CISSP Exam Guide Notes: 8.13 Malicious Software

admin, 16 June 2023 08:59:45

Adhering to the usual rules of not opening an e-mail attachment or clicking on a link that comes from an unknown source is one of the best ways to combat malicious code.

Viruses

A virus is a small application, or string of code, that infects software. The main function of a virus is to reproduce and deliver its payload, and it requires a host application to do this.

A macro virus is a virus written in a macro language (the scripting languages embedded in applications such as office suites) and is therefore platform independent.

A stealth virus hides the modifications it has made to files or boot records.

A polymorphic virus produces varied but operational copies of itself.

A multipart virus (also called multipartite virus) has several components to it and can be distributed to different parts of the system.

A tunneling virus attempts to install itself “under” the antimalware program so that its activity is not intercepted.

Worms

Worms are different from viruses in that they can reproduce on their own without a host application, and are self-contained programs.

Rootkit

The rootkit is just a set of tools that is placed on the compromised system for future use.

Spyware and Adware

Spyware is a type of malware that is covertly installed on a target computer to gather sensitive information about a victim.

Adware is software that automatically generates (renders) advertisements.

Botnets

Bots are a type of malware and are being installed on thousands of computers even now as you’re reading this sentence.

When a hacker has a collection of these compromised systems, it is referred to as a botnet.

Logic Bombs

A logic bomb executes a program, or string of code, when a certain set of conditions is met.

Trojan Horses

A Trojan horse (oftentimes simply called a Trojan) is a program that is disguised as another program.

Remote access Trojans (RATs) are malicious programs that run on systems and allow intruders to access and use a system remotely.

Antimalware Software

Signature-based detection (also called fingerprint detection) is a reasonably effective way to detect conventional malware, but there is a delayed response time to new threats.

Heuristic detection analyzes the overall structure of the malicious code, evaluates the coded instructions and logic functions, and looks at the type of data within the virus or worm.

Reviewing information about a piece of code is called static analysis, while allowing a portion of the code to run in a virtual machine is called dynamic analysis.

Antimalware software that carries out behavior blocking actually allows the suspicious code to execute within the operating system unprotected and watches its interactions with the operating system, looking for suspicious activities.
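To make the trade-off between fingerprint detection and static heuristics concrete, here is an added example (not from the exam guide or the author of these notes): a toy scanner over constructed byte strings that pairs an exact-hash signature database with a weighted heuristic. The file names, the instruction-like tokens and the weights are all assumptions; the "new variant" differs from the known sample only in trailing bytes, which is enough to defeat the hash signature but not the heuristic.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample "files" (plain bytes, not real malware) to exercise the scanner.
SAMPLES: Dict[str, bytes] = {
    "known_sample.bin": b"MZ\x90\x00PAYLOAD:copy_self;write_boot_record;" + b"\x00" * 8,
    "new_variant.bin":  b"MZ\x90\x00PAYLOAD:copy_self;write_boot_record;" + b"\x01" * 8,
    "benign_tool.bin":  b"MZ\x90\x00hello world tool\x00",
}

# Signature database: exact hashes of samples already analysed (only the first one is "known").
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(SAMPLES["known_sample.bin"]).hexdigest(): "Test.Sample.A",
}

# Heuristic rules (assumed): instruction-like tokens and the weight each contributes.
HEURISTIC_RULES: List[Tuple[bytes, int]] = [
    (rb"copy_self", 40),          # self-replication behaviour
    (rb"write_boot_record", 50),  # boot-record modification
    (rb"hook_av", 30),            # tampering with the antimalware engine
]
HEURISTIC_THRESHOLD = 60  # score at or above which a file is flagged


def signature_scan(data: bytes) -> Optional[str]:
    """Fingerprint detection: exact SHA-256 match against the known-sample database."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def heuristic_scan(data: bytes) -> Tuple[int, List[str]]:
    """Static heuristic: score the code's structure instead of an exact fingerprint."""
    score, hits = 0, []
    for pattern, weight in HEURISTIC_RULES:
        if re.search(pattern, data):
            score += weight
            hits.append(pattern.decode())
    return score, hits


def scan(name: str) -> dict:
    """Run both detectors on one sample and report the combined verdict."""
    data = SAMPLES[name]
    sig = signature_scan(data)
    score, hits = heuristic_scan(data)
    return {"file": name, "signature": sig, "heuristic_score": score,
            "heuristic_hits": hits,
            "flagged": sig is not None or score >= HEURISTIC_THRESHOLD}


if __name__ == "__main__":
    for sample_name in SAMPLES:
        print(scan(sample_name))
```

The known sample is caught by both detectors, the new variant only by the heuristic, and the benign tool by neither, which is the delayed-response gap the text describes.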

Spam Detection

Detecting spam properly has become a science in itself. One technique used is called Bayesian filtering.

Antimalware Programs

A standard should cover the do’s and don’ts when it comes to malware, which are listed next:

  • Every workstation, server, and mobile device should have antimalware software installed.
  • An automated way of updating malware signatures should be deployed on each device.
  • Users should not be able to disable antimalware software.
  • A preplanned malware eradication process should be developed and a contact person designated in case of an infection.
  • All external disks (USB drives and so on) should be scanned automatically.
  • Backup files should be scanned.
  • Antimalware policies and procedures should be reviewed annually.
  • Antimalware software should provide boot malware protection.
  • Antimalware scanning should happen at a gateway and on each device.
  • Virus scans should be automated and scheduled. Do not rely on manual scans.
  • Critical systems should be physically protected so malicious software cannot be installed locally.


Originally published on the WeChat public account (debugeeker): CISSP Exam Guide Notes: 8.13 Malicious Software

Reprints should retain this link (CN-SEC Chinese site; thanks to the original author for their work): CISSP Exam Guide Notes: 8.13 Malicious Software https://cn-sec.com/archives/923203.html
