Cryptography Reference
run it to check it out, then you are already infected. As with the other types of
infection discussed above, use a virus scanner, but do not rely on it. The fact
of the matter is that, even when up to date, it may miss something, especially
if the infection is very new.
If you do get infected, then the best eradication is to back up the entire hard
disk and reinstall the OS and all applications from their original disks. This
might become necessary since a typical Trojan horse attack is to destroy the
file allocation table (FAT) on your hard disk. A FAT is the table that maintains a
map of the clusters on the hard disk (see Footnote 10.22 on page 398). Without
a FAT or with a damaged FAT, your computer will not operate properly.
An interesting example of the use of a Trojan horse comes from the OpenSSH
source (see Footnote 9.8 on page 338). It turns out that in 2002, only the second
day after the latest version of OpenSSH was released and ready for download
on the Internet, the developers made the somewhat startling discovery that the
original package had been exchanged for one with a Trojan horse embedded
in it. The checksum (see page 320) was found to have been altered. When
installed, the Trojan horse attempted to communicate with another Internet
computer to await commands. Fortunately, they caught it early.
Now we look at malicious code that has similarities to a virus, but some
differing characteristics that make it a favorite for a network attack.
Worms
A worm is (malicious or nonmalicious) code that replicates itself and is
self-propagating. Thus, a worm is independent, and designed to thrive in network
environments without human intervention. Unlike a virus, it needs no host
program. Rather, the computers themselves provide the hosts. The programs
running on individual computer hosts are called segments of the complete worm.
The OS in a given system is not needed to manage the worms since they seek
out resources for themselves, finding remote machines and spawning a remote
process on that machine. Thus, a worm program is a program that spans
machine boundaries as part of a distributed computation. Some worms have
a main segment that coordinates the activities of the other segments. Such
a worm is sometimes called an octopus. Worms that are contained within a
single computer are sometimes given the name host worms, and those that have
many segments on more than one machine are deemed to be network worms. A
host worm uses the network connections for the sole purpose of copying itself
to other machines, whereas the network worm uses the network connections for
communication between each of its segments. Those host worms that delete
themselves after launching a copy on another host, guaranteeing there is only
one version of the worm running on the network at any given time, are sometimes
called rabbits. It is the network worm that is most common and which will be
our focus.
In the 1970s before the Internet was a fact, the first two worms were sent
through ARPANET (see page 326), the predecessor of the Internet, as programs
called Creeper and Reaper. First there was Creeper, which used idle processor
CPU time in ARPANET to replicate itself on one system and move onto the