A grouping of computer systems or resources (e.g., servers) that are connected in order to facilitate communications. Each individual unit on a network is referred to as a 'node'.
Types of Networks
Networks can be classified based on the type and abilities of the technology used to connect the nodes, the security level of the network and its reach. The various types of networks include:
Personal Area Network (PAN)
Typically used by an individual to connect disparate personal electronic devices (PDA, phone, laptop, etc.) into a restricted network, usually with a very limited physical reach. The network is generally used to transfer data between a single user's devices, though it may also be used to transmit data to an authorized external individual. Most users are not usually concerned with the security of their PAN.
Local Area Network (LAN)
Commonly used by organizations and home users to connect a small group of computers or resources for a defined group of private users, e.g., company employees or family members. Security is generally an issue with LANs, as the data stored on resources on these networks can have personal or commercial value.
Wi-Fi
Wi-Fi is a type of wireless network, typically covering a defined geographical area, that provides users with access to a LAN or the Internet. The users are generally public, though some Wi-Fi networks are intended for private use. Depending on whether the Wi-Fi network is intended for public or private use, security may or may not be an issue.
In addition, specific services such as Instant Messaging (IM) or Internet Relay Chat (IRC) also link their users into a network, which carries its own advantages and inherent risks.
Networks and Malware
The most common type of security issue involving networks is worms - specifically, the misuse of networks by a worm to reach and infect other resources on the network. In the same way that viruses exploit a computer system's normal processes to find and infect new files, a worm takes advantage of a network's functionality for its own purposes.
Almost every type of network has its own specific type of worm, which is designed to spread on that particular network. For example, an Internet-Worm spreads over the Internet and attacks its users, whereas an IRC-Worm spreads specifically on a network of users connected to an IRC channel.
Some worms are also able to spread on more than one type of network - for example, a worm that finds and infects new targets over the Internet may also be able to do so over a LAN, which makes it both an Internet-Worm and a Net-Worm.
A type of worm that propagates by copying itself to other computers connected to the infected computer by a network, most commonly a Local Area Network (LAN). A Net-Worm is also commonly referred to as a Network-Worm.
A net-worm typically travels from one computer to another using shares: a storage medium (such as a hard drive or directory) that can be accessed by everyone on the network, or by users with specific access rights.
To infect another machine, a net-worm typically looks for all available shared resources from a machine it has already infected. If it finds that the Windows directory of another computer is shared, it copies its files to the remote computer. In many cases corporate computers and servers have a few open shares, which aids a worm's ability to infect other users on a network.
To make these copies start on remote computers, a worm usually modifies the WIN.INI or SYSTEM.INI file. When the target computer is then restarted, it becomes infected. This approach, however, does not work on NT-based operating systems.
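The INI-based autostart described above can be audited from the defender's side. The following is an added example (not code from the original page): it parses a WIN.INI or SYSTEM.INI and flags autostart keys whose value deviates from an assumed clean baseline. The sample INI text and the baseline values are constructed for this example.

```python
"""Audit WIN.INI / SYSTEM.INI autostart keys for unexpected entries."""
from __future__ import annotations

# Autostart keys that a worm of this era edits: WIN.INI [windows] load= and
# run=, and SYSTEM.INI [boot] shell=. The baseline values are assumptions for
# this example (a clean Windows 9x install), not values taken from the page.
AUTOSTART_BASELINE = {
    ("windows", "load"): "",
    ("windows", "run"): "",
    ("boot", "shell"): "explorer.exe",
}


def parse_ini(text: str) -> dict[tuple[str, str], str]:
    """Minimal INI parser returning {(section, key): value}; names lower-cased."""
    entries: dict[tuple[str, str], str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries[(section, key.strip().lower())] = value.strip()
    return entries


def find_autostart_anomalies(text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) for autostart keys that differ from the
    baseline. A key absent from the file is treated as its baseline value."""
    entries = parse_ini(text)
    anomalies = []
    for (section, key), expected in AUTOSTART_BASELINE.items():
        value = entries.get((section, key), expected)
        if value.lower() != expected:
            anomalies.append((section, key, value))
    return anomalies


# Constructed samples: a WIN.INI whose run= line now launches an extra program,
# and a SYSTEM.INI whose shell= line has a second executable appended.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\extra.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe extra.exe\n[386Enh]\ndevice=*vshare\n"

if __name__ == "__main__":
    for name, sample in (("WIN.INI", SAMPLE_WIN_INI), ("SYSTEM.INI", SAMPLE_SYSTEM_INI)):
        print(name, find_autostart_anomalies(sample))
```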
Some network worms can copy themselves globally using the Internet. They use NetBIOS services on ports 137 and 139 to find vulnerable computers and to copy themselves there. These worms can also modify Windows INI files remotely. Only Windows 9x systems are affected by this type of worm.
A few network worms attempt to disable NT-based operating system security by patching specific Windows components. In this case they get full administration rights on an infected computer.
One network worm attempts to copy itself to shares that are protected with a password. The worm uses a vulnerability that allows it to brute-force the password and bypass share security.
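A worm hunting for targets on ports 137 and 139 shows up in network logs as one source reaching many distinct hosts on those ports in a short time. The following added example (not from the original page) flags that fan-out pattern over a constructed connection log; the log format, threshold and window are assumptions.

```python
"""Flag hosts fanning out to NetBIOS ports 137/139 within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

NETBIOS_PORTS = {137, 139}

# Constructed sample connection log: "timestamp src dst dport", one per line.
SAMPLE_LOG = """\
2003-01-01T10:00:01 10.0.0.5 10.0.0.7 139
2003-01-01T10:00:02 10.0.0.5 10.0.0.8 139
2003-01-01T10:00:02 10.0.0.5 10.0.0.9 137
2003-01-01T10:00:03 10.0.0.5 10.0.0.10 139
2003-01-01T10:00:04 10.0.0.5 10.0.0.11 139
2003-01-01T10:00:05 10.0.0.20 10.0.0.1 139
2003-01-01T10:00:06 10.0.0.20 10.0.0.1 139
2003-01-01T10:01:30 10.0.0.21 10.0.0.2 80
"""


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def netbios_fanout(text, threshold=4, window=timedelta(seconds=60)):
    """Return {src: distinct_destinations} for sources that contacted at
    least `threshold` distinct hosts on NetBIOS ports inside any `window`.
    Repeated connections to the same host (normal file sharing) do not count."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(parse_flows(text)):
        if port in NETBIOS_PORTS:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        for i, (start, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits


if __name__ == "__main__":
    print(netbios_fanout(SAMPLE_LOG))
```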
Disinfecting a Net-Worm Infection
Cleaning a network of a net-worm outbreak in many cases requires the administrators to take the entire network down and disinfect all infected computers one by one. As such, a net-worm infection on a major corporation's internal network - which may have thousands of users - can cause significant business, financial and resource disruptions.
A virus that independently searches for and infects new targets on a computer system, rather than installing itself into memory and infecting executable files launched by the user.
Non-memory resident Versus Memory-resident
For a virus writer, the choice of whether to make the virus memory-resident or not is related to the virus's need to produce copies in order to survive (see replication entry). Each option has its own advantages and disadvantages.
A virus that becomes memory-resident has a longer window of opportunity to infect new targets, as it is active as long as the system is still in use; the trade-off however is that the virus writer usually has less control over what files the virus infects.
A non-memory resident virus infects new files by using two separate routines:
- A finder routine, responsible for locating new targets
- A replication routine, which takes care of infecting the found targets
This approach usually allows a virus writer greater precision in what files the virus infects.
On the other hand, a non-memory resident virus is only able to propagate during the time its host program is active; it therefore has a limited time frame in which to locate and infect new targets. If an infected file is rarely or never executed, the virus may only replicate slowly, or not at all.