example, an offer of free Internet or mobile service, a credit card number generator, a way to increase the balance of a personal Internet wallet, and so on. Naturally, victims of such fraud are unlikely to go to law enforcement (after all, they themselves were trying to make money fraudulently), and Internet criminals take advantage of this.

An unusual "scam" was used by an unknown attacker from Russia in 2005-2006. The Trojan program was sent to addresses found on the Job.ru website, which specializes in employment and recruitment. Some of those who had published their resumes there received a supposed job offer with a file attached to the letter, which they were asked to open and read. The file was, of course, the Trojan program. Interestingly, the attack was carried out mainly against corporate mail addresses. The calculation was apparently that company employees would be unlikely to report the source of the infection. And so it happened: for more than six months Kaspersky Lab specialists could not obtain intelligible information about how the Trojan program had penetrated users' computers.

There are also fairly exotic cases, for example a letter with an attached document in which a bank's client is asked to confirm (or rather, to report) their access codes: print the document, fill out the attached form and then send it by fax to the phone number specified in the letter.

Another unusual case of delivering a spyware program "to the home" occurred in Japan in the autumn of 2005. Attackers sent CDs infected with a Trojan spy to the home addresses (city, street, house) of clients of one of the Japanese banks. Information from a previously stolen client database of that same bank was used for this.

Implementation technologies

Intruders use these technologies to introduce malicious code into a system covertly, without attracting the computer owner's attention. This is done through vulnerabilities in the security of operating systems and software. The presence of vulnerabilities allows a network worm or Trojan program crafted by an intruder to penetrate the victim computer and launch itself without help.

Vulnerabilities are essentially errors in the code or in the logic of various programs. Modern operating systems and applications have a complex structure and extensive functionality, and it is simply impossible to avoid errors in their design and development. This is exploited by viruses and computer intruders.

The Nimda and Aliz mail worms used vulnerabilities in the Outlook mail client. To launch the worm file, it was enough to open an infected message or simply to select it in the preview pane.

Malicious programs have also actively used vulnerabilities in the network components of operating systems. The worms CodeRed, Sasser, Slammer, Lovesan (Blaster) and many others running under Windows used such vulnerabilities to spread. Linux systems have also come under attack: the Ramen and Slapper worms penetrated computers through vulnerabilities in that operating environment and in applications for it.

In recent years, one of the most popular infection methods has become the introduction of malicious code through web pages. This often uses vulnerabilities in Internet browsers. A file and a script program that exploits a browser vulnerability are placed on the web page in advance. When the user visits the infected page, the script program is triggered; using the vulnerability, it downloads the infected file to the computer and launches it there. As a result, to infect a large number of computers it is enough to lure as many users as possible to such a web page. This is achieved in various ways, for example by sending spam with the page's address, by sending similar messages through instant messengers, and sometimes even by using search engines: varied text is placed on the infected page, sooner or later it is indexed by search engines, and the link to the page then appears among other pages in search results.

A separate class consists of Trojan programs designed to download and launch other Trojan programs. Usually these Trojans, which are very small, get onto the victim computer one way or another (for example, using the latest vulnerability in the system) and then independently download other malicious components from the Internet and install them in the system. Such Trojans often change browser settings to the least safe ones in order to "clear the road" for other Trojans.

Vulnerabilities that become known are corrected fairly promptly by developers, but information about new vulnerabilities appears constantly, and it is immediately put to use by numerous hackers and virus writers. Many Trojan "bots" use new vulnerabilities to increase their numbers, and new flaws in Microsoft Office immediately begin to be used to introduce the next Trojan programs onto computers. At the same time, unfortunately, there is a tendency for the time gap between the appearance of information about a vulnerability and its first use by worms and Trojans to shrink. As a result, vendors of vulnerable software and antivirus developers find themselves under time pressure: the former must fix the flaw as quickly as possible, test the result (usually called a "patch") and ship it to users, and the latter must immediately release a tool for detecting and blocking the objects (files, network packets) that use the vulnerability.

Combined use of implementation technologies and social engineering methods

Quite often, computer intruders use both kinds of method at once. The social engineering method serves to attract the potential victim's attention, and the technical one to increase the likelihood that the infected object penetrates the system.

For example, the MiMail mail worm spread as an e-mail attachment. To make the user pay attention to the letter, specially crafted text was inserted into it, and to launch the copy of the worm from the ZIP archive attached to the letter, a vulnerability in the Internet Explorer browser was used. As a result, when the file was opened from the archive, the worm created a copy of itself on the disk and launched it without any system warnings or additional actions by the user. Incidentally, this worm was one of the first designed to steal the personal information of users of the E-Gold Internet wallet system.

Another example is a spam mailing with the subject "Hi" and the text "see what they write about you". The text was followed by a link to a certain web page. Analysis showed that this web page contained a script program which, using another vulnerability in Internet Explorer, loaded the LdPinch Trojan program, designed to steal various passwords, onto the user's computer.

Countering antivirus programs

Since the goal of computer intruders is to introduce malicious code into victim computers, they need not only to force the user to launch an infected file or to enter the system through some vulnerability, but also to slip unnoticed past the installed antivirus filter. It is therefore not surprising that attackers deliberately fight antivirus programs. The technical techniques used are very diverse, but the following are encountered most often:

Packing and encrypting the code. A significant part (if not most) of modern computer worms and Trojan programs are packed or encrypted in one way or another. Moreover, the computer underground creates packing and encryption utilities specifically for this purpose. For example, absolutely all files processed with the Cryptexe, Exeref and Polycrypt utilities, and some others, turned out to be malicious.

To detect such worms and Trojans, antivirus programs have either to add new unpacking and decryption methods or to add a signature for each sample of the malicious program, which lowers detection quality, since not every possible modified sample of the code ends up in the hands of the antivirus company.
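Packing and encryption defeat exact-match signatures, but they leave their own trace: a compressed or encrypted section has bytes distributed almost uniformly, which plain machine code and string tables do not. The following Python example, added here and not part of the original text, implements the entropy triage that analysis pipelines use to route samples to a generic unpacker or emulator instead of to signature matching. No real executable format is parsed; the three "sections" (a repetitive code-like blob, a string table and a pseudo-random "packed" body from a seeded generator) and the section names are constructed for the example, and the thresholds are assumptions.

```python
"""Entropy triage for packed or encrypted executables.  Added example over
constructed byte blobs; section names and thresholds are assumptions."""
import math
import random
from collections import Counter

WINDOW = 512   # bytes per sliding window
STEP = 256     # window stride


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def windows(data, window=WINDOW, step=STEP):
    """Yield (offset, chunk) for each sliding window; a short blob is one window."""
    if len(data) <= window:
        yield 0, data
        return
    for offset in range(0, len(data) - window + 1, step):
        yield offset, data[offset:offset + window]


def high_entropy_windows(data, threshold=7.0):
    """Return (offset, entropy) for every window at or above the threshold."""
    hits = []
    for offset, chunk in windows(data):
        h = shannon_entropy(chunk)
        if h >= threshold:
            hits.append((offset, round(h, 2)))
    return hits


def looks_packed(sections, threshold=7.0, min_fraction=0.5):
    """sections: {name: bytes}.  Returns ({name: fraction of hot windows}, flag);
    the file is flagged when any section is mostly high-entropy."""
    report = {}
    for name, data in sections.items():
        total = sum(1 for _ in windows(data))
        hot = len(high_entropy_windows(data, threshold))
        report[name] = hot / total if total else 0.0
    return report, any(f >= min_fraction for f in report.values())


# Constructed sections: a repetitive x86-like prologue (low entropy), an import
# string table, and a "packed" body drawn from a seeded PRNG (near-uniform).
_rng = random.Random(1)
CODE = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x57] * 300)
STRINGS = b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0" * 60
PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    report, flag = looks_packed({".text": CODE, ".rdata": STRINGS, "UPX1": PACKED})
    print(report, "packed" if flag else "not packed")
```

The sliding window matters: a whole-file average hides a small encrypted stub inside a large clean binary, and a single hot window is enough to decide that the sample must be run or unpacked before any signature has a chance. The measure is a router, not a verdict; legitimately compressed resources (images, certificates, installer payloads) score just as high.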

Code mutation. Diluting the Trojan code with "garbage" instructions. As a result, the functionality of the Trojan program is preserved, but its "appearance" changes significantly. There are periodically cases where the code mutation happens in real time, on every download of the Trojan program from the infected website, so that all or a significant part of the samples of the Trojan coming from such a site differ from one another. An example of this technology is the Warezov mail worm, several versions of which caused significant epidemics in the second half of 2006.

Hiding its presence. The so-called "rootkit technologies", commonly used in Trojan programs. System functions are intercepted and replaced, so that the infected file is visible neither to the standard tools of the operating system nor to antivirus programs. Sometimes the registry branches in which a copy of the Trojan is registered, and other system areas of the computer, are hidden as well. These technologies are actively used, for example, by the HacDef Trojan backdoor.

Stopping the antivirus and the system for obtaining antivirus database updates. Many Trojan programs and network worms take special actions against antivirus programs: they look for them in the list of active applications and try to stop them, corrupt the antivirus databases, block the receipt of updates, and so on. Antivirus programs have to protect themselves in corresponding ways: monitor the integrity of their databases, hide their processes from Trojans, and so on.

Hiding its code on websites. The addresses of web pages hosting Trojan files sooner or later become known to antivirus companies. Naturally, such pages come under the close attention of antivirus analysts: the page's contents are downloaded periodically, and new versions of the Trojan programs are added to antivirus updates. To counter this, the web page is modified in a special way: if the request comes from an address belonging to an antivirus company, some harmless file is served instead of the Trojan.

Attack by numbers. Generating and distributing on the Internet a large number of new versions of Trojan programs within a short period. As a result, antivirus companies are "flooded" with new samples that take time to analyze, which gives the malicious code an additional chance of being introduced successfully onto computers.

These and other methods are used by the computer underground to counter antivirus programs. At the same time, cybercriminal activity grows year after year, and one can now speak of a real "technology race" between the antivirus industry and the virus industry. At the same time, the number of individual hackers and criminal groups, as well as their professionalism, is growing. All of this together greatly increases the complexity and amount of work antivirus companies must do to keep their protection at a sufficient level.

Software-mathematical impact is impact by means of malicious programs. A program with potentially hazardous consequences, or malicious program, is an independent program (set of instructions) capable of performing any non-empty subset of the following functions:

· hide signs of its presence in the computer's software environment;

· self-replicate, attach itself to other programs and (or) transfer its fragments to other areas of main or external memory;

· destroy (distort in an arbitrary way) the code of programs in main memory;

· perform, without initiation by the user (by a user program in the normal execution mode), destructive functions (copying, destruction, blocking, and the like);

· save fragments of information from RAM in areas of direct-access external memory (local or remote);

· distort in an arbitrary way, block and (or) substitute an array of information that is output to external memory or to a communication channel as a result of the work of application programs, or an array of data already located in external memory.

Malicious programs can be introduced (implanted) both deliberately and accidentally into the software used in the CDN, in the process of its development, maintenance, modification and configuration. In addition, malware can be introduced during the operation of the CDN from external media or through network interaction, both as a result of NSD and accidentally by users of the CDN.

Modern malicious programs are based on the use of vulnerabilities in various kinds of software (system, general-purpose, application) and various network technologies, possess a wide range of destructive capabilities (from unauthorized examination of PDN parameters without interfering with the functioning of the CDN, up to the destruction of PDNs and CDN software) and can act in all types of software (system, application, hardware drivers, etc.).

The presence of malicious programs can contribute to the emergence of hidden, including non-traditional, channels of access to information that allow the protective mechanisms provided in the system, including password and cryptographic protection, to be exposed, bypassed or blocked.

The main types of malicious programs are:

· Software implants ("software bookmarks");

· Classic software (computer) viruses;

· Malicious programs propagating over the network (network worms);

· Other malicious programs intended for carrying out NSD.

Software implants ("bookmarks") include programs, code fragments and instructions that form undeclared capabilities of software. Malicious programs can pass from one type to another; for example, a software implant can generate a software virus, which in turn, on reaching network conditions, can form a network worm or another malicious program designed to carry out NSD.

A brief description of the main malicious programs comes down to the following. Boot viruses write themselves either into the boot sector of a disk, or into the sector containing the Master Boot Record (MBR), or change the pointer to the active boot sector. They are introduced into the computer's memory when booting from an infected disk. In this case the system loader reads the contents of the first sector of the disk from which the boot is performed, places the read information into memory and transfers control to it (i.e. to the virus). After that the virus instructions are executed, which, as a rule, reduce the amount of free memory, copy the virus code into the freed space and read its continuation from the disk (if there is one), intercept the necessary interrupt vector (usually int 13h), read the original boot sector into memory and transfer control to it.

Subsequently, the boot virus behaves in the same way as a file virus: it intercepts the operating system's accesses to disks and infects them, and depending on certain conditions performs destructive actions or causes sound or video effects.
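As an added example (not part of the original text), the following check shows how a defender can verify that a 512-byte MBR has not been overwritten in the way described above: it compares the boot code against a known-good hash, checks the 0x55AA boot signature and parses the partition table for an active entry and for overlapping entries. The boot code and partition entries are constructed sample data, not a real loader.

```python
import hashlib
import struct

PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(boot_code, parts, signature=b"\x55\xAA"):
    """Build a constructed 512-byte MBR: 446 bytes of boot code, four 16-byte
    partition entries and the 2-byte boot signature. Sample data only."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(struct.pack(PART_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
                     for status, ptype, lba, count in parts)
    return code + table.ljust(64, b"\x00") + signature

def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts (CHS fields ignored)."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, mbr[off:off + 16])
        if ptype != 0:
            entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries

def check_mbr(mbr, baseline_boot_hash):
    """Compare an MBR against a known-good baseline; return a list of findings
    (an empty list means nothing suspicious was seen)."""
    if len(mbr) != 512:
        return ["not a 512-byte sector"]
    findings = []
    if mbr[510:512] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr[:446]).hexdigest() != baseline_boot_hash:
        findings.append("boot code differs from baseline (possible boot-sector overwrite)")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table empty")
    elif not any(p["status"] == 0x80 for p in parts):
        findings.append("no active partition")
    ranges = sorted((p["lba"], p["lba"] + p["count"]) for p in parts)
    if any(s2 < e1 for (_, e1), (s2, _) in zip(ranges, ranges[1:])):
        findings.append("partition entries overlap")
    return findings

# Constructed sample data (not a real loader): a "known-good" MBR and a tampered one
# whose boot code was replaced and whose partition table was wiped.
CLEAN_BOOT_CODE = b"\xeb\x3c\x90" + b"constructed clean loader"
SAMPLE_PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTS)
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:446]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"constructed overwritten loader", [])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))  # two findings
```

In practice the baseline hash is recorded when the disk is known to be clean and the sector is re-read on each check; a hash mismatch on its own is not proof of infection (a legitimate bootloader update changes it too), which is why it is reported alongside the structural checks.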

The main destructive actions performed by these viruses are:

· Destruction of information in sectors of floppy disk and hard drive;

· Making it impossible to load the operating system (the computer "freezes");

· Distortion of the loader code;

· Formatting of diskettes or logical disks of the hard drive;

· Blocking access to COM and LPT ports;

· Replacing characters when printing texts;

· Screen twitching;

· Changing the label of a disk or floppy disk;

· Creating pseudo-free clusters;

· Creating sound and (or) visual effects (for example, letters falling on the screen);

· Corrupting data files;

· Displaying a variety of messages;

· Disabling peripheral devices (for example, the keyboard);

· Changing the screen palette;

· Filling the screen with extraneous characters or images;

· Blanking the screen and switching into a mode of waiting for keyboard input;

· Encrypting sectors of the hard drive;

· Selective destruction of characters displayed on the screen as they are typed from the keyboard;

· Reducing the amount of available RAM;

· Changing the printed output of the screen contents;

· Blocking writes to the disk;

· Destroying the partition table (Disk Partition Table), after which the computer can be booted only from a floppy disk;

· Blocking the start of executable files;

· Blocking access to the hard drive ("Winchester").



Figure 3. Classification of software viruses and network worms


Most boot viruses write themselves onto floppy disks.

The overwriting infection method is the simplest: the virus writes its code in place of the code of the infected file, destroying its contents. Naturally, the file then stops working and cannot be restored. Such viruses reveal themselves very quickly, since the operating system and applications soon stop working.

The "companion" category includes viruses that do not change the infected files. The algorithm of these viruses is that a twin file is created for the infected file, and when the infected file is started, control is received by this twin, that is, by the virus. The most common are companion viruses that use the DOS feature of executing files with the extension .com first if there are two files with the same name but different extensions (.com and .exe) in one directory. Such viruses create satellite files for EXE files with the same name but the extension .com; for example, the file XCOPY.COM is created for the file xcopy.exe. The virus is written into the COM file and does not change the EXE file. When such a file is started, DOS first finds and executes the COM file, that is, the virus, which then starts the EXE file as well. The second group consists of viruses which, on infection, rename the file to some other name, remember it (for the subsequent launch of the host file) and write their code to disk under the name of the infected file. For example, the file xcopy.exe is renamed to xcopy.exd, and the virus is written under the name xcopy.exe. On start-up, control is received by the virus code, which then starts the original XCOPY stored under the name xcopy.exd. It is interesting that this method apparently works in all operating systems. The third group includes so-called "path-companion" viruses. They either write their code under the name of the infected file but one level "above" in the search path (so DOS finds and launches the virus file first), or move the victim file one subdirectory up, etc.

Other types of companion viruses, using other original ideas or features of other operating systems, may also exist.
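To make the three companion patterns above concrete from the defender's side, here is an added example (not from the original text) that scans a constructed directory listing for a .COM twin beside a .EXE, a renamed host with a one-character-off extension, and the same executable name earlier in the search path. The listing, the PATH order and the one-character heuristic are assumptions of this example.

```python
# Indicators of the three companion-virus patterns, run over a constructed listing.
EXEC_EXTS = {"COM", "EXE", "BAT"}

SAMPLE_FILES = [                      # (directory, file name); constructed sample data
    ("C:\\DOS", "XCOPY.EXE"),
    ("C:\\DOS", "XCOPY.COM"),         # group 1: .COM twin beside the .EXE
    ("C:\\DOS", "FORMAT.COM"),
    ("C:\\UTIL", "EDIT.EXE"),
    ("C:\\UTIL", "EDIT.EXD"),         # group 2: renamed host next to its own name
    ("C:\\", "EDIT.EXE"),             # group 3: same name earlier in PATH
    ("C:\\UTIL", "README"),           # no extension, ignored
]
SAMPLE_PATH = ["C:\\", "C:\\DOS", "C:\\UTIL"]

def _split(name):
    """Upper-cased (stem, extension); extension is '' when there is no dot."""
    stem, dot, ext = name.upper().rpartition(".")
    return (stem, ext) if dot else (name.upper(), "")

def _by_stem(files):
    """Map (directory, stem) to the set of extensions present there."""
    groups = {}
    for d, name in files:
        stem, ext = _split(name)
        groups.setdefault((d.upper(), stem), set()).add(ext)
    return groups

def find_com_exe_twins(files):
    """Group 1: a .COM and a .EXE with the same stem in one directory; DOS runs
    the .COM first. Returns sorted (directory, stem) pairs."""
    return sorted(k for k, exts in _by_stem(files).items() if {"COM", "EXE"} <= exts)

def _one_char_off(a, b):
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def find_renamed_hosts(files):
    """Group 2: an executable plus a sibling whose extension is one character
    away from COM/EXE (e.g. EDIT.EXE next to EDIT.EXD). Returns (dir, stem, ext)."""
    hits = []
    for (d, stem), exts in _by_stem(files).items():
        if not exts & {"COM", "EXE"}:
            continue
        hits += [(d, stem, e) for e in exts
                 if e not in EXEC_EXTS and any(_one_char_off(e, x) for x in ("COM", "EXE"))]
    return sorted(hits)

def find_path_shadows(files, search_path):
    """Group 3: the same executable name in two PATH directories; the copy earlier
    in PATH is the one DOS finds first. Returns (name, shadowing_dir, shadowed_dir)."""
    order = {d.upper(): i for i, d in enumerate(search_path)}
    locations = {}
    for d, name in files:
        if _split(name)[1] in EXEC_EXTS and d.upper() in order:
            locations.setdefault(name.upper(), set()).add(d.upper())
    hits = []
    for name, dirs in locations.items():
        first, *rest = sorted(dirs, key=order.get)
        hits += [(name, first, later) for later in rest]
    return sorted(hits)
```

Each hit is only an indicator: a .COM/.EXE pair or a shadowed name can be legitimate, so the output is meant for review against a baseline of the installation rather than for automatic deletion.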

File worms are, in a sense, a type of companion virus, but they do not associate their presence with any executable file in any way. When reproducing, they only copy their code into some disk directories in the hope that the user will one day run these new copies. Sometimes these viruses give their copies "special" names to encourage the user to launch them, for example install.exe or winstart.bat. There are worm viruses that use fairly unusual techniques, for example writing their copies into archives (ARJ, ZIP and others). Some viruses write the launch of an infected file into BAT files. File worms should not be confused with network worms: the former use only the file functions of an operating system, while the latter use network protocols for their reproduction.

Link viruses, like companion viruses, do not change the physical contents of files, but when an infected file is started they force the OS to execute their code. They achieve this by modifying the necessary fields of the file system.

Viruses infecting compiler libraries, object modules and program source texts are quite exotic and practically uncommon. Viruses infecting OBJ and LIB files write their code into them in the format of an object module or library. The infected file is therefore not executable and is not capable of spreading the virus further in its current state. The carrier of the "live" virus becomes a COM or EXE file.

Having received the control, the file virus performs the following general actions:

· Checks RAM for its own copy and infects the computer's memory if a copy of the virus is not found (if the virus is resident); searches for uninfected files in the current and (or) root directory by scanning the directories of the logical disk, and then infects the detected files;

· Performs additional functions (if any): destructive actions, graphic or sound effects, etc. (the additional functions of a resident virus may be invoked some time after activation, depending on the current time, the system configuration, the virus's internal counters or other conditions; in this case, on activation, the virus processes the state of the system clock, sets its counters, etc.);

· Returns control to the main program (if there is one).

It should be noted that the faster a virus spreads, the more likely an epidemic of this virus becomes, while the slower it spreads, the harder it is to detect (if, of course, the virus is unknown). Non-resident viruses are often "slow": most of them infect one, two or three files at start-up and do not have time to flood the computer before the antivirus program is launched (or a new version of the antivirus tuned to this virus appears). There are, of course, non-resident "fast" viruses that search for and infect all files, but such viruses are very noticeable: when each infected file is started, the computer works actively with the hard drive for some (sometimes quite long) time, which exposes the virus. The speed of distribution (infection) of resident viruses is usually higher than that of non-resident ones, since they infect files on any access to them. As a result, all files that are constantly used in work become infected on the disk. The speed of distribution (infection) of resident file viruses that infect files only when they are started for execution will be lower than that of viruses that also infect files when they are opened, renamed, have their attributes changed, etc.

Thus, the main destructive actions performed by file viruses are associated with damage to files (more often executable files or data files), the unauthorized launch of various commands (including formatting, destruction and copying commands, etc.), changes to the interrupt vector table, and so on. At the same time, many destructive actions similar to those indicated for boot viruses can be performed.

Macro viruses are programs in the languages (macro languages) embedded in some data processing systems (text editors, spreadsheets, etc.). For reproduction, such viruses use the capabilities of macro languages and with their help transfer themselves from one infected file (document or spreadsheet) to others. Macro viruses are most common for the Microsoft Office application package.

For viruses to exist in a specific system (editor), the built-in macro language must have the following capabilities:

1) binding a program in the macro language to a specific file;

2) copying macro programs from one file to another;

3) the macro program obtaining control without user intervention (automatic or standard macros).

These conditions are satisfied by the Microsoft Word, Excel and Microsoft Access applications. They contain macro languages: Word Basic and Visual Basic for Applications. In these:

1) macro programs are tied to a specific file or are located inside the file;

2) the macro language allows files to be copied or macro programs to be moved into system service files and editable files;

3) when working with a file under certain conditions (opening, closing, etc.), macro programs (if any) are called that are defined in a special way or have standard names.

This feature of macro languages is intended for automatic data processing in large organizations or in global networks and allows so-called "automated document management" to be organized. On the other hand, the macro language capabilities of such systems allow a virus to transfer its code to other files and thus infect them.

Most macro viruses are active not only at the moment of opening (closing) a file, but for as long as the editor itself is active. They contain all their functions in the form of standard Word/Excel/Office macros. There are, however, viruses that use techniques to hide their code and store it in a form other than macros. Three such techniques are known; they all use the ability to create, edit and execute other macros. As a rule, such viruses have a small (sometimes polymorphic) virus macro that invokes the built-in macro editor, creates a new macro, fills it with the main code of the virus, executes it and then, as a rule, destroys it (to hide the traces of the virus's presence). The main code of such viruses is present either in the virus macro itself in the form of text strings (sometimes encrypted), or is stored in the document's variables area.

Network viruses are those that actively use the protocols and capabilities of local and global networks for their distribution. The main principle of a network virus is the ability to independently transfer its code to a remote server or workstation. "Full-fledged" network viruses also have the ability to run their code on a remote computer or, at least, to "push" the user into launching an infected file.

Malicious programs that enable NSD may be:

· Programs for guessing and cracking passwords;

· Programs that implement threats;

· Programs demonstrating the use of undeclared capabilities of the software and software-hardware components of the CDN;

· Computer virus generator programs;

· Programs demonstrating information security vulnerabilities, etc.

Due to the growing complexity and diversity of software, the number of malicious programs is increasing rapidly. Today more than 120 thousand signatures of computer viruses are known. At the same time, not all of them represent a real threat. In many cases, the elimination of vulnerabilities in system or application software has meant that a number of malicious programs can no longer be implanted in them. Often the main danger is posed by new malicious programs.

Classification of intruders

Based on whether they belong to the CDN, all intruders are divided into two groups:

External intruders: individuals who do not have the right to be present on the territory of the controlled zone within which the CDN equipment is located;

Internal intruders: individuals who have the right to be present on the territory of the controlled zone within which the CDN equipment is located.

External intruder

An external information security intruder is considered to be an intruder who has no direct access to the technical means and resources of the system within the controlled zone.

It is assumed that an external intruder cannot affect the protected information through technical leakage channels, since the amount of information stored and processed in the CDN is insufficient to motivate an external intruder to carry out actions aimed at obtaining information through leakage channels.

It is assumed that an external intruder can affect the protected information only during its transmission over communication channels.

Internal intruder

The capabilities of an internal intruder depend significantly on the restrictive factors in force within the controlled zone, the main one being the implementation of a set of organizational and technical measures, including the selection, placement and provision of highly trained personnel, the admission of individuals inside the controlled zone and the control of the procedure for carrying out work, aimed at preventing and suppressing unauthorized access.

The access control system of the CDN provides a delimitation of users' rights of access to information, software, hardware and other resources in accordance with the adopted information security policy (rules). Internal intruders may include (table):

Administrators of specific subsystems or databases of the CDN (category II);

Users who are external relative to a specific AC (category IV);

Persons with the ability to access the data transmission system (Category V);

ORD employees with authorized access to the premises in which CDN elements are located, but not having access to them (category VI);

Service personnel (security, engineering and technical workers, etc.) (category VII);

Authorized personnel of the CDN developers who, on a contractual basis, have the right to maintain and modify the components of the CDN (category VIII).

Persons of categories I and II are assigned the tasks of administering the software, hardware and databases of the CDN in order to integrate and ensure the interaction of the various subsystems that are part of the CDN. Administrators can potentially implement information security threats, using their capabilities for direct access to the protected information processed and stored in the CDN, as well as to the technical and software means of the CDN, including the protection means used in a specific AC, in accordance with the administrative powers established for them.

These persons are well acquainted with the main algorithms and protocols implemented and used in specific subsystems and in the CDN as a whole, as well as with the principles and concepts of security applied.

It is assumed that they could use standard equipment either to identify vulnerabilities or to implement information security threats. This equipment may be part of the regular equipment or may be easily obtainable (for example, software obtained from publicly accessible external sources).

In addition, it is assumed that these persons could have specialized equipment.

In view of the exceptional role of persons of categories I and II, a set of special organizational and regime measures should be applied to their selection, employment, appointment and the control of the fulfilment of their functional duties.

It is assumed that only trusted persons will be included in categories I and II, and therefore these persons are excluded from the number of probable intruders.

It is assumed that persons of categories III-VIII are probable intruders.

The capabilities of an internal intruder depend significantly on the regime in force within the controlled zone and on the organizational and technical protection measures, including the admission of individuals to PDNs and the control of the procedure for carrying out work.

Internal potential intruders are divided into eight categories depending on the method of access and the permissions for access to PDNs.