CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney
before they’re detected.

The best preventive measure for Trojan horses is to not allow them entry into your system. Immediately before and after you install a new software program or operating system, back it up! If you suspect a Trojan horse, you can reinstall the original programs, which should delete the Trojan horse. A port scan may also reveal a Trojan horse on your system. If an application opens a TCP or UDP port that isn’t regularly used in your network, you can notice this and begin corrective action.
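The port check described above, as an added example that is not from the study guide: it parses listening sockets in the style of `ss -tulpn` output, compares them against an allowlist of the ports a host is expected to serve, and flags anything else for investigation. The baseline and the sample output are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Set, Tuple


class Listener(NamedTuple):
    proto: str
    port: int
    process: str


# Hypothetical baseline for a small file server: the only services expected
# to listen. Anything else is "a port that isn't regularly used" and gets flagged.
BASELINE: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 445), ("udp", 53)}

# Constructed sample in the style of `ss -tulpn` output; not real captured data.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=900,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=410,fd=12))
tcp   LISTEN 0      5      0.0.0.0:5555        0.0.0.0:*         users:(("updater",pid=4021,fd=4))
"""

# One data line: protocol, state, queues, local addr:port, peer, then the process name.
_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\")?"
)


def parse_listeners(ss_output: str) -> List[Listener]:
    """Turn ss-style text into Listener records, skipping the header and blanks."""
    found = []
    for line in ss_output.splitlines():
        m = _LINE.match(line)
        if m:
            found.append(Listener(m["proto"], int(m["port"]), m["proc"] or "?"))
    return found


def find_unexpected(listeners: List[Listener], baseline=BASELINE) -> List[Listener]:
    """Return listeners whose (proto, port) pair is not in the approved baseline."""
    return [l for l in listeners if (l.proto, l.port) not in baseline]


if __name__ == "__main__":
    for hit in find_unexpected(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"unexpected {hit.proto}/{hit.port} owned by {hit.process!r}; investigate")
```

On a real host the same comparison is run against the live `ss` or `netstat` output, with the baseline recorded from a known-good build before any third-party software is installed.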

Is a Trojan horse also a virus? A Trojan horse is anything that sneaks in under the guise of something else. Given that general definition, it’s certainly possible that a virus can (and usually does) sneak in, but this description most often fits the definition of a companion virus. The primary distinction, from an exam perspective, is that with a Trojan horse you always intentionally obtained something (usually an application) and didn’t know an unpleasant freeloader was hidden within. An example is spyware, which is often installed (unknown to you) as part of another application.

Logic Bombs

Logic bombs are programs or snippets of code that execute when a certain predefined event occurs. A bomb may send a note to an attacker when a user is logged on to the Internet and is using a word processor. This message informs the attacker that the user is ready for an attack.

Figure 2.20 shows a logic bomb in operation. Notice that this bomb doesn’t begin the attack but tells the attacker that the victim has met the needed criteria or state for an attack to begin. Logic bombs may also be set to go off on a certain date or when a specified set of circumstances occurs.

In the attack depicted in Figure 2.20, the logic bomb sends a message back to the attacking system that it has loaded successfully. The victim system can then be used to initiate an attack such as a DDoS attack, or it can grant access at the time of the attacker’s choosing.

FIGURE 2.20 A logic bomb being initiated

Worms

A worm is different from a virus in that it can reproduce itself, it’s self-contained, and it doesn’t need a host application to be transported. Many of the so-called viruses that have made the papers and media were, in actuality, worms and not viruses. However, it’s possible for a worm to contain or deliver a virus to a target system.

The Melissa virus (which was actually a worm) spread itself to more than 100,000 users in a relatively short period when it first came out, according to CERT. One site received more than 32,000 copies of the Melissa virus in a 45-minute period.

Worms by their nature and origin are supposed to propagate and will use whatever services they’re capable of to do that. Early worms filled up memory and bred inside the RAM of the target computer. Worms can use TCP/IP, e-mail, Internet services, or any number of means to reach their target.

Antivirus Software
The primary method of preventing the propagation of malicious code involves the use of antivirus software. Antivirus software is an application that is installed on a system to protect it and to scan for viruses as well as worms and Trojan horses. Most viruses have characteristics that are common to families of viruses. Antivirus software looks for these characteristics, or fingerprints, to identify and neutralize viruses before they impact you.

More than 60,000 known viruses, worms, bombs, and other malicious code have been defined. New ones are added all the time. Your antivirus software manufacturer will usually work very hard to keep the definition database files current. The definition database file contains all of the known viruses and countermeasures for a particular antivirus software product. You probably won’t receive a virus that hasn’t been seen by one of these companies. If you keep the virus definition database files in your software up-to-date, you probably won’t be overly vulnerable to attacks.

The best method of protection is to use a layered approach. Antivirus software should be at the gateways, at
