A type of network used for electronically creating, transmitting and storing text-based communications. The formal term for this network is "electronic mail" (e-mail).
Though the term "e-mail" technically refers to the system or network responsible for the communications, most people colloquially use the term to mean a message sent on the network.
An e-mail network involves an e-mail client (a program installed on a user's system) and e-mail servers, which handle the actual transmission of messages over the Internet as well as storage of the messages. There are a variety of e-mail clients available, each offering different features and capabilities.
These networks can use a variety of protocols to handle the transfer of messages between client and server. The most common protocols in use are POP3, IMAP and SMTP:
Post Office Protocol 3 (POP3)
This protocol is designed to delete e-mail messages from a server as soon as the client application downloads them (though some clients will allow the messages to be kept on the server for a time). This type of protocol allows a client program to 'pull' a message from a mail server.
Internet Message Access Protocol (IMAP)
IMAP is similar to POP3, but has more functions for storing and organizing e-mail messages on the server itself.
Simple Mail Transfer Protocol (SMTP)
The protocol most commonly used by e-mail servers to 'push' e-mails out to client applications.
Different e-mail networks may use different protocols; fortunately, networks using differing protocols are still able to transmit messages between each other.
A standalone program that distributes copies of itself through e-mail networks, usually in an infectious e-mail attachment. Often, these infected e-mails are sent to e-mail addresses that the worm harvests from files on an infected computer.
Email-Worms, also known as mass-mailer worms, are one of the most common types of worms today.
The Real-Life Effects of Email-Worms
Mass mailers became very widespread at the beginning of the 21st century, and were a significant cause of network and business disruption.
The first few e-mail worm outbreaks were caused by worms that propagated rapidly, sending millions of copies over networks worldwide. These pandemics essentially clogged up the network resources of affected companies until the infected computers could be taken offline and cleaned. The resulting disruptions in communications affected millions of users and reportedly led to millions of dollars in losses for affected businesses.
In addition to their disruptive effect on network integrity, many modern e-mail worms incorporate a malicious payload, which multiplies the effects of a worm infection. The payload varies, but most commonly involves:
• Installing other malware onto the infected computer
• Forwarding personal, confidential details from the machine to a remote server
In computer security, emulation involves running suspect code in a tightly controlled virtual environment (also known as a sandbox) for the purpose of analysis and identification.
When analyzing suspicious code, emulation may be necessary in order to observe the specific changes made to the virtual system, and evaluate any harmful consequences from the modifications.
Emulation is particularly useful when dealing with encrypted or obfuscated code, which may deter other forms of analysis.
The use of a cipher or algorithm to transform data, such as a program's code, into an unintelligible form.
There are many different ways to perform encryption, based on the algorithm or cipher used. Some examples of encryption algorithms include ROT13 and the Vigenere cipher.
Encryption usually requires a specific piece of information (a 'key') in order to transform the encrypted information back to a usable state when necessary. The simplest form of encryption uses a static, unchanging key; more sophisticated encryption may involve changes in the key itself as well as in the code to be transformed.
Virus writers use encryption to create encrypted viruses, which are harder for antivirus programs to detect. Once installed, the encrypted virus uses the key to decrypt its own code and execute it.
A programming routine that uses cryptographic principles to 'scramble' the malware code at certain intervals (usually at each new instance of infection). Encryption engines may also be known as mutation engines.
Encryption engines may be used to protect sensitive or confidential files from unwanted intrusion. In a malicious context, they may be used by malware authors as a way of protecting their malicious code and also to prevent security programs from detecting their programs.
At one time, coding an encryption routine into malware required a certain level of technical skill. Nowadays, encryption engines are freely available online as standalone 'modules' that malware authors can simply attach to their own programs. The attached engine then directs and performs the encryption of the malware.
The Evolution of Encryption Engines
Encryption typically involves 'transforming' a piece of code into an alternate, encrypted form. The code must subsequently be decrypted back to its original state in order to be executed.
The early, relatively simple encryption engines used a single decryption routine, or key, to revert encrypted code to its original state. These early keys were static, meaning they remained the same throughout all infections; virus scanners were therefore still able to detect malware encrypted by these engines simply by detecting the key.
More sophisticated engines later developed that scrambled both the malware code and the key at each new infection. This effectively prevented virus scanners from recognizing that two dissimilar-looking infections were actually two separate instances of the same virus.
This more sophisticated form of encryption, also known as polymorphism, made it significantly more difficult for virus scanners to detect encrypted malware, which in turn led to the development and widespread use of heuristic analysis.
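To make the Encryption entry and the static-key point above concrete, here is an added example (not from the original glossary) implementing the two ciphers the text names, ROT13 and the Vigenere cipher, and a small helper showing why a static key leaves something for a scanner to match: the same payload under the same key always produces the same encrypted form, whereas a key that changes per instance does not.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def rot13(text: str) -> str:
    """ROT13: a fixed Caesar shift of 13 places. Applying it twice restores the input,
    so the 'key' is a constant and offers no secrecy at all."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + 13) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenere cipher: each letter is shifted by the corresponding key letter, with the
    key repeating. Non-letters pass through unchanged and do not consume key positions,
    so decrypting with the same key returns the original text, case preserved."""
    key = key.upper()
    if not key.isalpha():
        raise ValueError("key must consist of letters only")
    out, k = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHABET.index(key[k % len(key)])
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        k += 1
    return "".join(out)

def distinct_ciphertexts(payload: str, keys) -> int:
    """Count how many different encrypted forms a fixed payload takes across the given
    keys. A static (repeated) key yields 1: every instance carries identical encrypted
    bytes, which a scanner can match directly. Varying keys yield as many forms as keys."""
    return len({vigenere(payload, k) for k in keys})
```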
A legally binding agreement between a program's user and the program vendor, stating the terms under which the user is authorized to use the program and usually limiting the vendor's liabilities.
Most programs display the End User License Agreement (EULA) in electronic form during the installation process and users must agree to the EULA before installation can be completed.
EULAs can be a controversial issue if they are worded in such a way as to be ambiguous, or if they attempt to give the vendor more rights than is legally permissible.
In addition, EULAs are often so long, technically challenging and intimidating that many users do not read them completely before accepting them, potentially placing the user in an untenable position if they later face problems with the program or the vendor.
Techniques used by virus writers to prevent virus scanners from detecting the entry point of malicious code.
An entry point is the instruction specifying the beginning of a program's code, which the system uses to locate the correct starting point each time the program is executed. In this case, the program in question is the malicious code inserted by a virus into a host file.
Entry Point Obscuration & Viruses
Entry Point Obscuration (EPO) techniques are typically used by sophisticated viruses to hide their presence and gain control of the operating system.
Before EPO techniques were used, viruses would simply insert their malicious code at the beginning or end of a host file, hence they are known as prepending or appending file viruses. They would also make changes to the file's header to allow the code to be executed automatically when the host file is launched.
However, these simple viruses soon became easy for security programs to detect, especially as the header changes were easily spotted and the inserted malicious code often prevented the host file from functioning properly.
Instead, more sophisticated file viruses were developed that subtly modified the host program's entry point so that it pointed to the beginning of the viral code, which could be located almost anywhere in the file. The changed entry point forced the system to execute the viral code first whenever the user launched the host program; once the viral code has completely executed, most viruses then pass control back to the host program, allowing it to launch normally.
Alternatively, they might even include the jump instruction in the middle of the host file's own code, so that the operating system partially executes the host file before being forced to jump to the viral code. Again, once the viral code is run, the virus may return control to the host file and allow it to complete execution.
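A defender's counterpart to the entry-point manipulation described above is to check where a PE file's entry point actually lands. The following added example (not code from the original glossary) parses the Windows PE headers directly, reports which section contains AddressOfEntryPoint, and applies a hypothetical heuristic that flags an entry point outside any section or outside a conventional code section; build_sample_pe constructs a minimal, non-runnable PE header set purely so the parser can be exercised offline:

```python
import struct

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER

def entry_point_section(data: bytes):
    """Locate the section that contains the PE entry point.
    Returns (section_name, index, section_count); name is None and index -1
    when the entry point RVA falls outside every section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                               # first section header
    for i in range(num_sections):
        hdr = table + i * SECTION_HDR
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, hdr + 8)  # VirtualSize, VirtualAddress
        if vaddr <= entry_rva < vaddr + vsize:
            return name, i, num_sections
    return None, -1, num_sections

def entry_point_suspicious(data: bytes) -> bool:
    """Hypothetical heuristic: an entry point outside every section, or inside a section
    that is not a conventional code section, deserves a closer look."""
    name, _idx, _count = entry_point_section(data)
    return name is None or name.lower() not in (".text", "code")

def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed minimal PE32 header set (two sections, no real code) used only to
    exercise the parser offline; it is not a runnable program."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt_size = 96                                # PE32 optional header, no data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    sections = b""
    for name, vaddr in ((b".text", 0x1000), (b".data", 0x2000)):
        sections += name.ljust(8, b"\0") + struct.pack("<IIII", 0x1000, vaddr, 0x200, 0) + b"\0" * 16
    return dos + b"PE\0\0" + coff + bytes(opt) + sections
```

Real binaries can legitimately place their entry point in a section with an unusual name (packers and some compilers do), so treat the heuristic as a triage signal rather than a verdict.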
A program that contains binary code, with instructions that an operating system is able to 'read' and execute.
For most laymen, an executable file is what they launch when they start almost any application on a modern computer, such as a word processor or game. This is in contrast to data files, which contain only non-executable data.
In Microsoft Windows operating systems, such files are usually identified with the extension .EXE, which is why the file may be referred to as an EXE file.
An object - a program, a section of code, even a string of characters - that takes advantage of a vulnerability in a program or operating system to perform various actions.
An exploit is almost always used in a malicious context. If successfully used, exploits can provide an attacker with a wide range of possible actions, from viewing data on a restricted-user database to almost complete control of a compromised system.