CHAPTER 1
Systems Security Overview

EXAM OBJECTIVES IN THIS CHAPTER

Security Threats

Hardware and Peripheral Security Risks

INTRODUCTION

There are security risks to almost any system. Any computer, network, or device that can communicate with other technologies, allows software to be installed, or is accessible to groups of people faces an increasing number of potential threats. The system may be at risk of unauthorized access, disclosure of information, destruction or modification of data, code attacks through malicious software, or any number of other risks discussed in this book.

Some of the most common threats to systems come in the form of malicious software, which is commonly referred to as malware. Malware programs are carefully crafted, written, and designed by attackers to compromise security and/or do damage. These programs are written to be independent and do not always require user intervention or for the attacker to be present for their damage to be done. Among the many types of malware, the ones we will look at in this chapter are viruses, worms, Trojan horses, spyware, adware, logic bombs, and rootkits.

Every year, an increasing number of devices are at risk. The communication methods and functionality traditionally associated with computers have expanded over the years, moving from stand-alone computers to networks to mobile devices. The core components of a computer, like the basic input/output system (BIOS), can be compromised, and the data stored on network and removable devices can be stolen, corrupted, or destroyed. In addition, there are other technologies that can be threatened by attacks and malicious software. Every year more Universal Serial Bus (USB) devices are introduced into the market, and these devices can either be used to disseminate malicious code or be damaged by attacks, while software installed on cell phones can be just as vulnerable to viruses as programs running on computers. Preparing for potential threats requires understanding what devices exist in your organization and taking the appropriate steps to ensure their security.

SECURITY THREATS

In terms of computers and networks, security is the process of protecting systems and data from unauthorized access, from malicious users and software, and from other threats that could result in the loss of integrity, damage, or loss of data and equipment. Securing systems requires safeguarding not only data but also the equipment on which this information resides and across which it is transmitted. To do this, companies may incorporate a wide variety of security measures, including cameras to monitor and prevent damage and theft of computers, peripherals, media, and other technology. They will also hire professionals with a level of expertise in using firewalls and other software to protect data.

Threats can come from internal and external sources, and both can be equally dangerous. System administrators commonly deal with external threats, but may overlook an organization’s internal threats. While it’s important to set up firewalls to protect against hackers and virus-infected file attachments in e-mail, this action would do nothing against a disgruntled or uneducated employee who could insert a USB flash drive into a computer and release a virus or unwittingly install a program that sends sensitive information to a third party. When you are protecting an organization against threats, it is important to identify the sources so that you can then set up appropriate countermeasures.

There are many reasons why these threats exist to various systems. Programming students may merely want to exercise their skills and prove they can write the code that creates a virus, whereas other groups may have a particular agenda in destroying data. Other people may use a variety of tools and skills to gain entry to systems, with some of them simply satisfying the curiosity of wanting to see what they’re not supposed to see. Others will attempt to perform these actions for financial motivation, such as in cases of corporate espionage, blackmail, or other criminal activities. All of these threats have one thing in common, however … it’s up to you to understand and stop them from harming your organization.

Privilege Escalation

Privilege escalation occurs when a user acquires greater permissions and rights than he or she was intended to receive. Of course, network administrators can make mistakes and assign a user greater privilege than originally intended, but the major threat we’ll discuss here comes from software. A user could gain unauthorized access and elevated privileges through bugs or backdoors in programs. Bugs are errors in software, causing the program to function in a manner that wasn’t intended. Backdoors are methods of accessing a system in a manner that bypasses normal authentication methods. For example, a developer may include a backdoor into a program, so that he or she can gain access to an application when it’s being debugged. Unfortunately, if the backdoor remains after the software is released or bugs don’t get fixed, a hacker or other unauthorized user can exploit these vulnerabilities and gain greater access to systems, such as having administrator access to the system.

Preventing privilege escalation from occurring relies on the software developer providing good support, and system administrators being diligent in keeping up-to-date on any security issues and fixes available for software on systems. Programmers need to ensure that after a program has been debugged, any backdoors in the software have been removed. If the software has already been released and a developer discovers any backdoors and/or errors in the code, these need to be reported to the development team so that a patch can be created that will fix the problem. System administrators should check the software vendor’s Web site to see if any patches or security updates are available. These should then be downloaded and installed on systems to fix any problems. For example, Microsoft regularly provides fixes to potential security problems on its Windows Update Web site (http://windowsupdate.microsoft.com), which can automatically scan your computer to identify if there are any patches or updates that need to be applied to Microsoft products.

Viruses and Worms

Malicious software has appeared in many forms over the decades, but the problem has increased as more computers and devices communicate with one another. Before networking became common, a person transferring data needed to physically transport software between machines, often using floppy disks or other removable media. Malicious software could write itself to the media without the user’s knowledge, but the chances of this event occurring in a secure environment were minimal. After all, without networks, data was being passed from one computer within an organization to another, with minimum connectivity to the outside world. Unless an employee wrote malicious code or accidentally acquired some from a vendor or client, there was little chance of being infected. This changed dramatically with the widespread use of networking (especially the Internet), where exploitable vulnerabilities, file sharing, or e-mail attachments make it very easy for malware to disseminate.

There are many different types of malicious code that are written with the intention of causing damage to systems, software, and data. The code may be used to target a particular person or organization, but in most cases, it is a mass attack; whoever comes in contact with it becomes a victim. While we’ll discuss many different types of malicious code in the pages that follow and see how they can wreak havoc on networks and computers, two of the most common forms are viruses and worms.

Head of the Class

Viruses, Worms, and Removal Information

A good resource for keeping up-to-date on the latest threats, risks, and vulnerabilities is Symantec’s Threat Explorer site at www.symantec.com/norton/security_response/threatexplorer/index.jsp. At this site, you can view information on new threats, and browse or search Symantec’s database for information on viruses, worms, and other malicious software. When looking at a particular virus in the database, you’ll find information on how significant a threat the worm or virus is, the technical details about the worm or virus, and information on how to remove the worm or virus from a system.

Viruses

Viruses are probably the most well-known type of malicious code. A computer virus is defined as a self-replicating computer program that interferes with the hardware, software, or operating system (OS) of a computer. It is code that has the primary purpose of creating a copy of itself that attaches to other files. These code segments contain enough information to replicate and perform other damage, such as deleting or corrupting important files on your system. Like any other computer program, a virus must be executed to function (it must be loaded into the memory of the computer) and then the computer must follow the virus’s instructions. Those instructions constitute the payload of the virus. The payload may disrupt or change data files, display a message, or cause the OS to malfunction.

Using this definition, let’s explore in more depth exactly what a virus does and what its potential dangers are. Viruses spread when the instructions (executable code) that run programs are transferred from one computer to another. A virus can replicate by writing itself to removable media, hard drives, or legitimate computer programs across the local network or even throughout the Internet. One positive aspect is that a computer attached to an infected computer network or one that downloads an infected program does not necessarily become infected. Remember, the code has to actually be executed before your machine can become infected. However, chances are good that if you download a virus to your computer and do not explicitly execute it, the virus may contain the logic to trick your OS into running the viral program. Other viruses exist that have the capability to attach themselves to otherwise legitimate programs. This could occur when programs are created, opened, or even modified. When the program is run, so is the virus.

Let’s take a closer look at the following categories that a virus could fall under and the definitions of each:

• Parasitic: Parasitic viruses infect executable files or programs in the computer. This type of virus typically leaves the contents of the host file unchanged, but appends to the host in such a way that the virus code is executed first.

• Bootstrap sector: Bootstrap sector viruses live on the first portion of the disk, known as the boot sector (this includes both hard disks and other removable media). This virus replaces either the programs that store information about the contents of the disk or the programs that start the computer. This type of virus is most commonly spread through the physical exchange of removable media.

• Multipartite: Multipartite viruses combine the functionality of the parasitic virus and the bootstrap sector viruses by infecting either files or boot sectors.

• Companion: A companion virus, instead of modifying an existing program, creates a new program with the same name as an already existing legitimate program. It then tricks the OS into running the companion program, which delivers the virus payload.

• Link: Link viruses function by modifying the way the OS finds a program, tricking it into first running the virus and then the desired program. This virus is especially dangerous, because entire directories can be infected. Any executable program accessed within the directory will trigger the virus.

• Data File: A data file virus can open, manipulate, and close data files. Data file viruses are written in macro languages and automatically execute when the legitimate program is opened. A well-known type of data file virus is a macro virus, which can be embedded in such files as Microsoft Office documents and spreadsheets.

Hoax Viruses

Hoax viruses are inauthentic warnings of viruses. These hoaxes consist of a warning designed to fool the recipient into believing that the virus is real. Although the viruses aren’t real, they can sometimes be as dangerous as the real thing.

• The warnings may provide instructions on how to “remove” the virus, informing the recipient to delete crucial files or make registry changes that may cause the OS or specific programs to fail.

• Users who become jaded by hoax viruses may begin to ignore legitimate warnings about real viruses.

• In some cases, a known virus hoax may be modified to include a real virus. For example, in March 1997, a hoax warning began to be distributed on America Online advising that an e-mail with the subject “aol4free.com” contained a virus that could delete files from your hard disk. This e-mail warning was a hoax. However, around the same time, someone attached a Trojan horse program named AOL4FREE.COM to the original hoax e-mail. People who believed the e-mail to be a hoax would click the attachment, executing the Trojan, which invoked the DOS program DELTREE.exe to delete files from the victim’s hard disk.

Worms

Worms are another common type of malicious code, and are often confused with viruses. A worm is a self-replicating program that does not alter files but resides in active memory and duplicates itself by means of computer networks. It can travel across a network from one computer to another, and in some cases, different parts of a worm run on different computers. Worms run automatically within the OSes and software and are invisible to the user. Often, worms aren’t even noticed on systems until the network resources are completely consumed or the victim PC’s performance is degraded to unusable levels.

Some worms not only self-replicate but also contain a malicious payload. As we’ll see later in this chapter when we discuss botnets, some worms will create a backdoor that allows access to the computer. A backdoor is an undocumented and, generally, an unauthorized way of gaining remote access to a computer. Once the system is compromised, the backdoor will listen for commands on a network port, allowing the computer to be accessed by a hacker or controlled by the worm’s creator.

EXAM WARNING A worm can take down a system because it has the capability to replicate itself inside of the memory of the target computer. Once it uses up the memory, the system goes down. Similarly, the replication of worms across a network can use up bandwidth, causing any transmission of legitimate data across the network to slow dramatically.

Hackers create malicious worms that replicate wildly and can also exploit weaknesses in the OS and perform other harmful actions. Their capability to replicate quickly makes them an attractive tool for attackers. There are many ways in which worms can be transmitted, including e-mail, Internet chat rooms, peer-to-peer (P2P) programs, and of course the Internet.

Difference Between Viruses and Worms

The distinction between viruses and worms has become blurred. Originally, the term worm was used to describe code that attacked multiuser systems (networks), whereas the term virus described programs that replicated on individual computers. However, these attributes are no longer the key factors that discriminate between the two, as both are used for widespread attacks and are commonly disseminated using networks like the Internet. However, while there are similarities between worms and viruses, there are also a number of key differences.

Like a normal virus, worms replicate themselves to spread across the network. However, a virus needs a host application to transport itself, whereas worms are self-contained. For example, a hacker may incorporate a virus in an executable, so that when someone executes the program, that person’s computer becomes infected. A worm, however, will replicate from system-to-system, and duplicates itself by means of computer networks. Worms use the facilities of an OS that are meant to be automatic and invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes the resources of the system, which then slows or halts other tasks.

Whereas a virus intends to damage the system and the files stored there, a worm is intended to consume the resources on the system. A worm doesn’t alter the files on a computer, but will replicate to the point that network bandwidth is used up (making the network slow down) and/or use up memory on a machine until it finally shuts down. This results in a server crash that cannot be remedied until the worm has been removed from the system.

TEST DAY TIP On the day of the exam, review the differences between viruses and worms. By understanding the differences, you will be able to identify whether a question is asking you about one or the other, and this knowledge may lead you toward the correct answer.

Virus Examples

There are thousands of viruses that have been disseminated over the decades, resulting in innumerable annoying messages and damaged files on people’s computers. To understand some of the elements and damage caused by viruses, let’s look at a couple of the more recent ones:

• In July 2008, the Repulik.A virus appeared, and it began infecting computers running Windows 9x, Windows NT, Windows ME, Windows 2000, Windows XP, Windows Server 2003, or Windows Vista. It infects files with the extensions .doc, .pps, .ppt, .rtf, and .xls (that is, Microsoft Office files) and renames the infected files as .vbs. This is the file extension for Visual Basic Script files, meaning that opening one of the infected files will execute the virus’s code. Repulik.A will also copy files to removable drives and rename these drives as “REPVBLIK,” modify MP3 files, and modify the registry.

• Another virus that can infect computers running Windows 9x, Windows NT, Windows ME, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista is the W32.Shoren virus. This virus first appeared in March 2009, and infection spreads through executable files that are infected with the virus. Once the virus has infected a file, it is rendered unusable because the virus has prepended itself to the file, thus corrupting the data.

Worm Examples

Some of the most infamous viruses that have infected computers on the Internet are actually worms. Using the Internet to move from one computer to another, worms have infected millions of machines and cost billions of dollars in damage to data, lost labor costs, and so on. To understand worms better, it’s worthwhile to look at some of the most infamous ones from previous years:

• The SQL Slammer worm in 2003 exploited a known buffer overflow in Microsoft’s SQL Server and Microsoft SQL Server Desktop Engine (MSDE). The worm, in its self-replicating attempts, caused infected machines to generate enormous amounts of traffic. Local networks and the Internet itself slowed down considerably, and thousands of machines and servers were infected.

• The Nimda and Code Red worms in 2001 attacked known vulnerabilities in Microsoft’s Internet Information Server (IIS) Web server. These two worms and their variants replicate themselves on the victim machines and begin scanning the network for additional vulnerable machines. Nimda and Code Red certainly set another precedent for the danger of worms, and they are not harmless. Nimda creates open network shares on infected computers, and it also creates a Guest account with Administrator privileges, thus allowing access to the system and opening it up to whatever a knowledgeable hacker wants to do to it. Code Red (and its variant, Code Red II, which also opened a backdoor for the attacker) defaces Web sites, degrades system performance, and causes instability by spawning multiple threads and using bandwidth.

• The Sasser worm in 2004 exploited a known buffer overflow in Microsoft’s Local Security Authority Subsystem Service (LSASS) through port 139, and caused infected machines to spontaneously reboot. It affected networks, including those of Delta Airlines, Goldman Sachs, and the British Coastguard.

• The Zotob worm in 2005 used a vulnerability in Microsoft Windows’s Plug-and-Play service to spread through networks. It was prominent in that it infected CNN computers and so was reported live on television. A year later, a Moroccan teenager was sentenced for its creation.

• Conficker (also known as Downadup) is a worm that first appeared in November 2008, and has infected upwards of 20 million computers including those used by the French Air Force, Royal Navy, and UK Ministry of Defence. The worm exploits a known vulnerability in computers running Windows 9x, Windows NT, Windows ME, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. It can do considerable damage to systems by turning off the automatic backup service, deleting restore points, and disabling security. It is so serious that Microsoft allocated $250,000 as a reward to those who would help the company find the source of the worm.

EXAM WARNING There are thousands of worms, viruses, and other malicious software that can infect your computer. Don’t spend significant time memorizing information about them, as in the exam there won’t be questions that target your knowledge about specific viruses and worms. The information provided here allows you to see what viruses, worms, and other malware can do to your system, and how they work.

Looking at these worms, it is easy to see that effective protection against many of them is the timely and prompt installation of patches released by software vendors, especially Microsoft because of its market presence. In the case of the Conficker worm, Microsoft had released a patch that would have protected many of the systems infected by the worm. Unfortunately, only those who downloaded and installed the patch were protected. It is also important to correctly configure firewalls to allow only necessary ports both inbound and outbound: Sasser replicated using Network Basic Input/Output System (NetBIOS) and SQL-Server ports, which should not be exposed outside the enterprise network.

Defending Against Viruses and Worms

Protection against viruses, worms, and other malicious code usually includes up-to-date antivirus software, a good user education program, and diligent application of the software patches provided by vendors. When network administrators or security professionals take the necessary steps to protect systems, many of the viruses and worms on the market are unable to infect or do significant damage to systems.

Antivirus software applications are designed to detect viruses, worms, and other malware on a computer system. These programs may monitor the system for suspicious activity that indicates the presence of malware, but more often will detect viruses using signature files. Signature files are files that contain information on known viruses, and these files are used by antivirus software to identify viruses on a system. The antivirus software will compare data in files on your system with a dictionary of viral code in the signature files, and use this comparison to identify the presence of a virus. If the signature of a virus (that is, viral code) is found in a file on your system, the antivirus software will then attempt to remove the virus. There are many ways it may attempt to do this, including cleaning the virus from the file (that is, removing the viral code), deleting the infected file, or quarantining the file so that it can’t be used. There are numerous vendors of antivirus software, including the following:

• AVG (www.avg.com)

• F-Prot Anti-Virus (www.f-prot.com)

• McAfee Anti-Virus (www.mcafee.com)

• Norton Anti-Virus (www.norton.com) or Symantec (www.symantec.com)

Vendors of antivirus software provide regular updates of signature files, ensuring their software can detect code from the latest viruses. Unfortunately, if a person doesn’t update the signature files, then their antivirus software can’t detect any viruses that came out after the software was initially released. Therefore, it is vital that the antivirus software is updated on a regular basis.
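To make the signature comparison and the remediation options concrete, here is an added Python example (written for this discussion, not taken from any antivirus product): it scans a directory against a constructed signature dictionary and then cleans, deletes, or quarantines each hit. The detection names, byte patterns, and file names are all constructed, and a pattern missing from the dictionary goes undetected, which is the point made above about keeping signature files current.

```python
"""Signature-based scanner with clean / delete / quarantine actions (constructed example)."""
import os
import shutil
import tempfile
from dataclasses import dataclass

# Constructed signature dictionary: detection name -> viral byte pattern.
# A vendor's signature file is the same idea at scale; any pattern that is
# not in the dictionary is invisible to the scanner, which is why updates matter.
SIGNATURES = {
    "Test.Appender": b"<<CONSTRUCTED-APPENDED-VIRAL-CODE>>",
    "Test.Prepender": b"<<CONSTRUCTED-PREPENDED-VIRAL-CODE>>",
}


@dataclass
class Detection:
    path: str
    name: str    # signature that matched
    offset: int  # where the viral code starts in the file
    action: str  # what the scanner did about it


def match_signatures(data, signatures=SIGNATURES):
    """Compare file contents against every known pattern; return [(name, offset)]."""
    hits = []
    for name, pattern in signatures.items():
        offset = data.find(pattern)
        if offset != -1:
            hits.append((name, offset))
    return hits


def clean_file(data, pattern, offset):
    """Cut the viral code out of the host file. Correct only when the signature
    covers the whole implant, as it does for these constructed samples; a real
    cleaner needs per-family logic to restore the host's original entry point."""
    return data[:offset] + data[offset + len(pattern):]


def scan_directory(root, action="quarantine", quarantine_dir=None, signatures=SIGNATURES):
    """Walk root, apply the chosen action to each infected file, return detections."""
    quarantine_dir = quarantine_dir or os.path.join(root, "quarantine")
    detections = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Never rescan files that have already been isolated.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != quarantine_dir]
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = match_signatures(data, signatures)
            if not hits:
                continue
            name, offset = hits[0]  # act on the first match only
            if action == "clean":
                with open(path, "wb") as fh:
                    fh.write(clean_file(data, signatures[name], offset))
            elif action == "delete":
                os.remove(path)
            else:  # quarantine: move out of reach and drop execute permission
                os.makedirs(quarantine_dir, exist_ok=True)
                safe_name = os.path.relpath(path, root).replace(os.sep, "_") + ".quarantined"
                dest = os.path.join(quarantine_dir, safe_name)
                shutil.move(path, dest)
                os.chmod(dest, 0o400)
            detections.append(Detection(path, name, offset, action))
    return detections


def demo(action="quarantine"):
    """Write three constructed files to a temp dir, scan them, and report the outcome."""
    root = tempfile.mkdtemp(prefix="sigscan-")
    host = b"MZ constructed host program bytes"
    samples = {
        "clean.bin": host,
        "appended.bin": host + SIGNATURES["Test.Appender"],    # parasitic-style append
        "prepended.bin": SIGNATURES["Test.Prepender"] + host,  # prepended, as W32.Shoren does
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    qdir = os.path.join(root, "quarantine")
    detections = scan_directory(root, action=action, quarantine_dir=qdir)
    remaining = sorted(f for f in os.listdir(root) if f != "quarantine")
    contents = {}
    for f in remaining:
        with open(os.path.join(root, f), "rb") as fh:
            contents[f] = fh.read()
    quarantined = sorted(os.listdir(qdir)) if os.path.isdir(qdir) else []
    for f in quarantined:  # restore write permission so the temp dir can be removed
        os.chmod(os.path.join(qdir, f), 0o600)
    shutil.rmtree(root)
    return {
        "detections": sorted((d.name, d.action) for d in detections),
        "remaining": remaining,
        "quarantined": quarantined,
        "hosts_intact": all(c == host for c in contents.values()),
    }
```

Running `demo("clean")` shows both infected hosts restored byte-for-byte, while `demo("quarantine")` leaves only the clean file in place and the two hits renamed and read-only in the quarantine folder.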

In some cases, a virus or worm may be so difficult to remove that besides running an antivirus software, you may also need to download special removal software or follow specific instructions that are available from the antivirus vendor’s site. When a virus has been detected, it is wise to review the details on the antivirus vendor’s site to determine whether additional actions are required.

User education is an important factor in preventing viruses from being executed and infecting a system. Because a virus is a program, it must be started before it can be loaded into the memory and begin doing the damage. Because the virus requires user interaction to load, it is important for users to be aware that they shouldn’t open attached files that have executable code (such as files with the extension .com, .exe, and .vbs). Users should also avoid opening attachments from people they don’t know. Of course, since viruses and other malware may exploit an e-mail program to forward the virus to everyone in an address book, infected files can be sent from people you know. Therefore, you should verify that the person did send you an attachment, especially in cases where an executable file has been sent.

Updating your system and applying the latest patches and updates are other important factors in protecting your system. In the established security community, when researchers discover a flaw or vulnerability, they report it to the software vendor, and the vendor then typically works on quickly developing a fix to the flaw. The vulnerability (without an exploit) is reported once a fix has been found and is available. Although there are exceptions to this rule, this is the standard operating procedure. However, if hackers discover the flaw, it is possible that an exploit is developed and disseminated through the hacking community before the vendor is aware of the flaw or a patch is developed. Such an exploit is called a zero-day attack, because there is no warning before the attack can take place. The best defenses against zero-day attacks are security devices that can detect attacks without the need for attack signatures.

Another important factor in protecting data is to prepare for the worst. You can prepare for an infection by a virus or worm by creating backups of legitimate original software and data files on a regular basis. These backups will help to restore your system, should that ever be necessary. For the individual user, using Write-Once media (compact disc-recordable [CD-R] or digital video disc-recordable [DVD-R]), and activating the write-protection notch on removable media like a USB disk or a floppy disk will help to protect against a virus on your backup copy. For networks, keeping a series of backups is vital in restoring data to the state it was in prior to being infected.

You can also help to prevent against infection by using only software that has been received from legitimate, secure sources. Always test software on a “test” machine (either not connected to your production network or using a virtual machine) prior to installing it on any other machines to help ensure that it is virus-free.

Notes from the Field

Anyone Want an Infection? For Some, the Answer is Yes!

In 2007, computer specialist Didier Stevens paid for a Google advertisement that offered to infect a person’s computer with a virus. The advertisement asked, “Is your PC virus-free? Get it infected here!” Surprisingly, over a period of six months, 409 people clicked on the advertisement. Clicking the advertisement took them to a Web site that thanked them for visiting and recorded their visit. Fortunately, no viruses or malware were installed on computers visiting the site, but it does show that some people will click anything, and even the most obvious signs of being infected by a virus may be ignored.

For more information, you can visit Didier Stevens’ blog at http://blog.didierstevens.com/2007/05/07/is-your-pc-virus-free-get-it-infected-here/.

Common File Types That Carry Viruses

There are a number of file types that are commonly used to disseminate viruses. As we’ve mentioned, file types that are susceptible to viruses can be attached to e-mails and sent out to other users in a person’s address book. These files can be compiled programs or contain code that is executed by the OS when the file is opened. Because virus writers target these types of files, it is wise to prevent users from opening certain file types. You can also configure mail servers to remove specific file types from e-mail. As it reaches the mail server, the susceptible file is removed from the e-mail so that the e-mail can be sent to the recipient without the attachment.

File types that are commonly used to distribute viruses include those with the following extensions:

• .bat: Batch files that run one or more commands automatically in sequence.

• .cmd: Also batch files that run one or more commands automatically in sequence.

• .com: Command files that are binary executables, similar to files with the extension .exe. For example, in Windows you’ll find many executable programs that use the .com extension. It is unrelated to the .com domain used on the Internet. Unfortunately, a file received with a name like www.microsoft.com can appear to be a Web site link but will actually execute as a program on the machine.

• .doc: Microsoft Word document files, which can contain macro viruses.

• .dll: Dynamic-link library files that contain programming code that may be used by one or more programs. The functions in these files are executable and can be invoked by commands in other programs or files.

• .exe: Executable binary files. These are programs that can be loaded into memory, provide various functions, and execute commands automatically or with user intervention.

• .htm or .html: Web pages (documents written in Hypertext Markup Language and opened in Web browsers).

• .js: Scripts written in the JavaScript language, containing programming code that can execute upon opening the file.

• .mdb: Microsoft Access database files, which can contain macro viruses.

• .scr: Screensavers, a file type commonly used in the dissemination of viruses.

• .reg: Extracts of Registry settings. Running these files can add or modify registry settings on your computer.

• .vbs: Scripts written in the Microsoft Visual Basic Scripting language, containing code that executes upon opening the file.

• .xls: Microsoft Excel spreadsheets, which can contain macro viruses.
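The following Python example (added here, not from the book or any mail product) applies the list above as a mail-gateway policy: it parses a message, drops every attachment whose effective extension is on the list, including a www.microsoft.com style name of the kind discussed under .com, and records what it removed in a hypothetical X-Attachment-Filter-Removed header. The addresses, file names and attachment bytes in the sample message are constructed.

```python
"""Mail-gateway attachment filter for the virus-carrying file types listed above."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The extensions the chapter lists as common virus carriers.
BLOCKED_EXTENSIONS = {
    ".bat", ".cmd", ".com", ".doc", ".dll", ".exe", ".htm", ".html",
    ".js", ".mdb", ".scr", ".reg", ".vbs", ".xls",
}


def attachment_extension(filename):
    """Return the effective (last) extension of a file name, lower-cased.

    Windows ignores trailing dots and spaces, so "setup.exe." still runs as an
    .exe, and a name such as "www.microsoft.com" is a .com executable, not a URL.
    A double extension like "Invoice.PDF.exe" is judged by its last part only.
    """
    name = filename.strip().lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def _strip(container, removed):
    """Remove blocked attachments from one multipart container, recursing into nested ones."""
    for part in list(container.iter_attachments()):
        if part.is_multipart():
            _strip(part, removed)
            continue
        filename = part.get_filename() or ""
        if attachment_extension(filename) in BLOCKED_EXTENSIONS:
            container.get_payload().remove(part)  # drop the part, keep the rest of the mail
            removed.append(filename)


def strip_blocked_attachments(raw):
    """Parse a raw message, drop blocked attachments, return (message, removed_names)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = []
    if msg.is_multipart():
        _strip(msg, removed)
    if removed:
        # Hypothetical header name so the recipient can see what the gateway stripped.
        msg["X-Attachment-Filter-Removed"] = ", ".join(removed)
    return msg, removed


def build_sample_message():
    """Constructed test mail: one benign attachment and two that the policy blocks."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached, plus the notes we discussed.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed spreadsheet bytes",
                       maintype="application", subtype="vnd.ms-excel",
                       filename="figures.xls")
    # Looks like a link to the reader, but is a .com executable to the OS.
    msg.add_attachment(b"MZ constructed program bytes",
                       maintype="application", subtype="octet-stream",
                       filename="www.microsoft.com")
    msg.add_attachment("Release notes for the quarter.", filename="notes.txt")
    return msg.as_bytes()
```

Only the .txt attachment survives the filter; the original body text is left untouched.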

TEST DAY TIP It’s important to know the file types that are most likely to contain a virus. Before taking the exam, review the listing of file types, and understand what these files do.

Trojan

A Trojan horse closely resembles a virus, but is actually in a category of its own. The Trojan horse is often referred to as the most elementary form of malicious code. A Trojan horse is used in the same manner as it was in Homer’s Iliad; it is a program in which malicious code is contained inside of what appears to be harmless data or programming. It is most often disguised as something fun, such as a game or other application. The malicious program is hidden, and when called to perform its functionality, can actually ruin your hard disk. One saving grace of a Trojan horse, if there is one, is that it does not propagate itself from one computer to another (self-replication is a characteristic of the worm).

A common way for you to become the victim of a Trojan horse is for someone to send you an e-mail with an attachment that purports to do something useful. To the naked eye, it will most likely not appear that anything has happened when the attachment is launched. The reality is that the Trojan has now been installed (or initialized) on your system. What makes this type of attack scary is the possibility that it may be a remote control program. After you have launched this attachment, anyone who uses the Trojan horse as a remote server can now connect to your computer. Hackers have tools to determine what systems are running remote control Trojans, which can include communication over chat networks, e-mails, or Web pages, to alert the hacker that a new system has been infected and is available. After the specially designed port scanner on the hacker’s end finds your system, all of your files are accessible to that hacker.

Although many people get Trojans from programs shared and downloaded from the Internet, viruses can be disseminated using devices that attach to your computer. In February 2008, the Motmex Trojan was found on digital picture frames shipped from China. These frames were sold by many large companies throughout North America, and allowed people to store their images on removable storage, which were then displayed on the frame’s screen. When a person attaches the frame to their computer using a USB cable and activates the Trojan, the computer then becomes infected. The Trojan was able to block many antivirus programs from detecting it, and it was unstoppable by Windows Firewall. However, because people generally don’t scan such removable storage devices with antivirus software, many people wouldn’t have realized their computer was compromised until after the Trojan had infected their computer.

TEST DAY TIP Remember the story of the Trojan horse to help you remember what a Trojan horse is in terms of computer security. A Trojan horse seems to be a legitimate program or file (such as a game, utility, or application) but it actually contains malicious code that will attack your system.

Spyware and Adware

Spyware and adware are two other types of programs that can be a nuisance or malicious software. Both of these may be used to gather information about your computer, or other information that you may not want to share with other parties. In some cases, they may be a platform for distributing other malicious software.

Spyware

As its name states, spyware is a type of program that is used to track user activities and spy on their machines. They have the capability to scan systems, gather personal information (with or without the user’s permission), and relay that information to other computers on the Internet. The information that is gathered may be used for a variety of purposes, including those with unethical or criminal intentions. Spyware has become such a pervasive problem that dozens of antispyware programs have been created. Most spyware programs do not have harmful payloads, and their danger lies in the instability and the consumption of computing resources they cause in the infected systems.

There are many types of spyware in terms of their purpose, their installation method, their collection methods, and so forth. Some spyware will hijack browser settings, changing your home page, or redirect your browser to sites you didn’t intend to visit. Some are used for outright criminal purposes, stealing passwords and credit card numbers and sending them to the spyware’s creator. Users may unknowingly download them from Web sites or willingly install the spyware believing it to be something else. But more often than not they are tricked into installing it, as it is covertly installed as part of another utility’s installation or installed through the exploitation of a vulnerability in the user’s browser. As for the method of collecting information, they can record and report on Web site browsing history, look for information stored in the file system of the computer, or even log keystrokes looking for passwords.

It is important to compare spyware with other malware. Spyware usually does not self-replicate, meaning that it needs to be installed on each computer it infects. Some spyware programs are well-behaved and even legal. Many spyware programs take the form of browser toolbars, and infected machines often have more than one spyware program installed. As they’re normally linked to browsing activity, they can flood the victim’s desktop with nonstop pop-up windows, many to pornographic sites.

Adware

Adware is software that displays advertising while the product is being used, allowing software developers to finance the distribution of their product as freeware (software you can use without paying for it). Legitimate products will display advertising in a section of the application, game, or utility. The developer makes money from the sale of advertisements, and the user gets to use the application for free. The advertising funds the software’s development, and allows users to “try before you buy.” If the user no longer wishes to see the advertisements, he or she can pay for the full version and register the program, or remove the program from the computer.

Despite its positive points, some adware programs can be risky to use. Some include features that gather information on browsing habits for marketing purposes. For example, a program might track the sites you’ve visited for marketing or other purposes, and send the information from your computer to an Internet location. In some cases, the pop-up advertisements you receive will be related to the types of sites you’ve visited. This can cause an added security risk, since you have no control over the advertisements being displayed, and don’t know if the Web pages used for the advertisements contain or can download something malicious.

Another problem is that adware can cause performance issues. These graphical advertisements may use up bandwidth, and multiple windows opening to show the advertisements can use up memory. Some of these programs may also try to download additional programs that aren’t required for the application to run, or try to hijack browser settings. For example, the application may attempt to download and install toolbars for your Web browser, or try to change the search engine or homepage in your Web browser. Because of these and other reasons that we’ll discuss next, adware has developed a bad reputation that’s synonymous with spyware.

The Difference between Spyware and Adware

In looking at adware and spyware, we can see that they are two distinctly different types of programs. Adware is a legitimate way for developers to make money from their programs. Although the advertisements may be a nuisance, it allows you to use the software for free and is generally harmless. Spyware, however, is an insidious security risk. Without a person knowing, their computer may be monitored and information may be sent to a third party. This could include personal information, credit card numbers, passwords, or other sensitive data that’s transmitted to an Internet location. While adware displays what someone wants to say, spyware monitors and shares what you do.

Adware and spyware are often confused with one another, mostly because of the overlap between them. Adware may incorporate some elements that track information, but this should only be with the user’s permission. Spyware will send information whether you like it or not. A problem is that while you may believe that you’re using a simple adware program, it may actually be bundled with other programs that run in the background, which may be spyware or malicious software.

Spyware Example

There are numerous examples of spyware that have caused significant problems for people, and can be extremely difficult to fully remove once they are installed. Some of these include CoolWebSearch, BargainBuddy, Zango (formerly 180 solutions), and Internet Optimizer. There are also versions that are commercially available, and can be purchased and used by anyone. For example, CYBERsitter (www.cybersitter.com) is a company that has provided Internet filtering software that parents can use to prevent their children from viewing unwanted content on the Internet. One of their products is a controversial spyware tool called Snoopstick, which is available at www.snoopstick.com.

Snoopstick is a suite of tools stored on a flash drive. By plugging it into the USB port of a computer, you can install a hidden program to monitor the computer, or install tools that allow you to do the following:

square Connect to a remote computer and monitor a person’s activities.

square View logs of a person’s activities, such as Web sites they’ve visited, instant messages, and e-mail a person has sent or received, view screenshots, and so on.

square Block the computer from viewing certain Web sites.

square Send commands to the remote computer, including having it shut down, restart, log off a person, and disabling a person’s Internet access.

square Deny the computer access to certain Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports (such as those used for File Transfer Protocol [FTP], Dynamic Host Configuration Protocol [DHCP], instant messaging, Simple Mail Transfer Protocol [SMTP], or those used by specific programs [such as Apple iTunes]).

As seen in Figure 1.1, Snoopstick provides a user-friendly Activity Viewer to connect to another computer, view its activity, and modify its settings. While this occurs, the person on the remote computer has no idea their activities are being monitored or that settings are possibly being reconfigured. Obviously, this can be a serious privacy and security issue in an organization. Although designed as a parental control tool for checking what a child is doing online, it has the potential for causing significant problems for a user who’s unaware he or she is being watched or having the settings of a computer modified.

FIGURE 1.1
Snoopstick Activity Viewer

Adware Example

An example of adware is Qualcomm’s e-mail program Eudora (www.eudora.com). Prior to version 7.1, Eudora was an adware program that allowed users to use a fully functional version without paying for it, so long as they didn’t mind viewing advertisements in the lower left-hand pane of the program. As seen in Figure 1.2, Eudora provided three ways to use its program:

FIGURE 1.2
Eudora Options

square Paid Mode A mode in which the person paid for a registration code that allowed them to use all of the program’s features and not see any advertisements.

square Sponsored Mode A mode which allowed people to use all of the program’s features without paying, but displayed random paid advertising in the advertisement window, along with sponsored links.

square Lite Mode A mode which allowed people to use it for free but provided only a limited set of features.

The graphics and links that appeared in Eudora’s advertisement window were pushed to computers at regular intervals from Qualcomm’s Internet advertisement servers. This allowed only those sponsors who paid to have their advertisements displayed on the computers of potential customers. After years of commercial success with Eudora, in 2006, Qualcomm announced that the e-mail program would become open source after their last commercial version, 7.1. As a result, it would no longer be pushing advertisements to computers running Eudora.

Defending Against Spyware and Adware

Preventing spyware and adware from being installed on a computer can be difficult, as a person will either give or be tricked into giving permission for the program to install on a machine. For example, a Web site may trick a user into clicking a link that pushes spyware onto the person’s computer, or a person may install a program they want, not realizing that it’s adware. People need to be careful about the programs they install on a machine, including the following:

square Read the end user license agreement (EULA), as a trustworthy freeware program that uses advertising to make money will specifically say it’s adware. If it says it is, and you don’t want adware, don’t install it.

square Avoid installing file-sharing software, as these are commonly used to disseminate adware/spyware.

square Install and/or use a pop-up blocker on your machine, such as the one available with Google Toolbar, MSN Toolbar, or the pop-up blocking feature available in Internet Explorer running on Windows XP SP2 or later. The pop-up blocker prevents browser windows from opening and displaying Web pages that display advertisements or may be used to push spyware to a computer.

square Be careful when using your Web browser and clicking on links. If you see a dialog box asking you to download and install an ActiveX control or another program, ensure that it’s something you want to install and that it’s from a reliable source. If you’re unsure, don’t install it.

square Use tools that scan for spyware and adware, and can remove any that are found on a machine.

Fortunately, there are a lot of programs available that provide protection against spyware and adware. Many of the antivirus vendors, including those we discussed earlier in this chapter, offer security suites that have the capability to detect and remove malicious software. There are also programs that are specifically designed to scan systems and remove spyware and adware, such as:

square Ad-Aware (www.lavasoft.com)

square Spyware Doctor (www.pctools.com/spyware-doctor)

square Spybot—Search and Destroy (www.safer-networking.org)

As is the case with antivirus programs, you must keep antispyware/antiadware programs up-to-date. Programs like Ad-Aware (seen in Figure 1.3) use signature or definition files, similar to those used by antivirus software, which we discussed earlier. The definitions in these files are compared to files on your system, and used to identify and remove any spyware or adware that is found.

Rootkits and Botnets

Botnets and rootkits are tools used to exploit vulnerabilities in OSes and other software. Rootkits are software that can be hidden on systems, and can provide elevated privileges to hackers. They are a collection of tools, which are used to gain high levels of access to computers (such as that of an administrator). Even though the rootkit is running on a machine, it may run as a series of processes that make function calls that filter its appearance on the machine, so that it won’t appear in Task Manager or other tools.

FIGURE 1.3
Ad-Aware Scanning a Computer and Finding a Potential Threat

Bots are a type of program that runs automatically, like robots performing specific tasks without the need for user intervention. For example, a type of bot was developed and used by Google to seek out Web pages and return information about each page for use in their search engine. Unfortunately, while bots can be used for legitimate reasons, they can also be used for malicious purposes. Bots can be installed on a computer without a user being aware of it, accepting commands from a remote user called a bot herder. The bot herder can send simultaneous commands to multiple machines that work together as a network of bots, called a botnet. Using these bots, the bot herder can make the computers perform various actions, such as sending out spam, or simultaneously sending e-mail to a single address or sending requests to a single Web site to cause that server to crash. This is called a denial of service (DoS) attack.

Rootkits

A rootkit is a type of malware that tries to conceal its presence from the OS and antivirus programs in a computer. Its name comes from the UNIX world, where hackers try to keep root-level (superuser) access to a computer long after they infect it. A rootkit can modify the basic blocks of an OS like the kernel or communication drivers, or replace commonly used system programs with rootkit versions. Security researchers have even demonstrated rootkits that install as a virtual machine manager, and then load the victim’s OS as a virtual machine. Such a rootkit would be virtually impossible to detect. Rootkits can make it easy for hackers to install remote control programs or software that can cause significant damage.

NOTE J. K. Rutkowski’s article titled “Execution path analysis: finding kernel based rootkits” provides detailed information on the detection of kernel rootkits. The article is available to view at www.phrack.com/issues.html?issue=59&id=10#article.
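The paragraph above notes that a rootkit filters its own processes out of what Task Manager or a process listing shows. One defensive technique for catching that is a cross-view comparison: ask the kernel about every possible process ID and compare the answer with the normal directory listing. The following Linux script is an added example (not from the book or the Phrack article) and assumes a standard /proc filesystem.

```python
"""Cross-view check for hidden processes on Linux (added example, not from the book).

A rootkit that hooks the calls a process lister relies on can omit its own
processes from that view. The kernel still knows they exist, so probing every
possible PID with kill(pid, 0) and comparing the two views exposes the gap.
"""
import os
from typing import Iterable, Optional, Set


def listed_tasks() -> Set[int]:
    """Every PID and thread ID the /proc listing admits to (the 'high-level' view)."""
    tasks: Set[int] = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        tasks.add(pid)
        try:
            # kill(2) accepts thread IDs too, so threads must be part of the
            # listed view or every multithreaded program would look 'hidden'.
            tasks.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listings
    return tasks


def probed_tasks(max_pid: int) -> Set[int]:
    """Every task ID the kernel confirms exists (the 'low-level' view)."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)  # signal 0 delivers nothing; it only checks existence
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, but is owned by another user
        alive.add(pid)
    return alive


def hidden_tasks(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """IDs present in the low-level view but absent from the high-level one."""
    return set(probed) - set(listed)


def pid_max() -> int:
    """Upper bound of the PID space on this system (4194304 on many modern kernels)."""
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def scan(passes: int = 2) -> Set[int]:
    """Repeat the comparison and keep only IDs hidden on every pass.

    Processes that start or exit while the probe loop is running show up as a
    one-off difference; intersecting several passes filters that noise out.
    """
    result: Optional[Set[int]] = None
    limit = pid_max()
    for _ in range(passes):
        found = hidden_tasks(listed_tasks(), probed_tasks(limit))
        result = found if result is None else result & found
    return result or set()


if __name__ == "__main__":
    suspects = scan()
    print("hidden task IDs:", sorted(suspects) if suspects else "none")
```

A non-empty result is a lead for investigation (an offline disk image or a trusted boot medium confirms it), not proof by itself, since a kernel-level rootkit can hook kill() as well.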

The most famous and widespread rootkit infestation happened in 2005, when Sony BMG Music Entertainment used a rootkit to implement copy protection in some of its music CDs. Even worse, other attackers could use the rootkit’s stealth features to hide their own viruses on infected computers. The rootkit was very hard to uninstall, and according to some researchers, it could have infected over 500,000 computers. Eventually, major antivirus vendors included removal tools for the rootkit, but it was a public relations nightmare for Sony.

Botnets

Botnets are one of the biggest and best hidden threats on the Internet. Often, a bot will be installed on a machine as a worm or Trojan horse, and run silently on a person’s machine. The person who controls the botnet is referred to as the bot herder, and he or she can send commands to the bots and receive data (such as passwords or access to other resources) from them. The reasons the bot herder does this can vary, ranging from using the bots to store files on other people’s machines, to instructing them to send simultaneous requests to a single site in a DoS attack, to sending out spam mail.

To illustrate how a bot may be used, consider a bot herder who wishes to send spam to large numbers of users. These e-mail messages may claim they’re from eBay or another popular site, and request the person to update their personal and credit card information. The bot herder sends out a Trojan horse that infects computers with the bot. These infected computers are now referred to as agents or zombies, and will automatically log on to a Web server or Internet Relay Chat (IRC) server, which is referred to as the Command and Control (C&C) server. The bot herder can now send messages to the bots through the C&C server, instructing each of the zombie machines to send out the spam.

The problem with identifying the person responsible is that the e-mail or other data leads back to a victim and not the bot herder. If you traced the e-mail back to its source, it would lead back to the zombie computer, and not the actual bot herder. In other words, if a bot on your computer had sent out the e-mail, it would appear that it came from you. To identify whether a bot was used, you can use antivirus software. Antivirus software like the products we discussed previously will search a system using up-to-date signature files. Scanning for Trojans on the machine may identify the existence of known bots that have infected the machine. Bots may be disseminated using Trojan horses, which are programs that provide a functional use (such as games), but when executed will also install the bot on a computer.

TEST DAY TIP Remember that botnets are a network of bots (robots) that can be used to take over a computer to send spam or do DoS attacks.

Logic bombs

A logic bomb is a type of malware that can be compared to a time bomb. It is designed to execute and do damage after a certain condition is met. This can be the passing of a certain date or time, or other actions like a command being sent or a specific user account being deleted. Often attackers will leave a logic bomb behind when they’ve entered a system to try to destroy any evidence that system administrators might find.

Logic bombs may exist on systems for long periods of time, without anyone being aware of their existence until they are triggered. For example, a disgruntled employee might program a logic bomb to trigger on the date of his or her retirement, or have it go off if he or she doesn’t send a specific command each month to delay its execution. Widely disseminated logic bombs may be distributed with worms or viruses, and those containing known elements can be detected by antivirus software.

A wide variety of logic bombs have appeared on people’s computers over the years. Well-known logic bombs include the Michelangelo virus, which was set to go off on March 6, the birthday of the famous Renaissance painter, and delete the data from hard disks; the DDoS attack Blaster attempted on http://windowsupdate.com; and Code Red’s attempted attack on the White House Web site. Although most logic bombs aren’t this well publicized, they can easily do similar or greater damage.

HARDWARE AND PERIPHERAL SECURITY RISKS

If someone is given the chance, there are many ways to threaten a network or computer. Having physical access to a computer or other device can enable an unauthorized or uneducated user to make changes to settings that can seriously impact its security and functionality. Conversely, a system administrator can configure hardware settings so that authentication is required, or disable features that could be used for malicious purposes.

Although making such changes to a computer is vital to ensuring a system is secure, it’s important to realize that there are more devices on a network than just computers. Technologies like USB have provided the means to plug a wide variety of devices into computers and have also led to advances in how data can be stored. Devices like cell phones have incorporated technology to provide similar functions to that of a computer, allowing them to communicate with other devices using Bluetooth or the Internet.

More and more, computers are moving away from devices that need to be installed inside the machine or screwed into a port. Peripherals are devices that are connected to a computer using cables or wireless technologies. When you think of peripherals, you probably think of printers, monitors, and keyboards. However, this category can also include various storage devices like removable drives, USB flash drives, memory cards, and other devices and media. In the forthcoming sections, we’ll discuss the various types of hardware and peripherals that are commonly found on a network, and see how these devices and media can affect an organization or network’s overall security.

BIOS

BIOS is an acronym for basic input/output system, and refers to a chip that resides on the motherboard of a computer. This chip contains instructions on how to start the computer and load the OS, and low-level instructions about how the system is to handle various hardware and peripherals. Information used by the BIOS is set and stored through the complementary metal oxide semiconductor (CMOS). The CMOS uses a battery on the motherboard to retain power, so that any settings used by the BIOS aren’t lost when the computer turns off. A user interface allows you to edit CMOS settings, so that you can configure the date, time, boot sequence, video settings, hard drive configuration, and security settings.

When a computer starts, the BIOS checks for the presence of certain types of hardware and whether it is working properly. For example, it will check for the presence of a video card, check the voltage of the power supply, and so on. If there is an issue, it will inform the user of the problem through a series of audible beeps. If not, it will check the amount of memory on your computer, identify and configure hardware on the computer, and identify the boot drive. It is at this point that the boot sector of the boot drive is used to start the OS.

How Can the BIOS Be a Security Risk?

Because of the importance of the BIOS, you can see that making changes to it can seriously affect how the computer starts, or whether it will start at all. The CMOS settings are the lowest level at which you can provide instructions to the computer or implement security settings like passwords. If someone were to modify settings or upgrade the BIOS incorrectly or maliciously, it could cause that computer to be unable to start. This would be a major issue in cases where the machine was a production server.

Passwords

A basic method of protecting a computer is by setting passwords that prevent unauthorized users from starting up the machine and/or changing the settings. The CMOS setup program allows you to configure the system, and can be accessed on many machines by pressing specific keys (such as the F10 or DEL key) when the computer is first turned on. When the setup software appears, there are generally options that allow you to set passwords. A power-on password can be set, requiring anyone who starts the computer to enter a password before the OS loads. This prohibits hackers from using password-cracking tools to gain entry through the OS. Another password may also be set to prevent unauthorized persons from accessing the setup software and making changes to the computer. Setting this password also prevents malicious users from configuring power-on and BIOS passwords, which would restrict valid users from starting the computer or making system changes.

A drawback to using power-on passwords is that the protection they offer can also be a danger in some situations. A person who’s authorized to use the computer but doesn’t have the password would be unable to start the system. One such situation could be a DoS attack, which would require restarting the server. If the person rebooting the server didn’t have the power-on password, the server would remain offline until the password could be found. Another example would be a user who has put a power-on password on a laptop, and delivered it to be repaired or upgraded. The hardware technician would be unable to properly complete the necessary tasks for upgrading or repairing without being able to start the machine and load the OS. Although power-on passwords can provide a great deal of security, they can also cause significant problems in organizations if the people who need the passwords don’t have them.

EXAM WARNING Once a person has physical access to a computer, the power-on password is the first line of defense in accessing any data on the machine. The power-on password is required before the OS loads, and is necessary to start up the computer.

Flashing the BIOS

Because the BIOS and CMOS incorporate software to control low-level settings and security, it follows that there are times when this software may need to be upgraded to a newer version. As with any software, the BIOS may have known bugs that can be fixed with updated software. Similarly, the CMOS may need updating to fix errors or changes, and allow you to modify settings related to new features or hardware. Since the software is stored in a chip on the motherboard, this requires using special software that erases information on the chip and replaces it with updated programming. This special program is called a flash utility, which is why upgrading the BIOS is called flashing.

Flashing the BIOS is generally done on rare occasions, because any mistakes could cause the computer to stop functioning. Some of the reasons why a BIOS is upgraded are to support newer hardware (such as larger hard disks or newer processors) or to fix certain bugs. For example, the most widespread instance of people flashing the BIOS of computers was in 1999 to fix the Y2K bug. Because the date on computers was two digits, it was feared that when the year switched from 1999 to 2000, computers would register this date change as being 1900. Fortunately, because people and organizations upgraded the BIOS on computers and updated programming, there were few cases in which this caused problems.

There are two main reasons why flashing the BIOS would fail. If there were a power failure during the upgrade, the BIOS would be corrupt. While flashing, if the wrong version of BIOS is used, the BIOS wouldn’t function properly afterwards. In other words, if you flashed the BIOS with software that was meant for a different computer, it would be filled with bad information. Because the computer wouldn’t start again after either of these situations, you wouldn’t be able to fix the machine. While flashing the BIOS is a relatively easy process, it is the potential catastrophic damage that keeps many from upgrading to later versions.

Because you are overwriting all of the information used by the BIOS, flashing it will subsequently erase any passwords that have been set. This means that even if you’ve set a power-on password or a CMOS settings password, these will no longer exist after the BIOS has been flashed. If an authorized technician is flashing the BIOS, this means he or she will need to reset the passwords. If an unauthorized person does it, they now have access to the computer.

EXAM WARNING The CMOS settings are the lowest level that you can configure settings on a computer. Any changes to these settings will affect the BIOS and can impact how it starts the computer.

Booting the Computer

The CMOS settings allow you to control the boot order of disks and disable certain hardware on the computer. Using these settings, you can control the order in which the computer will try to find an OS to load. It determines if the computer will first check the floppy disk, USB ports, or CD/DVD-ROM for an OS to boot from, or if it will boot from the hard disk. For example, let us say a computer was set to first check a floppy drive, then a compact disc read-only memory (CD-ROM) or DVD-ROM, USB ports, and finally the hard disk for the presence of an OS. If these devices are active, an unauthorized user with physical access to the machine could insert a floppy or CD/DVD into the drive, or a USB flash drive into a USB port. When the computer started, it would bypass the OS on the hard disk, and start the machine from the media he or she inserted into the computer. Now that the person has access, they can view any data stored on the machine, modify or delete files, or do other malicious activities.

To prevent users from booting the machine from a disk or USB flash drive, administrators will often set the computer to first (or only) boot from a hard disk, and/or disable drives and USB ports. Unauthorized users are thereby prevented from using the drives or port to start the machine. If IT staff need to modify the boot order or use one of these devices, they would then temporarily change the CMOS settings.

USB Devices

USB is an acronym for Universal Serial Bus, and is a standard technology that is used to allow devices to connect through a port on a computer. USB devices can be plugged into the computer and recognized by the OS, without the need to shut down the computer. Using USB, a wide variety of peripherals, such as mice, keyboards, external hard disks, flash drives, scanners, printers, and so on, can be installed on a machine by simply plugging them in.

With improvements in technology, gigabytes of storage capacity are now available on flash drives, memory cards, MP3 players, external hard disks, or other USB devices. This obviously creates a security risk for organizations. In the past, an organization would be concerned that a series of files might be copied to a floppy disk or CD, and then removed from the office, but today a user could potentially copy an entire hard disk of information and carry it home in their pocket or briefcase. Because of this, there is a justified fear of data being lost or stolen with these devices.

Organizations deal with the potential loss of data from USB devices in a number of ways. Some companies have strict policies that discourage users from transferring data from their computers. It is also common in secure environments for USB ports on computers to be disabled through CMOS settings, so that even if a flash drive were inserted into a USB port, the computer wouldn’t recognize it. However, by preventing user access to the technology, users are also limited from doing work at home or perhaps performing certain functions at work.

To ensure that data stored on USB devices is secure, it is wise to encrypt and/or password-protect the files stored on them. In doing so, if a USB flash drive or other device were lost or stolen, anyone with access to the device would need to decrypt the data or have a password to open any files on the device.

Another issue that should be considered with USB devices is possible infection from viruses, worms, and other malicious software. Because some USB devices can be used for storage, it follows that some of the files on them may be infected. To prevent the computer from being infected by a virus or other malware, the autoplay feature in Windows should be turned off. This is the feature that automatically starts any programs on media inserted into drives or USB ports. Turning off the autoplay feature can prevent an infected program from being executed as soon as Windows reads the disk or device. In addition to this, any USB storage devices should be scanned with up-to-date antivirus software before any files are opened.

TEST DAY TIP USB devices are common to computers, with USB flash drives replacing other media like floppy disks. Because they are a commonly used technology, you can expect to see questions that directly ask about USB or include them as part of a scenario.

Flash Memory Cards

Flash memory cards and sticks are popular for storing and transferring varying amounts of data. Memory cards have typically ranged from 8 to 512 MB, but new cards are capable of storing upwards of 8 GB of data. They are commonly used for storing photos in digital cameras (and transferring them to PCs) and for storing and transferring programs and data between handheld computers (pocket PCs and palm OS devices). Although called “memory,” unlike random access memory (RAM), flash media is nonvolatile storage; that means that the data is retained until it is deliberately erased or overwritten. PC Card (Personal Computer Memory Card International Association [PCMCIA]) flash memory cards are also available. Flash memory readers/writers are built into many handheld and some laptop/notebook computers, and external readers can be attached to PCs through a USB or serial port. Flash memory cards include the following:

■ Secure digital (SD) memory card

■ CompactFlash (CF) memory card

■ Memory stick (MS) memory card

■ Multimedia memory card (MMC)

■ xD-Picture card (xD)

■ SmartMedia (SM) memory card

USB Flash Drives

USB flash drives are small, portable storage devices that use a USB interface to connect to a computer. Like flash memory cards, they are removable and rewritable, and have become a common method of storing data. However, while flash memory cards require a reader to be installed, USB flash drives can be inserted into the USB ports found on most modern computers. The storage capacity of these drives ranges from 32 MB to 64 GB.

USB flash drives are constructed of a circuit board inside of a plastic or metal casing, with a USB male connector protruding from one end. The connector is then covered with a cap that slips over it, allowing the device to be carried in a pocket or on a key fob without worry of damage. When needed, the USB flash drive can then be inserted into the USB port on a computer, or into a USB hub that allows multiple devices to be connected to one machine.

USB flash drives often provide a switch that sets write protection on the device. With write protection set, the data on the device cannot be modified, which allows the device to be analyzed without altering its contents. This is similar to the write protection that could be used on floppy disks, making it impossible to modify or delete any existing data, or to add files to the device.
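The CMOS-level controls for USB ports discussed earlier, the Windows autoplay setting, and the write-protect switch just described all have operating-system counterparts that an administrator can apply to a fleet of Windows machines. The following PowerShell script is an added example, not part of this chapter or any vendor's tooling; it uses the documented Windows policy registry values (NoDriveTypeAutoRun and NoAutorun under the Explorer policy key, the Start value of the USBSTOR service, and StorageDevicePolicies\WriteProtect), and the function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the chapter: operating-system controls for removable
# media on Windows. The registry paths are Windows' documented policy locations;
# the function names are this example's own.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$StoragePolicy  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Policy keys may not exist yet on a fresh install, so create them on demand.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Disable-AutoRun {
    # NoDriveTypeAutoRun=0xFF turns AutoRun off for every drive type (each bit is a
    # drive type); NoAutorun=1 makes Explorer ignore the open= and shellexecute=
    # entries in autorun.inf even where AutoPlay still prompts the user.
    Set-PolicyDword -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF
    Set-PolicyDword -Path $ExplorerPolicy -Name 'NoAutorun' -Value 1
}

function Disable-UsbStorage {
    # The software counterpart of disabling USB in CMOS, but narrower: Start=4
    # (disabled) stops only the USB mass-storage class driver, so keyboards and
    # mice keep working. Start=3 (demand start) re-enables it.
    Set-PolicyDword -Path $UsbStorService -Name 'Start' -Value 4
}

function Enable-RemovableWriteProtect {
    # The software counterpart of a drive's write-protect switch: with
    # WriteProtect=1 Windows mounts removable storage read-only, so a drive can be
    # examined without altering its contents.
    Set-PolicyDword -Path $StoragePolicy -Name 'WriteProtect' -Value 1
}

function Get-RemovableMediaPolicy {
    # Audit view of the same values; a blank field means the value is unset and
    # Windows uses its default (AutoRun on, USBSTOR demand-start, writes allowed).
    $explorer = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    $usbstor  = Get-ItemProperty -Path $UsbStorService -ErrorAction SilentlyContinue
    $storage  = Get-ItemProperty -Path $StoragePolicy  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $explorer.NoDriveTypeAutoRun
        NoAutorun          = $explorer.NoAutorun
        UsbStorStart       = $usbstor.Start
        WriteProtect       = $storage.WriteProtect
    }
}

# Typical workstation profile: drives may be used, but nothing on them runs by itself.
Disable-AutoRun
Get-RemovableMediaPolicy
```

The Explorer policy values are read at logon, so Disable-AutoRun takes effect for the next user session, while the USBSTOR and WriteProtect values apply to the next device inserted. Across a domain the same values are normally pushed through Group Policy rather than by script, but the audit function is still useful for confirming that the policy actually landed on a given machine.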

Although USB flash drives offer limited options in terms of their hardware, a number of flash drives will come with software that can be used to provide additional features. Encryption may be used, protecting any data on the device from being accessed without first entering a password. Compression may also be used, allowing more data to be stored on the device. There are also a number of programs that are specifically designed to run from a USB flash drive rather than a hard disk. For example, Internet browsers may be used that will store any history and temporary files on the flash drive. This makes it more difficult to identify the browsing habits of a person.

iPod

iPod is the brand name of portable media players that was developed by Apple Inc. in 2001. iPods were originally designed to play audio files, with capability to play media files added in 2005. Variations of the iPod were introduced by Apple with different capabilities. For example, the full-sized iPod stores data on an internal hard disk, whereas iPod nano and iPod shuffle both use flash memory, which we’ll discuss later in this chapter. Although iPod is a device created by Apple, the term has come to apply in popular culture to any portable media player.

iPods store music and video by transferring the files from a computer. Audio and video files can be purchased from iTunes, or can be acquired illegally by downloading them from the Internet using P2P software or other Internet sites and applications, or sharing them between devices.

iPods can be used to store and transfer photos, video files, calendars, and other data. As such, they can be used as storage devices to store files. Using the Enable Disk Use option in iTunes activates this function, and allows you to transfer files to the iPod. Because any media files are stored in a hidden folder on the iPod, you will need to enable your computer to view hidden files to browse any files stored on the iPod.

iPods use a file system that depends on the computer used to format the iPod. When you plug an iPod into a computer, it will use the file system corresponding to the type of machine it’s connecting to. If it were formatted on Windows XP, it would use the FAT32 format, but if it were formatted on a machine running Macintosh OS X, it would be formatted to use the HFS Plus file system. The exception to this is the iPod shuffle, which only uses FAT32.

Damage and Defense

iPod Virus and Windows

There are some sources of viruses that don’t immediately spring to mind. When you think of iPods, you probably associate them with Apple computers, and might never think they could infect a computer running Windows with a virus. However, iPods are designed to work with Windows, and many owners will connect them to Windows machines so they can transfer video and music files between the device and their computer. Unfortunately, in 2006, people bought more than they bargained for with the purchase of a new iPod.

In 2006, Apple estimated that about 1% of the video iPods shipped between September 12 and October 18 were infected with the RavMonE worm. This worm opens a backdoor on Windows computers, allowing remote access to the machine. As soon as the iPod was plugged into a Windows machine, the autoplay feature would start programs that were designed for Windows and activate the worm. If the autoplay feature was disabled and the computer had up-to-date antivirus software, the antivirus program would detect and remove the worm before it could infect the computer.
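Because the RavMonE case turns on what autorun.inf tells Windows to launch, a useful triage step when an unfamiliar drive arrives is to read that file without letting Windows act on it. The PowerShell below is an added example, not code from the chapter: it parses the [autorun] section, lists the open=, shellexecute= and shell\...\command= entries that Windows would execute, and checks every removable volume on the host. The sample file contents and the file names in it are constructed placeholders, not real malware names.

```powershell
# Added example, not code from the chapter: report what an autorun.inf would run.
# Reading the file as text does not trigger AutoRun, which fires only through
# Explorer's device-arrival handling, so this is safe on a machine with AutoRun on.

function Get-AutorunCommands {
    param([string[]]$Lines)
    $inAutorun = $false
    $findings  = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # Blank lines and ';' comments carry no instructions.
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        # A section header switches us in or out of [autorun] (-eq is case-insensitive).
        if ($line -match '^\[(.+)\]$') {
            $inAutorun = ($Matches[1] -eq 'autorun')
            continue
        }
        if (-not $inAutorun) { continue }
        if ($line -match '^(?<key>[^=]+)=(?<value>.*)$') {
            $key   = $Matches['key'].Trim().ToLowerInvariant()
            $value = $Matches['value'].Trim()
            # Keys that name something to run; icon= and label= only affect presentation.
            $runsCode = ($key -eq 'open') -or ($key -eq 'shellexecute') -or
                        ($key -match '^shell\\[^\\]+\\command$')
            if ($runsCode) {
                $findings += [pscustomobject]@{ Key = $key; Command = $value }
            }
        }
    }
    return $findings
}

function Test-RemovableDrives {
    # Checks every removable volume that has a drive letter for an autorun.inf.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter -match '[A-Za-z]' } |
        ForEach-Object {
            $inf = "$($_.DriveLetter):\autorun.inf"
            if (Test-Path -LiteralPath $inf) {
                foreach ($hit in (Get-AutorunCommands -Lines (Get-Content -LiteralPath $inf))) {
                    [pscustomobject]@{ Drive = $_.DriveLetter; Key = $hit.Key; Command = $hit.Command }
                }
            }
        }
}

# Constructed sample of the kind of autorun.inf an infected drive carries; the file
# names are placeholders, not real malware names.
$sample = @'
[autorun]
; comment lines are ignored by Windows and by this parser
icon=icons\drive.ico
open=setup\example_payload.exe
shell\explore\command=example_payload.exe /quiet
'@ -split "`r?`n"

Get-AutorunCommands -Lines $sample | Format-Table -AutoSize
```

On the constructed sample the parser reports the open= entry and the shell\explore\command= entry and ignores the icon= line. Run Test-RemovableDrives on a host with AutoRun disabled (see the earlier hardening example) before any file on the drive is opened; a non-empty result is a reason to hand the drive to the antivirus scanner rather than to the user.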

Cell Phones

Cell phones, also known as wireless or mobile phones, are handheld devices that allow people to communicate over a network. Although cell phones were originally only used for voice communication, many mobile phones provide additional services that are comparable to features previously only seen on computers. These include e-mail, Internet browsing, personal digital assistant (PDA) functionality, digital camera, short message service (SMS) for text messaging, games, and the ability to watch video or listen to music.

As new features are added to cell phones, the risks associated with owning one also increase. Because they’re smaller and more portable than laptops or other computers, they are more at risk of being stolen or lost. Someone with access to an insecure device could then access e-mail or other sensitive data on the phone and use the features of the device for their own purposes. Because of this, it’s important that cell phones used by an organization have as much security as possible set up on the device. People using these devices should never leave them unattended (that is, on a desk or left in a car), and they should be carried in a holster or case that can be closed, making it more difficult to be stolen. If the cell phone supports a power-on password or has a key lock, which prevents the phone from being used unless a personal identification number (PIN) is entered, these features should be activated on the phone.

Because data can be stored on memory cards used by cell phones, and phone calls can be intercepted, encryption should be used when possible. Encryption prevents any calls made with the phone from being heard and text messages, passwords, and other data from being viewed by outside parties who may intercept the cell phone’s transmissions.

Organizations should also decide whether they want to limit or prohibit the use of cameras on cell phones. Using a camera on a cell phone, a person could take pictures of sensitive data displayed on a screen, or other classified information that may be displayed in plain sight. Because of this, companies who issue cell phones to employees may want to disable any feature that allows pictures or video to be taken.

Cell Phone Viruses

There was a time when cell phone viruses were nothing more than a hoax. After all, as we discussed earlier in this chapter, viruses needed to be attached to a file that when executed would infect the computer. Even as late as the early 2000s, it was virtually impossible to acquire a virus on your cell phone, because any software on the phone was installed at the factory or by a vendor. By the mid-2000s, however, many of the most basic cell phones had an OS with services to access Internet sites, download applications, games, and other files that could be installed on the phone, and could attach to a computer using a cable or wirelessly using Bluetooth technology. Whereas people used to be limited to using a computer to read e-mail or send instant messages, mobile phones became a common tool for text messages and e-mails. Because of these advances, viruses not only gained the capability to run on cell phones, but also could be easily disseminated to cell phone users.

The first virus targeting cell phones appeared in 2004. Cabir spread between cell phones that used the Symbian OS by transmitting itself using Bluetooth. Apart from displaying a message when the cell phone was turned on, the virus did little other than prove that cell phones could be infected. In 2005, the source code for Cabir was posted to the Internet, and other cell phone viruses have since appeared. These include the following:

■ Mabir A version of Cabir that could also spread through the multimedia messaging service (MMS).

■ Mosquito A Trojan horse spread through a version of the downloadable game of the same name. This virus sends messages to premium numbers, for which the cell phone user is charged.

■ Brador The first backdoor Trojan infecting mobile phones running Windows CE and Windows Mobile. It has the capability to reset the phone, delete files, and send data to a third party.

Bypassing Network Firewalls

A firewall is software and/or hardware that serve as a barrier between an internal network or computer and an external network, such as the Internet. Networks commonly incorporate firewalls into their security to prevent hackers or malicious software from accessing internal resources. Unfortunately, even in cases where cell phones are configured to get internal e-mail from a corporate mail server, they are always able to bypass network firewalls because they use technologies that are external to the network. For example, a user will enter a Web site address into their Web browser, and this request will go through the firewall before being passed to the Internet. In doing so, the firewall has rules set up that will allow or deny access. A cell phone user has no such restrictions, as he or she can browse the Internet using the services provided by the wireless phone company. In doing so, the cell phone can bypass the network firewall and any security set up on it.

Another issue with cell phones is that they can be used as modems. By connecting a cell phone to a computer, it can be used as a modem to connect to the Internet or a remote computer. Once connected, a person could then transfer files from the computer by e-mailing them as attachments or copying them to a remote computer or an Internet location.

Another method of transferring data is using Bluetooth technology. Bluetooth is a wireless protocol and service that allows Bluetooth-enabled devices to communicate and transfer data with one another. For example, you could use Bluetooth to copy a picture from your cell phone to a laptop computer, or vice versa. Unfortunately, Bluetooth is notoriously insecure. It has a discovery mode that allows devices to automatically detect and connect with other devices. Without authentication, a person could connect to a Bluetooth-enabled cellphone or other device and download data. Bluesnarfing is a term used for someone who leaves their laptop or another device in discovery mode, so that they can connect to any nearby Bluetooth device that’s unprotected.

Cell phones have become the common way of making voice calls, and are increasingly used for other services that were only available on computers. Because Blackberry devices and other mobile phones have become a necessity for some people and businesses to stay in contact, it is important that security policies and procedures remember to include cell phone technologies.

Removable Storage Devices

Removable storage, also referred to as removable media, is any device that can be attached to a system and used for storing data. Storage is referred to as removable because the disk itself is separate from the drive (the device that reads and writes to it). As we discussed previously, there are also devices that attach to a computer through a port, allowing data to be transferred between the machine and the storage device. Because they can be attached to and removed from the computer, using this kind of storage adds an element of risk that the media will be lost, damaged, or stolen. Removable storage includes devices like USB flash drives and memory cards (which we discussed earlier), but also includes devices that provide the capability to store data on such media as:

■ CD

■ DVD

■ Blu-Ray

■ Floppy disks

■ Magnetic tape

EXAM WARNING Removable media refers to media that can have a disk or other storage method removed from a drive or port. This isn’t the same as hard disks or other devices that can be removed from the computer. For example, removable disk racks and bays allow you to easily slide an Integrated Device Electronics (IDE) or small computer system interface (SCSI) hard disk drive (mounted in a carrier rack) in and out of a docking bay, which remains attached to the advanced technology attachment (ATA) or SCSI interface of a computer. Hard disk drives can also be inserted into external bays that are easily plugged into and removed from the USB port of a computer. The distinction is that in these cases you are removing the entire drive, not just the disk itself, whereas with true removable storage media, the drive stays attached to the computer and only the media—disk, tape, or card—is removed.

CD/DVD

CDs and DVDs are rigid disks a little less than 5 in. in diameter, made of hard plastic with a thin layer of coating. CDs and DVDs are called optical media because CD and DVD drives use a laser beam, along with an optoelectronic sensor, to write data and read the data that is “burned” into the coating material (a compound that changes from reflective to nonreflective when heated by the laser). The data is encoded in the form of incredibly tiny pits or bumps on the surface of the disc. CDs and DVDs work similarly, but the latter can store more data because the pits and tracks are smaller, because DVDs use a more efficient error-correction method (that uses less space), and because DVDs can have two layers of storage on each side instead of just one.

CD

The term CD originates from “compact disc” under which audio disks were marketed. Philips and Sony still hold the trademark to this name. There are several different types of CDs that have developed over the years, with the first being CD audio or compact disc digital audio (CDDA).

CD audio discs were the first CDs and were used to record audio. Little has changed in the physics of the CD since the origin of CD audio discs in 1980. This is due in part to the desire to maintain physical compatibility with an established base of installed units, and because the structure of CD media was both groundbreaking and nearly ideal for this function.

There are different variations of CDs available for data storage. These include the following:

■ CD-R This stands for CD-Recordable. This type of CD is a write once, read many (WORM) medium that allows you to record data to it once, so that you can later read the data. Once data is written to a CD-R, no additional data can be written to the CD.

■ CD-RW This stands for CD-Rewritable. This type of CD allows you to erase and write to the disc multiple times.

CD-ROM

CDs were used only for audio until 1985, when Philips and Sony introduced the CD-ROM standard. CD-ROM is an acronym for compact disc read-only memory, and it refers to any data CD. However, the term has grown to refer to the CD-ROM drive used to read this optical storage media. For example, when you buy software, the disc used to install the program is called an installation CD. These discs are capable of holding up to 700 MB of data, and they remain a common method of storing data.

DVD

Originally, DVD was an acronym for digital video disc and then later digital versatile disc. Today, it is generally agreed that DVD is not an acronym for anything. However, while these discs were originally meant to store video, they have become a common method of storing data. In fact, in addition to being capable of copying (ripping) or creating (burning) data on a DVD, DVD-ROM drives are also backwards compatible and able to copy and create CDs.

DVDs are an evolutionary growth of CDs with slight changes. Because development of the DVD followed the CD by 14 years, you can see that the CD was truly a revolutionary creation in its time. It is important to understand that both CDs and DVDs are electrooptical devices, as opposed to nearly all other computer peripherals, which are electromagnetic. There are no magnetic fields in the reading or recording of these discs; therefore, they are immune to magnetic fields of any strength, unlike hard drives.

Owing to this immunity to magnetic fields, CD and DVD media are unaffected by electromagnetic pulse (EMP) effects, X-rays, and other sources of electromagnetic radiation. The primary consideration with recordable CD media (and to a lesser extent, manufactured media) is energy transfer. It takes a significant amount of energy, which the writing laser transfers to the disc, to affect the media. Rewritable discs (which we’ll discuss later) require even more energy to erase or rewrite data.

This is in direct contrast to floppy discs and hard drives, both of which can be affected by electromagnetic devices such as magnetic resonance imaging (MRI) machines, some airport X-ray scanners, and other devices that create a strong magnetic field. CDs and DVDs are also immune to EMP from nuclear detonations.

It is important to understand that CD and DVD media are read with light, and recordable discs are written with heat. Using an infrared (IR) laser, data is transferred to a CD or DVD onto a small, focused area that places all of the laser energy onto the target for transfer. It should be noted that all CD and DVD media are sensitive to heat (that is, above 120°F/49°C), and recordable media are sensitive to IR, ultraviolet (UV), and other potential intense light sources. Some rewritable media are affected by erasable programmable read-only memory (EPROM) erasers, which use an intense UV light source.

Both CD and DVD media are organized as a single line of data in a spiral pattern. This spiral is over 3.7 miles (or 6 km) in length on a CD, and 7.8 miles (or 12.5 km) for a DVD. The starting point for the spiral is toward the center of the disc with the spiral extending outward. This means that the disc is read and written from the inside out, which is the opposite of how hard drives organize data.

With this spiral organization, there are no cylinders or tracks like those on a hard drive. The term track refers to a grouping of data for optical media. The information along the spiral is spaced linearly, thus following a predictable timing. This means that the spiral contains more information at the outer edge of the disc than at the beginning. It also means that if this information is to be read at a constant speed, the rotation of the disc must change between different points along the spiral.

Types of DVDs

Just as there are several types of CDs that may be used for various purposes, there are a wide variety of DVDs available. As mentioned previously, the storage capacity of a DVD is immense when compared with that of a CD, and can range from 4.5 GB on a single-layer, single-sided DVD to 17 GB on a dual layer, double-sided DVD. The various types of DVDs on the market include the following:

■ DVD-R This stands for DVD minus recordable. A DVD-R disc will hold up to 4.5 GB of data, and is a WORM medium. In other words, once it is written to, the data on the DVD cannot be modified.

■ DVD+R This stands for DVD plus recordable. A DVD+R disc will also hold up to 4.5 GB of data, and is similar to the DVD-R. Choosing between DVD-R and DVD+R discs should be guided by the intended use of the disc. There is some evidence that DVD-R discs are more compatible with consumer DVD recorders than DVD+R discs; however, there are consumer players that will only read DVD+R discs. DVD-R discs are often the best choice for compatibility if the disc being produced contains data files. Early DVD-ROM drives can generally read DVD-R discs but are incapable of reading DVD+R discs. DVD writers that only write DVD+R/RW discs will read DVD-R discs.

■ DVD-RW This stands for “DVD minus read write.” This, like CD-RW discs, allows an average of 1000 writes in each location on the disc before failing. A DVD-RW disc will hold up to 4.5 GB of data and is recordable.

■ DVD+R DL (dual layer) This is an extension of the DVD standard to allow for dual-layer recording. Previously the only dual-layer discs were those manufactured that way. This allows up to 8.5 GB of data to be written to a disc. Most current DVD drives support reading and writing DVD+R DL discs.

■ DVD+RW This stands for “DVD plus read write.” This, like CD-RW discs, allows an average of 1000 writes in each location on the disc before failing. A DVD+RW disc will hold up to 4.5 GB of data and is recordable.

■ DVD-RAM This is a relatively obsolete media format, which emphasized rewritable discs that could be written to more than 10,000 times. There were considerable interoperability issues with these discs and they never really caught on.

Blu-Ray

Blu-Ray is a high-density optical storage method that was designed for recording high-definition video. The name of this technology comes from the blue-violet laser that is used to read and write to the discs. A single-layer Blu-Ray disc can store up to 25 GB of data, whereas a dual-layer Blu-Ray disc can store up to 50 GB of data.

Although many people are familiar with the stand-alone Blu-Ray players to play movies, there are also Blu-Ray drives that allow users to record and play data on computers. In 2007, Pioneer announced the release of a Blu-Ray drive that can record data to Blu-Ray discs, as well as DVDs and CDs. In addition to this, Sony has also released their own rewritable drive for computers.

Floppy Disks

In the early days of personal computing, floppy disks were large (first 8 in., then later 5.25 in. in diameter), thin, and flexible. Today’s “floppies,” often and more accurately called disks, are smaller (3.5 in.), rigid, and less fragile. The disk inside the disk housing is plastic, coated with magnetic material. The drive into which you insert the disk contains a motor to rotate the disk so that the drive heads, made of tiny electromagnets, can read and write to different locations on the disk. Standard disks today hold 1.44 MB of data; SuperDisk technology (developed by Imation Corporation) provides for storing either 120 or 240 MB on disks of the same size.

Magnetic Tape

In the early days of computing, magnetic tapes were one of the few methods used to store data. Magnetic tapes consist of a thin plastic strip that has magnetic coating, on which data can be stored. Early systems throughout the 1950s to 1970s used 10.5 in. magnetic tape, whereas home computers in the early 1980s used audiocassette tapes for storing programs and data. Today, magnetic tape is still commonly used to back up data on network servers and individual computers.

Magnetic tape is a relatively inexpensive form of removable storage, especially for backing up data. It is less useful for data that needs to be accessed frequently because it is a sequential access media. You have to move back and forth through the tape to locate the particular data you want. In other words, to get from file 1 to file 20, you have to go through files 2 through 19. This is in contrast to direct access media like disks, in which the heads can be moved directly to the location of the data you want to access without progressing in sequence through all the other files.

Network-Attached Storage

Corporate networks commonly require users to store their data on shared, centralized storage. Users commonly access it through a mapped drive on their computer, which allows them to save files to a file server. The file server has one or more hard disks that users utilize to save or retrieve data. Because the data is centralized, network administrators can back up the data stored on the server easily. Users who don’t use this storage, and instead save their data on a local drive, generally don’t have the benefit of that data being backed up.

Although file servers have been a common component of networks, another storage system is becoming increasingly popular on networks. Network-attached storage (NAS) is a system that is connected to a network to provide centralized storage of data. Unlike a traditional file server, which can be used to run applications, databases, or provide other resources, NAS is only used for data storage. It is scaled down to only providing access to a file system in which data is stored, and management tools that are accessed remotely. It consists of a set of hard disks that can be configured as redundant array of independent disks (RAID) arrays, and supports authentication, encryption, permissions, and rights. To access the data, users connect using protocols like network file system (NFS) or server message block (SMB).
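To make the authentication, encryption, and permission controls named above concrete, the following PowerShell is an added example, not from the chapter and not any NAS vendor's tool, of publishing a centralized share on a Windows file server with Windows' own SMB cmdlets: authenticated group access only, NTFS permissions on the folder, SMB signing required, SMB3 encryption on the share, and access-based enumeration. The path D:\Shares\Projects and the groups CORP\FileAdmins and CORP\Staff are placeholders for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the chapter: a centralized share with the controls
# the text attributes to NAS. Path and group names are placeholders.

$SharePath  = 'D:\Shares\Projects'
$ShareName  = 'Projects'
$AdminGroup = 'CORP\FileAdmins'   # placeholder domain group
$UserGroup  = 'CORP\Staff'        # placeholder domain group

# Server-wide: refuse SMB1 (no signing or encryption support) and require signed
# sessions so traffic between client and server cannot be tampered with in transit.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force

# NTFS permissions on the folder itself. Share permissions alone are not enough,
# because the same folder can be reached by a local logon or another share.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
icacls $SharePath /inheritance:r /grant:r "${AdminGroup}:(OI)(CI)F" /grant:r "${UserGroup}:(OI)(CI)M" | Out-Null

# The share: no 'Everyone' entry, SMB3 encryption on the wire, and access-based
# enumeration so users only see the folders they are allowed to open.
New-SmbShare -Name $ShareName -Path $SharePath `
    -FullAccess $AdminGroup -ChangeAccess $UserGroup `
    -EncryptData $true -FolderEnumerationMode AccessBased | Out-Null

# Verify what was published and who can reach it.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData, FolderEnumerationMode
Get-SmbShareAccess -Name $ShareName
```

Requiring encryption on the share means clients that cannot negotiate SMB3 are refused rather than silently falling back to cleartext; that is the intended trade-off, so confirm the client base supports it before applying the setting to an existing share. The two verification commands at the end are what an auditor would run to check that no Everyone or anonymous entry has crept back in.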

SUMMARY OF EXAM OBJECTIVES

In this chapter, we discussed a number of technologies, tools, and risks associated with computer and network security. Code attacks are carefully crafted programs written by attackers and designed to do damage. Trojan horses, viruses, spyware, rootkits, and malware are all examples of this kind of attack. These programs are written to be independent and do not always require user intervention or for the attacker to be present for their damage to be done. By configuring your computer and using antivirus/antispyware utilities, you can protect your systems from known versions of malicious software.

In addition to discussing how data can be threatened, we also discussed methods of storing and transferring data. Today, there are more data storage devices and methods for getting devices to communicate with one another than ever before. In addition to more traditional technologies like floppy disks, CDs, and DVDs, there are USB devices that can store more data than early hard disks on PCs. Other devices like iPods and cell phones can also be used to store and transmit data. Each of these technologies brings increased benefits to users, and new challenges to security professionals.

EXAM OBJECTIVES FAST TRACK

Security Threats

square Malware is malicious software, carefully crafted programs written and designed by attackers to compromise security and/or do damage.

square Computer security is the process of protecting systems and data from unauthorized access, malicious users and software, and other threats that could result in the loss of integrity, damage, or loss of data and equipment.

square Privilege escalation occurs when a user acquires greater permissions and rights than he or she was intended to receive. This can occur as a result of bugs or backdoors in the software.

square Bugs are errors in software, causing the program to function in a manner that wasn’t intended.

square Backdoors are methods of accessing a system in a manner that bypasses normal authentication methods.

square Viruses are programs that automatically spread, usually when an innocent victim executes the virus’ payload, and generally causes damage. Viruses have a long history in computing, and take many different forms. Today’s antivirus software is effective in catching most viruses before they can spread or cause damage.

■ Worms are basically network viruses that spread without the user's knowledge and wreak havoc on computers and systems by consuming vast resources. Because they are self-replicating, a worm outbreak can reach hundreds of thousands of machines in a matter of days or hours.

■ Antivirus software is an application that is designed to detect viruses, worms, and other malware on a computer system. These programs may monitor the system for suspicious activity that indicates the presence of malware, or use signature files to detect and remove viruses from your system.

■ Signature files are files that contain information on known viruses, and are used by antivirus software to identify viruses on a system.

■ Trojan horses are different from viruses in that they require the user to run them. They usually come hidden, disguised as some kind of interesting program, or sometimes even as a patch for a virus or common computer problem. Installing back doors or deleting files are common behaviors for Trojan horses. Most antivirus software can catch and disable Trojan horses.

■ Rootkits are a collection of tools that are used to acquire elevated privileges on a computer, thereby allowing an attacker access to data or functions he or she wouldn't normally have. Rootkits try to hide their presence from the OS by modifying the kernel, drivers, or common applications. They are hard to detect and eliminate, and are used to plant other malicious software like backdoors or viruses.

■ Spyware is currently one of the most prevalent, although in theory less harmful, code attacks. Most spyware is more annoying than dangerous, but some has criminal intent, and most of it causes instability in affected systems.

■ Adware is software that displays advertising while the product is being used, and is used by software developers to finance the distribution of their product as freeware.

■ Bots (short for robots) are programs that run automatically, and can be used to receive commands from a remote computer operated by a bot herder. A network of bots is known as a botnet, and can be used for simultaneous attacks on sites, or to send spam from multiple machines.

■ Logic bombs are programs that are designed to execute and do damage after a certain condition is met, such as after a certain amount of time has passed, a specific date occurs, or other events or actions that activate malicious code.
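The two detection styles the summary mentions for antivirus software, matching against signature files and looking for suspicious content, can be shown with a small scanner. The code below is an added example written for this chapter, not code from the book or from any antivirus product. The signature database, the sample files and the markers inside them are all constructed for the demonstration; the "malware" is inert text. It also shows why signature files must be kept current (the answer to self-test question 8): a one-byte change to a sample defeats an exact-hash signature while a byte-pattern signature still catches it.

```python
"""Minimal signature-based scanner (added example; constructed data only)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass(frozen=True)
class Signature:
    """One entry from a (constructed) signature file."""
    name: str
    kind: str                 # "sha256": whole-file hash, "bytes": byte pattern
    value: Union[str, bytes]  # hex digest for "sha256", raw bytes for "bytes"


# Constructed sample payloads: inert strings standing in for infected files.
SAMPLE_TROJAN = b"MZ\x90\x00 constructed trojan sample used only in this example\n"
SAMPLE_WORM = b"#!/bin/sh\n# CONSTRUCTED-WORM-MARKER: inert text used as a pattern\n"
CLEAN_FILE = b"Quarterly figures, nothing suspicious here.\n"

# Constructed signature database in the two common styles.
SIGNATURES: List[Signature] = [
    Signature("Constructed.Trojan.A", "sha256",
              hashlib.sha256(SAMPLE_TROJAN).hexdigest()),
    Signature("Constructed.Worm.B", "bytes", b"CONSTRUCTED-WORM-MARKER"),
]


def scan_bytes(data: bytes, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Return the names of every signature that matches the given file content."""
    digest = hashlib.sha256(data).hexdigest()
    hits: List[str] = []
    for sig in signatures:
        if sig.kind == "sha256" and sig.value == digest:
            hits.append(sig.name)
        elif sig.kind == "bytes" and isinstance(sig.value, bytes) and sig.value in data:
            hits.append(sig.name)
    return hits


def scan_directory(root: str, signatures: List[Signature] = SIGNATURES) -> Dict[str, List[str]]:
    """Walk a directory tree; return {relative path: [signature names]} for infected files only."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                hits = scan_bytes(fh.read(), signatures)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


def demo() -> Dict[str, List[str]]:
    """Write the constructed samples to a temporary directory and scan it.

    setup_v2.exe is the trojan sample with one extra byte appended: the exact-hash
    signature no longer matches it, which is the gap a newer signature file would close.
    """
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "inbox"))
        samples = {
            "report.txt": CLEAN_FILE,
            "inbox/setup.exe": SAMPLE_TROJAN,
            "inbox/update.sh": SAMPLE_WORM,
            "inbox/setup_v2.exe": SAMPLE_TROJAN + b"\x00",  # variant missed by the hash signature
        }
        for rel, content in samples.items():
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(content)
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, names in demo().items():
        print(f"{path}: {', '.join(names)}")
```

Running the module reports the two samples that match and silently passes over both the clean file and the one-byte variant. Real antivirus engines add heuristics and behaviour monitoring on top of this, which is why the summary lists both approaches.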

Hardware and Peripheral Security Risks

■ BIOS is a chip on the motherboard of a computer, and contains instructions on how to start the computer and load the OS, and low-level instructions about how the system is to handle various hardware and peripherals.

■ Information used by the BIOS is set and stored through the CMOS. The CMOS uses a battery on the motherboard to retain power, so that any settings used by the BIOS aren't lost when the computer turns off.

■ A power-on password can be set in the CMOS settings, requiring anyone who starts the computer to enter a password before the OS loads. Another password may also be set to prevent unauthorized persons from accessing the setup software and making changes to the computer.

■ Flashing the BIOS is done to upgrade it to a newer version. It will overwrite all information, clearing any power-on passwords or CMOS settings.

■ USB is a standard technology that's used to allow devices to connect through a port on a computer, so that devices can be installed on a computer without having to shut down the machine. There are numerous USB devices available, including storage devices like flash drives.

■ USB flash drives are storage devices that can store any type of data, including photos, video, documents, and various other types of data. They come in a range of storage sizes (up to 64 GB) and can be used with almost any system that supports the USB version of the device.

■ iPod is the brand name of a line of portable media players developed by Apple, which can be used to store audio, video, and other files.

■ Flash memory cards and sticks are storage devices that are commonly used for storing photos in digital cameras (and transferring them to PCs) and for storing and transferring programs and data between handheld computers (pocket PCs and palm OS devices).

■ Cell phones, also known as wireless or mobile phones, are handheld devices that allow voice and data communication. Although older cell phones only provided voice communication, most modern phones provide features like e-mail, text messaging, gaming, Internet access, a digital camera, and other tools and services that were previously available only with a computer.

■ CD is an acronym for compact disc. A CD is a 5-in. optical disc that can contain up to 700 MB of data.

■ DVDs are 5-in. optical discs with the capacity to store 4.7 to 17 GB of data.

■ Blu-Ray is a high-density optical storage method that was designed for recording high-definition video. A single-layer Blu-Ray disc can store up to 25 GB of data, whereas a dual-layer Blu-Ray disc can store up to 50 GB of data.

■ Floppy disks have been a common method of storing data since the early days of personal computers. The 3.5-in. floppy disks are disks that are coated with a magnetic material and housed in plastic. They are capable of storing 1.44 MB of data.

■ Magnetic tapes consist of a thin plastic strip that has a magnetic coating, on which data can be stored. Tapes are commonly used to back up data on network servers and individual computers.

■ NAS (network attached storage) is a system that is connected to a network to provide centralized storage of data.

EXAM OBJECTIVES FREQUENTLY ASKED QUESTIONS

Q: If I don’t open file attachments from people I don’t know, will this prevent me from getting a virus?

A: It is always wise not to open file attachments from people you don’t know, but this won’t completely protect you from a virus. As we discussed in this chapter, a virus may send itself to everyone in an e-mail program’s address book, so it may appear that it’s coming from someone you know. It’s important not to open any documents you weren’t expecting, especially when they come from people you don’t know. If you do receive an e-mail attachment you weren’t expecting or that seems suspicious, don’t open it. If you know the sender, you can always contact that person to confirm if they have sent you a file attachment.

Q: My company has a firewall. Do I need to worry about worms?

A: Yes. Many users these days have laptop computers that are connected to a number of different networks. Each new network is a new vector for worm attack. Many companies stand to face outages caused by worms brought in on employee laptops. Also, some worms/viruses/Trojans are unwittingly downloaded from seemingly harmless Web sites. Firewalls need to inspect all allowed traffic to filter out attacks through normally safe protocols.

Q: Should I avoid opening common file types used by viruses, and completely block them with the firewall?

A: In configuring firewalls and educating users on how to handle different file extensions, common sense must be exercised. For example, if your boss e-mailed an internal memo in the form of a Microsoft Word document, it would probably be wise not to ignore it. Similarly, a bookkeeper may need to send regular spreadsheets to an external payroll company, or else no one would get paid. Business doesn’t stop simply because of the possibility of viruses. While you should never open an executable file that you weren’t expecting, such as those ending in .com, .exe, .scr, and so on, it is important to identify what business processes rely on transmitting certain file types over the network or Internet.
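The policy this answer describes, strip attachments whose names end in an executable extension but let business documents through, is easy to get wrong in small ways: an uppercase ".EXE", a double extension such as "invoice.pdf.scr", or trailing dots and spaces that Windows silently discards from a file name. The following is an added example of such a filter, written for this chapter rather than taken from the book or from any mail gateway product. The blocked list starts from the extensions the answer names (.com, .exe, .scr); the additional entries (.bat, .cmd, .pif) and the sample message are assumptions made for the demonstration.

```python
"""Attachment-stripping rule for a mail gateway (added example; constructed data)."""
from typing import Dict, List, Tuple

# Extensions named in the chapter's answer, plus a few further script/executable
# types added here as an assumption. .doc and .xlsx are deliberately absent:
# business documents must still flow, as the answer explains.
BLOCKED_EXTENSIONS = {"com", "exe", "scr", "bat", "cmd", "pif"}


def extension_chain(filename: str) -> List[str]:
    """Return every extension in the name, lower-cased: 'Invoice.doc.EXE' -> ['doc', 'exe']."""
    # Trailing dots and spaces are ignored by Windows when it opens a file,
    # so "notes.exe ." is really "notes.exe"; normalise the same way.
    parts = filename.strip().rstrip(". ").lower().split(".")
    return parts[1:]


def should_strip(filename: str) -> Tuple[bool, str]:
    """Decide whether an attachment is removed, with a reason for the gateway log.

    Only the *last* extension matters: that is the one the operating system
    uses to decide how to open the file, whatever earlier extensions suggest.
    """
    chain = extension_chain(filename)
    if not chain:
        return False, "no extension"
    last = chain[-1]
    if last in BLOCKED_EXTENSIONS:
        return True, f"executable extension .{last}"
    return False, f".{last} allowed by policy"


def filter_message(attachments: Dict[str, bytes]) -> Tuple[Dict[str, bytes], List[str]]:
    """Apply the rule to one message; return (attachments kept, log lines)."""
    kept: Dict[str, bytes] = {}
    log: List[str] = []
    for name, blob in attachments.items():
        strip, reason = should_strip(name)
        if strip:
            log.append(f"STRIPPED {name!r}: {reason}")
        else:
            kept[name] = blob
            log.append(f"KEPT {name!r}: {reason}")
    return kept, log


if __name__ == "__main__":
    # Constructed sample message: one memo, one spreadsheet, two disguised executables.
    sample = {
        "internal_memo.doc": b"...",
        "payroll_week12.xlsx": b"...",
        "Invoice.pdf.SCR": b"...",
        "photo.jpg.exe .": b"...",
    }
    kept, log = filter_message(sample)
    print("\n".join(log))
    print("delivered:", sorted(kept))
```

The message body is always delivered; only offending attachments are dropped, and each decision is logged so that a user who expected a legitimate file can be told why it never arrived.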

SELF TEST

1. You are analyzing the current security of your network and are concerned about the possibility that users will bypass authentication and gain greater permissions than they were given. What are the two major causes of privilege escalation? Choose all that apply.

A. Bugs in software

B. Spyware

C. Backdoors

D. BIOS

2. A user reports that his machine frequently crashes, and that he believes someone has accessed his e-mail account with his password. He has performed an antivirus scan on his computer and it is clean. What other likely culprit is behind the attack?

A. A worm

B. A Trojan horse

C. A Rootkit

D. A logic bomb

3. You open a Microsoft Word document and notice that other files you have open suddenly close. When you reopen these files, you find that the information in them has been modified. The same behavior doesn’t occur when other programs are used. What type of virus has probably infected your system?

A. Parasitic

B. Data file

C. Boot sector

D. A logic bomb

4. A programmer has recently been fired from the organization. On the programmer’s next birthday, your server suddenly locks up. Upon investigating, you find that there have been numerous Registry changes, and system files have been deleted by a service created by the dismissed programmer. What has affected your system?

A. Nothing. Programs often modify Registry settings.

B. Link

C. Boot sector

D. Logic bomb

5. You have installed a new program on your computer. The software doesn’t cost anything, but it does display intermittent advertisements for products in a corner of the screen. After installing, you notice that there is a sudden increase in received data across your Internet connection, although there is no real increase in data being sent. You’re not using your Web browser, e-mail software, or other Internet applications, so you’re concerned whether the new program is sending data over the Internet. Which of the following has most likely been installed?

A. Virus

B. Antivirus

C. Adware

D. Worm

6. What are good ways to protect against worms? (Select all that apply.)

A. User education programs

B. Correct firewall configuration

C. Timely software patches

D. Antivirus scans

7. You receive an e-mail warning you about a virus, stating that if a Windows XP computer contains the file mstsc.exe, you have been infected with the virus. As such, you should delete that file and a series of others. In searching the Internet, you find information that this is a normal Windows file. What type of virus is this?

A. Link

B. Companion

C. Data file

D. Hoax

8. A user has a laptop computer that normally isn't connected to the network. She complains that her computer has slowed down considerably, and certain programs on the machine no longer open. She ran her antivirus program, but it found nothing. You establish a remote connection to the computer so that you can view what's installed on the laptop, and see that she has antivirus software installed and running. When you map a drive letter to the laptop and run the antivirus software on your computer, you find several viruses have infected the laptop. Why are you able to find the viruses when she is not?

A. The antivirus software on her laptop hasn’t been updated with the latest signature files.

B. It is a hoax virus.

C. You are getting a false positive. The virus must be on your machine and not the laptop, because you can’t scan mapped drives with antivirus software.

D. She didn’t have antivirus software installed or running on her machine.

9. You are configuring a firewall to block certain file types from being attached to incoming e-mail. When the e-mail reaches the firewall, you want these files to be removed from the e-mail, so that only the message reaches the user on your network. Which of the following file extensions are associated with executables that are commonly targeted by viruses and should be removed? Choose all that apply.

A. .doc

B. .com

C. .exe

D. .reg

10. Your company’s Web server suddenly gets tens of thousands of simultaneous requests for a Web page. After the Web server crashes, you restart the server and then take a look at the log files. You see that some of the requests came from your own network. What kind of attack has most likely happened?

A. Rootkit

B. Botnet

C. Virus

D. Worm

11. You have purchased a used computer in an auction. When you power on the computer, you are asked for a password before the OS even loads. Since you don't have it, how will you clear the password so that you can start the computer and begin using it?

A. Clear the password in the CMOS settings

B. Flash the BIOS

C. Press F10 or DEL on the keyboard

D. There is nothing you can do if you don’t have the power-on password.

12. You have heard that upgrading the BIOS on a computer can help to fix any bugs and provide new features. You download a new BIOS version and begin the upgrade. Everything seems to go well, and you recycle the power on the computer. It doesn’t start but produces a blank screen. What most likely is the cause of the computer not starting?

A. The wrong BIOS version was installed.

B. There was a power outage during the upgrade.

C. The CMOS editor needs to be reconfigured.

D. You should never flash the BIOS as it will cause the computer to fail.

13. Your company has started issuing USB flash drives to employees. Employees now use the devices to copy data from their home computers, insert them into computers used by other businesses, and so on. Members of the sales team and others who deal with outside organizations need this removable storage, so they can obtain copies of specifications, orders, and so forth. In copying files from computers outside of your network, you’re concerned about viruses. Which of the following should you do to ensure that users can benefit from the functionality of their flash drives, while protecting the network from any viruses?

A. Turn off autoplay on Windows computers used by your company

B. Disable USB ports on any computers attached to your network

C. Set write-protection on the flash drive so that viruses can’t be written to the device

D. Create a policy that prohibits users from copying data outside of the organization to flash drives

14. You are planning to implement removable storage devices in your organization. Before doing so, your boss wants you to provide information on various types of removable media that users can use to read, write, and rewrite data to. Which of the following storage devices will you discuss?

A. Hard disks

B. CD-R

C. DVD-R

D. Flash memory card

15. You need to migrate 40 GB of data from a hard disk to removable media. You want to ensure that all of the data is stored on a single disc or media. Which of the following will you use?

A. Blu-Ray

B. DVD

C. CD

D. Disk

SELF TEST QUICK ANSWER KEY

1. A and C

2. C

3. B

4. D

5. C

6. B and C

7. D

8. A

9. B and C

10. B

11. A

12. A

13. A

14. D

15. A