Creation and distribution of computer viruses and malware. Computer viruses, their properties and classification.

A) boot viruses;

B) network viruses;

C) macro viruses;

D) file-boot viruses.

24. The creation of computer viruses is:

A) the consequence of operating system failures;

B) entertainment for programmers;

C) a side effect of software development;

D) a crime;

E) a necessary component of the training of programmers.

25. Illegal access to computers and information is:

A) programming;

B) intellectual activity;

C) computer piracy;

D) the creation of a computer virus.

26. The main condition for protection against computer viruses is:

A) installation of the Windows operating system on the computer;

B) lack of Internet;

C) lack of a scanner;

D) installing an anti-virus program on the computer.

27. An anti-virus program is:

A) Internet Explorer;

B) Microsoft Publisher;

D) Kaspersky AntiVirus.

28. An antivirus is a special program:

A) for creating new programs;

B) for editing the code of computer viruses;

C) for detecting, destroying and protecting against computer viruses;

D) for creating and distributing computer viruses.

29. The set of computers interconnected through data transmission channels providing the user with means of information exchange and collective use of network resources is called:

A) regional computer network;

B) a computer network;

C) corporate computer network;

D) a global computer network.

30. The main characteristic of information transmission channels is:

A) the material from which the cable is made;

B) the distance between computers;

C) bandwidth;

D) the room in which the PCs are located.

31. A personal computer connected to a network on which the user performs his work is called:

A) a workstation;

B) an automated workstation (AWP);

C) network server;

D) a switching unit.

32. A personal computer connected to a network and providing certain information services to network users is called:

A) a workstation;

B) a network server;

C) a switching node;

D) an automated workstation (AWP).

33. A network that exists within a single city, district or region and is part of local and global computer networks is called:

A) the global network;

C) a local network.

34. A network covering a small area with a distance between individual computers up to 2 kilometers is called:

A) the global network;

B) regional or corporate network;

C) a local network.

35. The topology of a network that uses a central machine to which all other machines on the network are connected is called:

A) annular or "ring";

B) stellar or "star";

C) linear bus.

36. The network topology in which the last workstation is connected by communication channels with the first workstation is called:

A) annular or "ring";

B) stellar or "star";

C) linear bus.

37. A high-bandwidth communication channel is called:

A) fiber optic cable;

B) twisted pair;

C) coaxial cable.

38. The communication channel whose disadvantage is the difficulty of protecting data from illegal access is:

A) fiber optic cable;

B) infrared rays;

C) microwave range.

39. The communication channel in which the radio signal is used is called:

A) fiber optic cable;

B) infrared rays;

C) radio channel.

40. The unit of measurement of the communication channel throughput is:

A) bit/s;

B) Kbps;

D) Mbps.


Appendix A

MINISTRY OF TRANSPORT OF THE RUSSIAN FEDERATION
FEDERAL RAILWAY AGENCY
BRANCH OF THE FEDERAL STATE BUDGET EDUCATIONAL INSTITUTION OF HIGHER EDUCATION
SAMARA STATE UNIVERSITY OF RAILWAY TRANSPORT
in the city of Saratov

Computer viruses

A computer virus is a small program, written by a highly qualified programmer, that is capable of self-propagation and of performing various destructive actions. To date, over 50 thousand computer viruses are known.

There are many different versions regarding the date of birth of the first computer virus. However, most experts agree that computer viruses as such first appeared in 1986, although historically the emergence of viruses is closely related to the idea of creating self-replicating programs. One of the "pioneers" among computer viruses is the "Brain" virus, created by a Pakistani programmer named Alvi. In the United States alone, this virus infected over 18,000 computers.

Viruses act only programmatically. They usually attach themselves to a file or penetrate the body of the file. In this case the file is said to be infected with the virus. The virus gets into the computer only together with the infected file. To activate the virus, the infected file must be loaded (run), and only after that does the virus begin to act on its own.

Some viruses, during the execution of an infected file, become resident (remain in the computer's RAM) and can infect other files and programs that are loaded subsequently.

Another type of virus can cause serious damage immediately after activation, for example formatting the hard disk. The effect of viruses can manifest itself in different ways: from various visual effects that interfere with work to complete loss of information.

The main sources of viruses:

    a floppy disk containing virus-infected files;

    computer network, including e-mail and Internet;

    a hard drive that got a virus as a result of working with infected programs;

    a virus left in RAM after the previous user.

The main early signs of a computer virus infection:

    reducing the amount of free RAM;

    slowing down the loading and operation of the computer;

    incomprehensible (for no reason) changes in files, as well as changes in the size and date of the last modification of files;

    errors when loading the operating system;

    inability to save files in the required directories;

    incomprehensible system messages, musical and visual effects, etc.

Signs of the active phase of the virus:

    disappearance of files;

    formatting the hard drive;

    inability to load files or operating system.

There are many different viruses. They can be conditionally classified as follows:

1) boot viruses (BOOT viruses) infect the boot sectors of disks. They are very dangerous and can lead to the complete loss of all information stored on the disk;

2) file viruses infect files. They are divided into:

    viruses that infect programs (files with the .EXE and .COM extensions);

    macro viruses, which infect data files such as Word documents or Excel workbooks;

    satellite viruses, which use the names of other files;

    DIR viruses, which distort system information about file structures;

3) boot-file viruses are capable of infecting both boot sector code and file code;

4) invisible viruses (STEALTH viruses) falsify information read from the disk so that the program for which the information was intended receives incorrect data. This technique, sometimes called stealth technology, can be used in both BOOT viruses and file viruses;

5) retroviruses infect antivirus software, trying to destroy or disable it;

6) worm viruses supply small e-mail messages with a so-called header, which is essentially the Web address of the location of the virus itself. When an attempt is made to read such a message, the virus begins to read its "body" over the global Internet and, after downloading, begins its destructive action. They are very dangerous because they are very difficult to detect: the infected file does not actually contain the virus code.

If you do not take measures to protect against computer viruses, the consequences of infection can be very serious. In a number of countries, criminal legislation provides for liability for computer crimes, including the introduction of viruses. General and software tools are used to protect information from viruses.

General tools that help prevent virus infection and its devastating effects include:

    information backup (making copies of files and system areas of hard drives);

    refusal to use random and unknown programs. Most often, viruses spread along with computer programs;

    restricting access to information, in particular, physical protection of a floppy disk while copying files from it.

Various antivirus programs (antiviruses) are referred to as protection software.

An antivirus is a program that detects and neutralizes computer viruses. It should be noted that viruses are ahead of anti-virus programs in their development; therefore, even with regular use of anti-viruses, there is no 100% security guarantee. Antivirus programs can detect and destroy only known viruses; when a new computer virus appears, there is no protection against it until its own antivirus is developed. However, many modern anti-virus packages include a special software module called a heuristic analyzer, which is able to examine the contents of files for the presence of code characteristic of computer viruses. This makes it possible to identify a new virus in time and warn of the danger of infection.

The following types of antivirus programs are distinguished:

1) detector programs: designed to find files infected by one of the known viruses. Some detector programs can also disinfect files or destroy infected files. There are specialized detectors, designed to deal with one virus, and polyphages, which can fight many viruses;

2) healer programs: designed to disinfect infected drives and programs. Disinfecting a program consists in removing the virus body from the infected program. They can also be either polyphages or specialized;

3) auditor programs: designed to detect virus infection of files and to find damaged files. These programs remember data about the state of programs and system areas of disks in the normal state (before infection) and compare these data while the computer is running. In case of a mismatch, a message about a possible infection is displayed;

4) healer-auditors: designed to detect changes in files and system areas of disks and, in case of changes, return them to their original state;

5) filter programs: designed to intercept calls to the operating system that viruses use for propagation and to inform the user about them. The user can allow or prohibit the corresponding operation. Such programs are resident, that is, they are located in the computer's RAM;

6) vaccine programs: used to process files and boot sectors in order to prevent infection by known viruses (this method has been used more and more recently).

It should be noted that choosing a single "best" antivirus is a serious mistake. It is recommended to use several different anti-virus packages at the same time. When choosing an anti-virus program, pay attention to the number of recognized signatures (a signature is a sequence of characters that is guaranteed to identify a virus). The second parameter is the presence of a heuristic analyzer for unknown viruses; it is very useful, but it significantly slows down the program.

Test questions

    What is a computer virus?

    How does a virus infect a computer?

    How do computer viruses work?

    What sources of computer virus infection do you know?

    By what signs can you detect the fact of a computer virus infection?

    What types of viruses do you know? What destructive actions do they carry out?

    What actions are taken to prevent infection with a computer virus?

    What is antivirus? What types of antivirus do you know?

    What is a heuristic analyzer? What functions does it perform?

General information. PC users most often encounter one type of computer crime: computer viruses. These are a special type of malware that causes a great deal of trouble for users and PC maintenance personnel.¹

A computer virus is a program capable of self-reproduction and replication that embeds itself in other programs.

The analogy between the concepts of computer and biological viruses is obvious. However, not every program that can replicate itself is a computer virus. Viruses always wreak havoc: they interfere with the normal operation of the PC, destroy the file structure, etc., and are therefore classified as so-called malicious programs.

Historically, the emergence of computer viruses is associated with the idea of creating self-replicating mechanisms, in particular programs, which arose in the 1950s. J. von Neumann proposed a method for creating such mechanisms back in 1951, and his ideas were further developed in the works of other researchers. The first to appear were game programs using elements of the future virus technology; then, on the basis of the accumulated scientific and practical results, some people began to develop self-replicating programs with the aim of harming computer users.

Virus creators have focused their efforts on the PC area because of its mass distribution and the almost complete lack of effective protection tools at both the hardware and OS levels. Some of the motivations driving virus authors include:

The desire to "annoy" someone;

An unnatural need to commit crimes;

The desire to assert oneself, mischief, and at the same time a failure to understand all the consequences of spreading the virus;

Inability to use one's knowledge in a constructive way (this is mostly an economic problem);

Confidence in complete impunity (in a number of countries there are no legal norms establishing liability for the creation and spread of viruses).

¹ N.N. Bezrukov

The main channels for viruses to penetrate into a personal computer are removable media drives and network communications, in particular the Internet.

The first cases of mass PC infection with viruses were noted in 1987, when the so-called Pakistani virus appeared, created by the brothers Amjad and Basit Alvi. In this way they decided to punish Americans who bought cheap illegal copies of software in Pakistan, which the brothers began to infect with the virus they had developed. The virus infected more than 18,000 computers in the United States and traveled around the world to the USSR. The next widely known virus was the Lehigh virus, which spread at the university of the same name in the United States. Within a few weeks it destroyed the contents of several hundred floppy disks from the library of the university's computer center and students' personal diskettes. By February 1989, about 4,000 PCs had been infected with this virus in the United States.

Subsequently, the number of viruses and the number of computers infected by them began to grow like an avalanche, which required urgent measures of a technical, organizational and legal nature. Various anti-virus tools appeared, and the situation began to resemble an arms race between viruses and the means of protection against them. A certain effect was achieved when a number of developed countries adopted legislation on computer crimes, including articles concerning the creation and distribution of computer viruses.

Currently, there are more than 20 thousand viruses in the world, including strains, i.e. varieties of viruses of the same type. Viruses do not recognize borders, so most of them also circulate in Russia. Moreover, there has been a tendency towards an increase in the number of viruses developed by domestic programmers. If the situation does not change, Russia may in the future claim the role of a leader in the field of virus creation.

Classification of viruses. The life cycle of computer viruses usually includes the following phases:

The latency period during which no action is taken by the virus;

The incubation period, within which the virus only multiplies;


An active period during which, along with reproduction, unauthorized actions inherent in the virus algorithm are performed.

The first two phases serve to hide the source of the virus, the channel of its penetration and infect as many files as possible before the virus is detected. The duration of these phases can be determined by the time interval provided in the algorithm, the occurrence of an event in the system, the presence of a certain configuration of PC hardware (in particular, the presence of a hard disk drive), etc.

Computer viruses are classified according to the following characteristics:

By habitat;

By the way the habitat is infected;

By the way of activation;

By the way of manifestation (destructive actions or caused effects);

By the way of disguise.

Viruses can only be introduced into programs, which in turn can be contained either in files or in some components of the system area of the disk involved in the boot process of the operating system. By habitat, one distinguishes between:

file viruses, which infect executable files;

boot viruses, which infect components of the system area used when loading the OS;

file-boot viruses, which combine the features of the first two groups.

File viruses can infect:

Position-independent relocatable machine programs located in COM files;

Position-dependent relocatable machine programs placed in EXE files;

Device drivers (SYS and BIN files);

Files with DOS components;

Object modules (OBJ files);

Files with programs in programming languages (based on the compilation of these programs);

Command files (BAT files);

Object and symbolic libraries (LIB and other files);

Overlay files (OVL, PIF and other files).

The most common file viruses are capable of injecting themselves into COM and/or EXE files.

Boot viruses can infect:

Boot sector on floppy disks;


The boot sector of the system logical disk created on the hard drive;

Non-system bootloader on the hard drive.

Boot viruses spread on floppy disks, counting on an attempt being made to boot from them, which does not happen very often. File viruses have a higher infectivity.

File-boot viruses are even more infectious, as they can spread both in program files and on data diskettes.

Methods of infecting a habitat depend on the type of habitat. A virus-infected habitat is called a virus carrier. When implanted, the body of a file virus can be located:

At the end of the file;

At the beginning of the file;

In the middle of the file;

In the tail (free) part of the last cluster occupied by the file.

The most easily implemented is the introduction of a virus at the end of a COM file. Upon gaining control, the virus selects a victim file and modifies it as follows:

1. It appends its own copy (the virus body) to the file.

2. It saves the original beginning of the file inside this copy.

3. It replaces the original beginning of the file with a command that transfers control to the virus body.

When a program infected by the described method is started, execution of the virus body is initiated first, as a result of which:

The original beginning of the program is restored (but in memory, not in the file!);

Possibly another victim is sought and infected;

Possibly actions not authorized by the user are carried out;

Control is transferred to the beginning of the virus carrier, which is then executed in the usual way.

Virus implantation at the beginning of the COM file is done differently: a new file is created, which is a union of the virus body and the contents of the original file. The two described ways of introducing a virus lead to an increase in the length of the original file.

Virus implantation in the middle of a file is the most complex and specialized. The difficulty lies in the fact that in this case the virus must "know" the structure of the victim file (for example, command.com) in order to be able to penetrate, in particular, into the stack area. The described method of implantation does not increase the file length.
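As an added example (not code from the original text), a defender's heuristic for the append-to-end COM infection described above: a .COM image whose first instruction is a JMP that lands in the trailing part of the file is flagged, while a legitimate jump over a leading data area is not. The 25% tail window and the three sample images are constructed for this demonstration.

```python
"""Heuristic check for the "append to the end of a COM file" infection footprint.

Added example, not code from the original text. Detection side only: DOS loads
a .COM image at offset 0x100 and starts executing at its first byte, so an
image whose first instruction is a JMP that lands in the trailing part of the
file matches the method described above (original beginning replaced by a
transfer of control to a body appended at the end). The tail window and the
sample images are constructed for this demonstration.
"""
import struct
from pathlib import Path

JMP_NEAR = 0xE9          # JMP rel16 (3 bytes)
JMP_SHORT = 0xEB         # JMP rel8  (2 bytes)
TAIL_FRACTION = 0.25     # assumption: "near the end" means the last quarter of the file


def entry_jump_target(image: bytes):
    """File offset reached by an initial JMP, or None if the image does not
    start with one. The 0x100 load offset cancels out because both the jump
    and its target are measured from the same base; 16-bit wrap is kept."""
    if len(image) >= 3 and image[0] == JMP_NEAR:
        rel = struct.unpack_from("<h", image, 1)[0]
        return (3 + rel) & 0xFFFF
    if len(image) >= 2 and image[0] == JMP_SHORT:
        rel = struct.unpack_from("<b", image, 1)[0]
        return (2 + rel) & 0xFFFF
    return None


def looks_append_infected(image: bytes, tail_fraction: float = TAIL_FRACTION) -> bool:
    """True when control is transferred straight into the trailing part of the file."""
    target = entry_jump_target(image)
    if target is None or target >= len(image):
        return False                       # no jump, or jump outside the image
    tail_start = int(len(image) * (1.0 - tail_fraction))
    return target >= tail_start


def describe(image: bytes) -> dict:
    """Verdict for one image, in the form a heuristic analyzer would report."""
    target = entry_jump_target(image)
    return {
        "size": len(image),
        "entry_jump_target": target,
        "verdict": ("suspicious: entry jumps into file tail"
                    if looks_append_infected(image) else "no append-infection footprint"),
    }


def scan_com_file(path) -> dict:
    """Read a .COM file from disk and describe it."""
    return describe(Path(path).read_bytes())


# --- constructed sample images (64/80 bytes; no real program or malware) ---
PROLOGUE = bytes([0xB4, 0x4C, 0xCD, 0x21])            # MOV AH,4Ch ; INT 21h (terminate)
CLEAN_COM = PROLOGUE + b"\x90" * 60                    # plain program, 64 bytes
# Footprint of the described method: first 3 bytes replaced by JMP to offset 64,
# where a 16-byte block holding the saved original beginning was appended.
APPENDED_BLOCK = PROLOGUE + b"\x90" * 12
SUSPICIOUS_COM = b"\xE9\x3D\x00" + CLEAN_COM[3:] + APPENDED_BLOCK       # 80 bytes, 3+0x3D = 64
# Legitimate pattern that must NOT be flagged: JMP over a 16-byte data area.
DATA_SKIP_COM = b"\xE9\x10\x00" + b"DATA AREA HERE!!" + PROLOGUE + b"\x90" * 57   # 80 bytes


if __name__ == "__main__":
    for name, img in [("CLEAN", CLEAN_COM), ("SUSPICIOUS", SUSPICIOUS_COM), ("DATA_SKIP", DATA_SKIP_COM)]:
        print(name, describe(img))
```

The check is only a heuristic: the later sections on self-encrypting and stealth viruses describe exactly the techniques that defeat such a simple structural test.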


The manifestation (destructive actions) of viruses can be:

Impact on PC performance;

Distortion of program files;

Distortion of data files;

Formatting a disk or part of it;

Replacing information on a disk or part of it;

Distortion of the system or non-system disk loader;

Destruction of file connectivity by corrupting the FAT table;

Distortion of data in CMOS memory.

Most of the viruses of the first group that cause visual or sound effects are informally called "illusionists". Other viruses of the same group can slow down the PC or interfere with the normal operation of the user by modifying and blocking the functions of the programs being executed, as well as the operating system. Viruses of all other groups are often called "vandals" because of the irreparable damage they cause, as a rule.

By the way of disguise, one distinguishes between:

Non-masking viruses;

Self-encrypting viruses;

Stealth viruses.

The authors of the first viruses paid special attention to the mechanisms of reproduction (replication) by introducing the virus body into other programs. No masking from anti-virus tools was done. Such viruses are called non-masking viruses.

With the advent of antivirus tools, virus developers focused their efforts on masking their products. First, the idea of a self-encrypting virus was implemented. In this case only a small part of the virus is available for meaningful reading, and the rest is decrypted immediately before the virus starts working. This approach makes it difficult both to detect the virus and for specialists to analyze its body.

Stealth viruses have also emerged, named after a large-scale project to create stealth aircraft. The masking methods used by stealth viruses are complex and can be roughly divided into two categories: masking the presence of a virus in a virus carrier program, and masking the presence of a memory-resident virus in RAM. The first category includes:

Virus body automodification;

Producing the effect of the virus body being absent from the virus carrier when the latter is read from disk, in particular by a debugger (this is done by intercepting an interrupt and, of course, requires a resident virus in RAM);

Implanting the virus body into a file without increasing its size;

The effect of the invariability of the length of the infected file (carried out similarly to item 2);


Keeping the original beginning of the program files unchanged.

For example, when a directory is read using DOS tools, a memory-resident virus can intercept the corresponding interrupt and artificially reduce the reported file length. Of course, the actual file length does not change, but the user is shown information that masks its increase. By working with directories directly (bypassing DOS tools), one can obtain true information about a file's characteristics. Such capabilities are provided, in particular, by the Norton Commander shell.

The second category includes:

Inserting a virus into a special zone of resident DOS modules, into the tail of clusters, into CMOS memory, video memory, etc.;

Modification of the non-system bootloader list, as already mentioned;

Manipulating interrupt handlers, in particular, special methods of replacing them, in order to bypass resident antivirus tools;

Adjustment of the total amount of RAM.

During daily work, the user can detect a virus by its symptoms. Naturally, the symptoms of a virus are directly determined by the manifestation modes implemented in it, as well as by its other characteristics. The following are distinguished as symptoms of viruses:

Increase in the number of files on disk;

Reducing the amount of free RAM;

Change of time and date of file creation;

Increasing the size of the program file;

The appearance of registered defective clusters on the disk;

Abnormal operation of the program;

Slowdown of the program;

The drive indicator lights up at a time when there should be no disk access;

A noticeable increase in the access time to the hard disk;

Malfunctions of the operating system, in particular, its freezing;

Inability to load the operating system;

Destruction of the file structure (disappearance of files, distortion of directories).

Along with computer viruses, there are other dangerous programs, for example the so-called "worms", formally called replicators. Their main feature is the ability to reproduce without being introduced into other programs. Replicators are created with the aim of spreading across the nodes of a computer network and can be stuffed with, in particular, viruses. In this respect, an analogy can be drawn between the "worm" and the ball bomb.


An example of a replicator is the Christmas Tree program, which draws a Christmas tree on a display screen and then sends copies of itself to all registered email addresses.

Classification of antivirus tools. A large number of anti-virus tools are available now. However, none of them is universal: each is designed for specific viruses or blocks certain channels of PC infection or virus spreading. In this regard, the application of artificial intelligence methods to the problem of creating anti-virus tools can be considered a promising area of research.

An antivirus tool is a software product that performs one or more of the following functions:

Protecting the file structure from destruction;

Virus detection;

Virus neutralization.

A virus filter (watchman) is a resident program that monitors the execution of actions typical of viruses and requires the user to confirm them. Control is implemented by replacing the corresponding interrupt handlers. The controlled actions can be:

Updating program files;

Direct recording to disk (by physical address);

Disk formatting;

Resident placement of a program in RAM.

A detector is a program that searches for viruses both on external storage media and in RAM. The result of the detector's operation is a list of infected files and/or areas, possibly indicating the specific viruses that infected them.

Detectors are divided into universal (inspectors) and specialized. Universal detectors check the integrity of files by calculating a checksum and comparing it with a standard. The standard is either indicated in the documentation for the software product or can be determined at the very beginning of its operation.

Specialized detectors are configured for specific viruses, one or more. If a detector is capable of detecting several different viruses, it is called a polydetector. The operation of a specialized detector is based on searching for a line of code belonging to a particular virus, possibly specified by a regular expression. Such a detector is not capable of detecting all possible viruses.
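An added example, not from the original text or any named antivirus product, of the two detector classes in this passage and of the detector and auditor programs listed in Appendix A: `baseline()`/`audit()` is the universal (integrity) detector that compares files with a stored standard, and `SignatureScanner` is a specialized polydetector whose signatures are regular expressions over bytes. All files and signatures are constructed for the demonstration and correspond to no real malware.

```python
"""Integrity auditor (universal detector) plus signature polydetector.

Added example, not from the original text or any named antivirus product.
baseline()/audit() implement the universal detector described above: record a
'standard' (size + SHA-256) of every file in a clean state and later report
what changed. SignatureScanner implements a specialized detector/polydetector:
byte patterns, written as regular expressions, that belong to particular
'viruses'. All files and signatures below are constructed for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """The 'standard': size and digest of every regular file under root."""
    return {
        str(p.relative_to(root)): {"size": p.stat().st_size, "sha256": file_digest(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit(root: Path, standard: dict) -> dict:
    """Compare the current state with the standard and list the discrepancies."""
    current = baseline(root)
    report = {"modified": [], "grown": [], "new": [], "missing": []}
    for name, rec in current.items():
        old = standard.get(name)
        if old is None:
            report["new"].append(name)
        elif old["sha256"] != rec["sha256"]:
            report["modified"].append(name)
            if rec["size"] > old["size"]:      # growth of a program file: classic symptom
                report["grown"].append(name)
    report["missing"] = sorted(set(standard) - set(current))
    return report


class SignatureScanner:
    """Specialized detector: one or more byte-regex signatures (a polydetector)."""

    def __init__(self, signatures: dict):
        self.sigs = {name: re.compile(pat, re.DOTALL) for name, pat in signatures.items()}

    def scan_bytes(self, data: bytes) -> list:
        return [name for name, rx in self.sigs.items() if rx.search(data)]

    def scan_tree(self, root: Path) -> dict:
        hits = {}
        for p in sorted(root.rglob("*")):
            if p.is_file():
                found = self.scan_bytes(p.read_bytes())
                if found:
                    hits[str(p.relative_to(root))] = found
        return hits


# Constructed signatures; they match nothing but the demo files below.
DEMO_SIGNATURES = {
    "Demo.Alpha": rb"DEMO-SIG-ALPHA",
    "Demo.Beta": rb"BETA\x00{2,4}\x90",   # fixed bytes with a variable-length gap
}


def demo() -> dict:
    """Build a small constructed 'disk', take the standard, change it, audit and scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "EDIT.COM").write_bytes(bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 60)
        (root / "REPORT.TXT").write_bytes(b"quarterly figures\n")
        # GAME.COM already carries Demo.Beta when the standard is taken, so only
        # the signature scan can reveal it; the integrity check alone cannot.
        (root / "GAME.COM").write_bytes(b"\x90" * 20 + b"BETA\x00\x00\x00\x90" + b"\x90" * 20)
        standard = baseline(root)

        # Later state: EDIT.COM modified and grown, and a new file has appeared.
        (root / "EDIT.COM").write_bytes(b"\xE9\x3D\x00" + b"\x90" * 61 + b"DEMO-SIG-ALPHA\x00\x00")
        (root / "NEW.COM").write_bytes(b"\xCD\x20")

        scanner = SignatureScanner(DEMO_SIGNATURES)
        return {"audit": audit(root, standard), "hits": scanner.scan_tree(root)}


if __name__ == "__main__":
    print(demo())
```

The two halves cover each other's blind spot: the auditor reports the changed and grown EDIT.COM without knowing any signature, while the signature scanner finds GAME.COM, which was already infected when the standard was recorded.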

A disinfector (doctor, phage) is a program that removes a virus, with or without restoring the habitat. A number of viruses distort the habitat in such a way that its original state cannot be restored.

The most famous polydetector-phages are the Antiviral Toolkit Pro software packages by Eugene Kaspersky and DrWeb by Dialog.

An immunizer (vaccine) is a program that prevents a particular virus from infecting a habitat or memory. Immunizers neutralize a virus not by destroying it but by blocking its ability to reproduce. Such programs are currently practically not used.

Methods of protection against computer viruses. When protecting against computer viruses, the comprehensiveness of the measures taken, both organizational and technical, matters more than ever. At the forefront of the "defense" it is advisable to place means of protecting data from destruction, behind them the means of detecting viruses and, finally, the means of neutralizing viruses.

Means of protecting data from possible loss and destruction should be used always and regularly. In addition, the following organizational recommendations should be followed to avoid virus infection:

Always use floppy disks with a sealed write-protect slot whenever possible;

Do not use unknown floppy disks unless absolutely necessary;

Do not transfer your floppy disks to others;

Do not run programs whose purpose is not clear; use only licensed software products;

Restrict access to the PC by unauthorized persons.

If you need to use a software product obtained from an unknown source, it is recommended:

Test the software product with specialized detectors for the presence of known viruses. It is undesirable to keep detectors on the hard disk; they should be run from a write-protected diskette;

Back up the files of the new software product;

Back up your files that are required for the new software to work;

Organize trial operation of a new software product against the background of a virus filter with deliberate responses to its messages.

Protection against computer viruses should become part of a set of measures to protect information both in individual computers and in automated information systems as a whole.


LIST OF REFERENCES

1. Andreev V.B. Legal informatics: Study guide. - M.: IMP, 1998.

2. Baranov A.K., Karpychev V.Yu., Minaev V.A. Computer expert technologies in internal affairs agencies: Textbook. - M.: Academy of the Ministry of Internal Affairs of the Russian Federation, 1992.

3. Baturin Yu.M. Law and politics in the computer circle. - M.: Nauka, 1987.

4. Baturin Yu.M. Computer law problems. - M.: Jurid. lit., 1991.

5. Baturin Yu.M., Zhodzishsky A.M. Computer crimes and computer security. - M.: Jurid. lit., 1991.

6. Bauer F.L., Goos G. Computer science. Introductory course: In 2 parts. - M.: Mir, 1990. - Part 1.

7. Bezrukov N.N. Computer viruses. - M.: Nauka, 1991.

8. Borovkov V.P. A popular introduction to Statistica. - M.: Computer Press, 1998.

9. Vekhov B.V. Computer crimes: methods of committing, methods of investigation. - M.: Law and Law, 1996.

10. Voskresensky G.M., Dudarev G.I., Maslennikov E.P. Statistical methods of processing and analysis of social information in the management activities of the internal affairs bodies. - M.: Academy of the Ministry of Internal Affairs of the USSR, 1986.

11. Gudkov P.B. Computer crimes in the field of economics. - M.: MI of the Ministry of Internal Affairs of Russia, 1995.

12. Gulbin Yu. Crimes in the field of computer information // Russian Justice. - 1997. - No. 10. - P. 24-25.

13. Demidov V.N. Criminological characteristics of crime in Russia and Tatarstan: Textbook. - M.: VNII MIA of Russia, 1998.

14. Dyakonov V.P. Handbook of calculations on microcalculators. - 3rd ed. - M.: Nauka, 1989.

15. Dyakonov V.P. Reference book on algorithms and programs in the BASIC language for personal computers. - M.: Nauka, 1989.

16. Zhenilo V.R. Informatics and computer technology in the activities of the internal affairs bodies. Part 3. Software for computer technology: Study guide / Ed. V.A. Minaev. - M.: GUK MVD RF, 1996.

17. Zhenilo V.R., Minaev V.A. Computer technologies in forensic phonoscopic research and examinations: Textbook. - M.: Academy of the Ministry of Internal Affairs of the Russian Federation, 1994.

18. Ivakhnenko A.G., Yurachkovsky Yu.P. Simulation of complex systems based on experimental data. - M.: Radio and Communication, 1987.

19. Informatics. Basic course: Textbook for universities / Ed. S.V. Simonovich. - SPb.: Piter, 1999.

20. Computer science and mathematics for lawyers. Short course in tables and diagrams: Study guide / Ed. V.A. Minaev. - M.: MUI of the Ministry of Internal Affairs of Russia; Prior, 1998.

21. Informatics and computer technology in the activities of internal affairs bodies. Part 2. Computer hardware: Study guide / Ed. V.A. Minaev. - M.: GUK of the Ministry of Internal Affairs of the Russian Federation, 1995.

22. Informatics and computer technology in the activities of internal affairs bodies. Part 4. Automation of solving practical problems in the internal affairs bodies: Study guide / Ed. V.A. Minaev. - M.: GUK MVD RF, 1996.

23. Informatics and computer technology in the activities of internal affairs bodies. Part 5. Analytical activity and computer technology: Study guide / Ed. V.A. Minaev. - M.: GUK MVD RF, 1996.

24. Informatics and computer technology in the activities of the internal affairs bodies. Part 6. Computer networks in the internal affairs bodies: Study guide / Ed. V.A. Minaev. - M.: GUK MVD RF, 1997.

25. Information technologies of management in the internal affairs bodies / Ed. V.A. Minaev. - M.: Academy of Management of the Ministry of Internal Affairs of the Russian Federation, 1997.

26. Isakov S.A. Information and technical support of internal affairs bodies: Study guide. - M.: Law Institute of the Ministry of Internal Affairs of the Russian Federation, 1994.

27. Kazantsev S.Ya., Mazurenko P.I. The use of computers in the activities of law enforcement agencies. - Kazan: Kazan branch of the Law Institute of the Ministry of Internal Affairs of the Russian Federation, 1997.

29. Kidmeier M. Multimedia. - SPb.: BHV-Saint Petersburg, 1994.

30. Commentary on the Criminal Code of the Russian Federation / Ed. A.V. Naumov. - M.: Jurist, 1996.

31. Computer technologies of information processing: Study guide / Ed. S.V. Nazarov. - M.: Finance and Statistics, 1995.

32. Computer technologies in legal activity: Textbook and practical manual / Ed. N. Polevoy, V. Krylov. - M.: BEK Publishing House, 1994.

33. The concept of development of a system of information support for internal affairs bodies in the fight against crime. Approved by order of the Ministry of Internal Affairs of the Russian Federation No. 229 dated 05/12/93.

34. Korshunov Yu.M. Mathematical foundations of cybernetics. - M.: Energoatomizdat, 1987.

35. Forensic science and computer crime: Materials of a scientific and practical seminar // Collection of articles. - M.: EKTs of the Ministry of Internal Affairs of Russia, 1993.

36. Krylov V.V. Investigation of crimes in the field of information. - M.: Gorodets, 1998.

37. Levin A. A self-instruction manual for working on a computer. - 5th ed. - M.: Knowledge, 1999.

38. Local area networks: Handbook: In 3 books. Book 1. Principles of construction, architecture, communication tools / Ed. S.V. Nazarov. - M.: Finance and Statistics, 1994.

39. Lyapunov Yu., Maksimov V.Responsibility for computer crimes // Legality. - 1997. - No. 1. - S. 8-15.

40. McKlang Kr.J., Gerrieri J.A., McKlang K.A.Microcomputers for lawyers / Per. from English A.P. Polezhaeva. - M .: Legal literature, 1988.

41. A.A. MarkaryanIntegration of the achievements of natural and technical sciences into forensic science. - Izhevsk: UdSU, 1996.

42. V. V. MelnikovInformation protection in computer systems. - M .: Finance and Statistics, 1997.

43. Methodology and methods of forecasting in the field of combating crime: Proceedings of the Academy of the Ministry of Internal Affairs of the USSR. - M .: Academy of the Ministry of Internal Affairs of the USSR, 1989.

44. Minaev V.A.Human resources of internal affairs bodies: modern approaches to management. - M .: Academy of the Ministry of Internal Affairs of the USSR, 1991.

45. Minin A.Ya.Fundamentals of Management and Informatics: A course of lectures. - Yekaterinburg: Yekaterinburg Higher School of the Ministry of Internal Affairs of Russia, 1993.

46. Minin A.Ya.Informatization of criminological research: theory and methodology. - Yekaterinburg: Ural Publishing House. University, 1992.

47. Science and technology in the service of the investigation // Information bulletin of the investigation department of the Ministry of Internal Affairs of the Republic of Tatarstan. - Issue. 5. - Kazan, 1996.

48. About information, informatization and information protection. Federal Law of February 22, 1995 // Rossiyskaya Gazeta. - 1995 .-- February 22.

49. Organization of the activities of information workers of the mountains-railing bodies of internal affairs: Sat. materials for classes in the system of service training / Ed. Yu.A. Bunichev. - M .: GITs MVD RF, 1995.

50. Basics of automation of management in internal affairs bodies: Textbook. / Ed. V.A.Minaeva, A.P. Polezhaeva. - M .: Academy of the Ministry of Internal Affairs of the Russian Federation, 1993.

51. Fundamentals of mathematical modeling in the activities of internal affairs bodies: Textbook. manual. / Ed. V.A.Minaeva. - M .: Academy of the Ministry of Internal Affairs of the Russian Federation, 1993.

52. Pershikov V.I., Savinkov V.M.Explanatory Dictionary of Informatics. - 2nd ed. - M .: Finance and Statistics, 1995.

53. Petrovsky A., Leontiev B.Effective hacking for beginners and more. - M .: Informative book plus, 1999.

54. Polevoy N. S.Forensic Cybernetics: Textbook. - 2nd ed. - M .: Moscow State University, 1989.

55. Legal informatics and cybernetics: Textbook. / Ed. N. S. Polevoy. - M .: Legal literature, 1993.


56. Problems of programming, organization and information support of the preliminary investigation // Interuniversity. mezhved. Sat. scientific. works. - Ufa, 1989.

57. The program of computerization of the internal affairs bodies of the Russian Federation for 1991 and the near future. Approved by order of the Ministry of Internal Affairs of the Russian Federation No. 104 of 05.07.91.

58. Investigation of illegal access to computer information / Ed. I.G. Shurukhnova. - Moscow: Shchit Publishing House, 1999.

59. Simonovich S.V., Evseev G.A.Practical Informatics: A Study Guide. Universal course. - M .: AST-Press, 1998.

60. Simonovich S.V., Evseev G.A., Alekseev A.G.Special Informatics: Textbook. - M .: AST-Press, 1998.

61. Sawyer B., Foster D.L.Expert systems programming in Pascal: Translated from English. - M .: Finance and Statistics, 1990.

62. Sokovykh Yu.Yu.Qualification of crimes and informatics // Information Bulletin of the Investigative Committee of the Ministry of Internal Affairs of the Russian Federation, 1993, No. 4 (46).

63. Statistical modeling and forecasting: Textbook. manual. / Ed. A.G. Granberg. - M .: Finance and Statistics, 1990.

64. Terms of reference for the creation of an information computer network of the internal affairs bodies of the Russian Federation. Approved by the Minister of Internal Affairs on February 22, 1992

65. Federal registration of the GIC in the fight against crime. To help employees of internal affairs bodies / Ed. G.L. Lezhikova. - M .: GITs MVD RF, 1994.

66. Figurnov V.E.IBM PC for the user. - 6th ed. - M .: Infra-M, 1995.

67. Shcherbinin A.I., Ignatov L.N., Puchkov S.I., Kotov I.A.Comparative analysis of software for automation of criminal procedural activity // Information Bulletin of the Investigative Committee of the Ministry of Internal Affairs of the Russian Federation. - 1993. - No. 3 (46). - S. 73 - 82.

68. Shcherbinin A.I., Ilyin S.K., Ignatov L.N.The use of personal computers in the investigation of complex multi-episode cases of embezzlement in the banking sector // Information Bulletin of the Investigative Committee of the Ministry of Internal Affairs of the Russian Federation. - 1993. - No. 4 (46).

69. Expert systems. How it works and examples. - M .: Radio and communication, 1987.

70. Yaromich S.A.Informatics Around Us: A Reference Dictionary. - Odessa: Mayak, 1991.

COMPUTER VIRUSES, THEIR CLASSIFICATION. ANTI-VIRUS SOFTWARE

A computer virus is a special program that can attach itself to other programs on its own and, when those programs are launched, perform various undesirable actions: damaging files and directories, distorting calculation results, cluttering or erasing memory, and interfering with the computer's operation. The presence of viruses manifests itself in different ways.

  1. Some programs stop working or start to work incorrectly.
  2. Extraneous messages, signals and other effects are displayed on the screen.
  3. The computer slows down significantly.
  4. The structure of some files is corrupted.

Existing viruses are classified by several criteria:

  • by habitat;
  • by the affected area;
  • by the features of the algorithm;
  • by the method of infection;
  • by destructive capabilities.

By habitat, file, boot, macro and network viruses are distinguished.

File viruses are the most common type of viruses. These viruses infiltrate executable files, create companion files (companion viruses), or exploit the organization of the file system (link viruses).

Boot viruses write themselves to the boot sector of a floppy disk or to the boot sector of the hard disk. They are started when the computer boots and usually become resident.

Macro viruses infect files of widely used data processing packages. These viruses are programs written in the programming languages built into these packages. The most widespread are macro viruses for Microsoft Office applications.

Network viruses use the protocols or commands of computer networks and e-mail to spread. The basic principle of a network virus is the ability to transfer its code to a remote server or workstation on its own. A full-fledged network virus is also able to launch its code on the remote computer for execution.

In practice, there are various combinations of viruses - for example, file-boot viruses that infect both files and boot sectors of disks, or network macro viruses that infect edited documents and send copies of themselves by e-mail.

As a rule, each virus infects files of one or several operating systems. Many boot viruses are also tied to specific layouts of system data in the boot sectors of disks. By the features of the algorithm, resident viruses, stealth viruses, polymorphic viruses, etc. are distinguished. Resident viruses are capable of leaving copies of themselves in the operating system, intercepting event handling (for example, access to files or disks) and invoking procedures that infect objects (files or sectors). Such viruses are active in memory not only while the infected program is running but also afterwards. Resident copies of such viruses remain viable until the OS is rebooted, even if all infected files on the disk are destroyed. If a memory-resident virus is also a boot virus and is activated when the OS boots, then even formatting the disk while the virus is present in memory will not remove it.

Macroviruses should also be classified as resident viruses, since they are constantly present in the computer's memory while the infected editor is running.

Stealth algorithms allow viruses to hide their presence completely or partially. The most common stealth algorithm is to intercept OS requests to read or write infected objects: the stealth virus then either temporarily disinfects these objects or substitutes uninfected areas of data for itself. A small group of macro viruses that store their main code not in macros but in other areas of the document (its variables or AutoText) is also partly classed as stealth viruses.

Polymorphism (self-encryption) is used to complicate virus detection. Polymorphic viruses are hard-to-detect viruses that have no constant piece of code; in general, two samples of the same virus do not match. This is achieved by encrypting the main body of the virus and modifying the decryption routine.

Non-standard techniques are often used when creating viruses; their purpose is to make detecting and removing the virus as difficult as possible.

By the method of infection, Trojans, covert administration utilities, intended viruses, etc. are distinguished.

Trojans get their name from the Trojan horse. These programs imitate useful programs, new versions of popular utilities or add-ons to them. When the user copies them to the computer, the Trojans are activated and perform unwanted actions.

Covert administration utilities are a type of Trojan horse. In functionality and interface they closely resemble the network administration systems developed and distributed by various software companies. During installation, these utilities independently install a hidden remote control system on the computer, which makes covert control of the computer possible. Implementing their built-in algorithms, the utilities, without the user's knowledge, accept, launch or send files, destroy information, reboot the computer, etc. These utilities can be used to find and transfer passwords and other confidential information, launch viruses and destroy data.

Intended viruses are programs that are unable to replicate because of errors in them. This class also includes viruses that replicate only once: having infected a file, they lose the ability to multiply further through it.

According to their destructive capabilities, viruses are divided into:

  1. harmless, the effect of which is limited to a decrease in free memory on the disk, slowdown of the computer, graphic and sound effects;
  2. dangerous, which can potentially lead to violations in the structure of files and malfunctions of the computer;
  3. very dangerous, whose algorithm deliberately includes data destruction procedures and the ability to cause rapid wear of the moving parts of mechanisms by inducing resonance and destroying the read/write heads of some hard disk drives.

To combat viruses, there are programs that can be divided into the following main groups: monitors, detectors, doctors, auditors and vaccines.

Monitor programs (filter programs) reside in the computer's operating system, intercept the OS calls that viruses use to replicate and cause damage, and inform the user about them. The user can allow or deny the execution of these calls. The advantage of such programs is that they can detect unknown viruses, and using filter programs allows viruses to be detected at an early stage of infection. Their disadvantages are that they cannot track viruses that access the BIOS directly or boot viruses that are activated before the anti-virus starts when DOS boots, and that they frequently prompt the user about operations.

Detector programs check whether a virus-specific combination of bytes is present in files and on disks; if it is found, a corresponding message is displayed. Their disadvantage is that they protect only against known viruses.

Doctor programs restore infected programs by removing the virus body from them. Usually these programs are designed for specific types of viruses and are based on comparing the code sequences contained in the body of the virus with the code of the programs being scanned. Doctor programs must be updated periodically so that new versions detect new types of viruses.

Auditor programs analyze changes in the state of files and system areas of the disk. They check the state of the boot sector and the FAT; the length, attributes and creation time of files; and checksums of code. The user is informed of any inconsistencies found.

Vaccine programs modify programs and disks in such a way that the operation of the programs is not affected, but the virus being vaccinated against treats the programs or disks as already infected. Existing anti-virus programs are mainly of the hybrid class (detector-doctors, doctor-auditors, etc.).
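An added example (not code from the lecture) of the detector and auditor programs described above, combined the way the text's hybrid class combines them: a signature scan for a constructed placeholder byte pattern, plus a baseline of file length, attributes, modification time and SHA-256 checksum that is re-checked after an in-place change which keeps the length and timestamp unchanged. The signature, file names and directory contents are all constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed placeholder standing in for the "virus-specific combination
# of bytes" a detector program looks for; it is not a real signature.
SIGNATURES = {
    "EXAMPLE-SIG": b"\x90\x90\xeb\xfe\x12\x34",
}


def scan_file_for_signatures(path, signatures=SIGNATURES):
    """Detector: names of the signatures whose byte pattern occurs in the file."""
    data = Path(path).read_bytes()
    return [name for name, pattern in signatures.items() if pattern in data]


def file_record(path):
    """Auditor: per-file state (length, attributes, time, checksum).
    A cryptographic hash serves as the checksum, so a modification that
    keeps the file length cannot slip through."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # attributes
        "mtime_ns": st.st_mtime_ns,       # creation time is not portable, so mtime is used
        "sha256": digest.hexdigest(),
    }


def build_baseline(root):
    """Record every regular file below root. The baseline belongs on
    write-protected media, and the comparison should run after booting
    from clean media so a resident stealth virus cannot feed the auditor
    clean data in place of infected files."""
    root = Path(root)
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root, baseline):
    """Return (relative_path, finding) pairs for every inconsistency."""
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
            continue
        changed = [k for k in ("size", "mode", "mtime_ns", "sha256") if old[k] != new[k]]
        if changed:
            findings.append((rel, "changed:" + ",".join(changed)))
    findings.extend((rel, "new") for rel in current if rel not in baseline)
    return findings


def demo():
    """Constructed scenario: take a baseline, then overwrite bytes inside a
    dummy file while keeping its length and timestamp, which the lecture
    notes a file virus need not change. Returns the detector result before
    and after the change, and the auditor findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        target = root / "prog.exe"
        target.write_bytes(b"MZ" + b"\x00" * 30)   # constructed dummy executable
        (root / "readme.txt").write_text("untouched")
        baseline = build_baseline(root)
        before = scan_file_for_signatures(target)

        st = os.stat(target)
        body = bytearray(target.read_bytes())
        pattern = SIGNATURES["EXAMPLE-SIG"]
        body[8:8 + len(pattern)] = pattern          # same length as before
        target.write_bytes(bytes(body))
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore timestamp

        after = scan_file_for_signatures(target)
        findings = compare_baseline(root, baseline)
        return before, after, findings
```

Only the checksum field reports the change, which is why length and timestamp alone are not a sufficient audit.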

In Russia, the most widely used anti-virus programs are those of Kaspersky Lab (AntiViral Toolkit Pro) and DialogNauka (Adinf, Dr.Web). The AntiViral Toolkit Pro (AVP) package includes the AVP Scanner, the resident AVP Monitor watchdog, the Control Center program for administering the installed components, and a number of others. AVP Scanner, in addition to the traditional scanning of executable files and document files, processes e-mail databases. The scanner can detect viruses in packed and archived files (those not protected by passwords). It detects and removes macro viruses, polymorphic viruses, stealth viruses and Trojans, as well as previously unknown viruses. The latter is achieved, for example, by heuristic analyzers, which emulate the operation of the processor and analyze the actions of the file being diagnosed; based on these actions, a decision is made about the presence of a virus.

The monitor monitors typical virus penetration routes, such as file and sector access operations.

AVP Control Center is a service shell designed to set the start time of the scanner, automatically update package components, etc.

In case of infection or suspicion of a computer infection with a virus, you must:

  1. assess the situation and take no actions that could lead to the loss of information;
  2. restart the operating system, using a special, previously prepared, write-protected system diskette; this prevents boot and memory-resident viruses from being activated from the computer's hard disk;
  3. run the available anti-virus programs until all viruses have been detected and removed. If a virus cannot be removed and the file contains valuable information, archive the file and wait for the release of a new version of the antivirus. When finished, restart the computer.

Lecture 14 Computer viruses

Classification of computer crimes.

Computer viruses, their properties and classification

Properties of computer viruses

First of all, a virus is a program. Such a simple statement by itself can dispel many legends about the extraordinary capabilities of computer viruses. The virus can flip the image on your monitor, but it cannot flip the monitor itself. The legends of killer viruses “killing operators by displaying a deadly color gamut in the 25th frame” should also not be taken seriously.

A virus is a program with the ability to reproduce itself. This ability is the only one common to all types of viruses. But viruses are not the only ones capable of reproducing themselves. Any operating system and many more programs are able to create their own copies. Copies of the virus not only do not have to completely coincide with the original, but may not coincide with it at all!

A virus cannot exist in "complete isolation": today it is impossible to imagine a virus that does not use the code of other programs, information about the file structure, or even just the names of other programs. The reason is clear: the virus must somehow ensure the transfer of control to itself.

Virus classification

Viruses are classified by:

  • habitat
  • the way the habitat is contaminated
  • impact
  • algorithm features

Depending on the habitat, viruses can be divided into network, file, boot and file-boot.

Network viruses spread over various computer networks.

File viruses are embedded mainly in executable modules, that is, in files with the COM and EXE extensions. File viruses can also be injected into other types of files, but, as a rule, once written into such files they never gain control and therefore lose the ability to replicate.

Boot viruses are embedded in the boot sector of the disk (Boot sector) or in the sector containing the boot program for the system disk (Master Boot Record).

File-boot viruses infect both files and boot sectors of disks.

By the method of infection, viruses are divided into resident and non-resident.

A memory-resident virus, when it infects a computer, leaves its resident part in RAM, which then intercepts the operating system's accesses to the objects of infection (files, boot sectors of disks, etc.) and embeds itself in them. Resident viruses reside in memory and remain active until the computer is shut down or restarted.

Non-memory-resident viruses do not infect the computer's memory and are active only for a limited time.

According to the degree of exposure, viruses can be divided into the following types:

  • non-hazardous, which do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; the actions of such viruses manifest themselves in various graphic or sound effects;
  • dangerous, which can lead to various disruptions of the computer's operation;
  • very dangerous, whose impact can lead to loss of programs, destruction of data and erasure of information in the system areas of the disk.

It is difficult to classify viruses by the peculiarities of the algorithm due to their wide variety.

Replicator viruses, called worms, spread over computer networks, compute the addresses of networked computers and write copies of themselves at those addresses.

Invisible viruses, known as stealth viruses, are very difficult to detect and neutralize, since they intercept the operating system's calls to the infected files and disk sectors and substitute uninfected disk areas in place of their bodies.

The hardest to detect are mutant viruses, which contain encryption and decryption algorithms thanks to which copies of the same virus do not share a single repeated byte string. There are also so-called quasi-viral or Trojan programs that, although not capable of self-propagation, are very dangerous, since, disguised as useful programs, they destroy the boot sector and the file system of disks.

Boot viruses

Let us consider the operation of a very simple boot virus that infects the boot sector of floppy disks.

Suppose you have a blank floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive, in our case a floppy disk that is not write-protected and not yet infected, it proceeds to infect it. When infecting a floppy disk, the virus performs the following actions:

  • allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, and in the simplest and traditional case the sectors occupied by the virus are marked as bad;
  • copies its tail and the original (healthy) boot sector to the selected disk area;
  • replaces the boot program present in the boot sector with its head;
  • organizes the chain of control transfer according to the scheme.

Thus, the virus head is now the first to gain control; the virus installs itself in memory and transfers control to the original boot sector.

File viruses

Let us now consider how a simple file virus works.

Unlike boot viruses, which are almost always memory-resident, file viruses are not necessarily resident. Let us consider the operation of a non-resident file virus. Suppose we have an infected executable file. When such a file is launched, the virus gains control, performs some actions and transfers control to its "host".

What does the virus do? It looks for a new object to infect: a file of a suitable type that has not yet been infected. When infecting a file, the virus injects itself into its code so as to gain control when the file is run. Besides its main function, reproduction, the virus may well do something elaborate (say, ask something or play something); that depends entirely on the imagination of the virus author. If the file virus is memory-resident, it installs itself in memory and can infect files and exhibit its other abilities not only while the infected file is running. By infecting an executable file, a virus always changes its code; therefore, infection of an executable file can always be detected.

But, while changing the file's code, the virus does not necessarily make other changes:

  • it is not obliged to change the length of the file
  • it is not obliged to change unused sections of code
  • it is not obliged to change the beginning of the file

Thus, when any file is launched, the virus gains control (the operating system itself launches it), installs itself in memory and transfers control to the file that was called.

Boot-file viruses

The main destructive action is encrypting sectors of the hard drive. At each launch, the virus encrypts the next portion of the sectors and, having encrypted half of the hard disk, cheerfully reports it. The main problem in disinfecting this virus is that simply removing the virus from the files is not enough; the information it encrypted must also be decrypted.

Polymorphic viruses

This type of computer viruses seems to be the most dangerous today. Let's explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two copies of the same virus may not match in a single bit.

Such viruses not only encrypt their code using various encryption methods but also contain code that generates the encryptor and decryptor, which distinguishes them from conventional encrypting viruses, which can also encrypt portions of their code but have a constant encryptor and decryptor.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of this encryption is that, even having both the infected and the original file, you still cannot analyze the virus code by ordinary disassembly: the code is encrypted and is a meaningless set of instructions. Decryption is performed by the virus itself at run time. Variants are possible: it may decrypt itself all at once, or decrypt "along the way", and it may re-encrypt sections already used. All this is done to make analysis of the virus code difficult.

Stealth viruses

Stealth viruses trick antivirus programs and go unnoticed as a result. However, there is an easy way to disable the stealth virus masking mechanism. It is enough to boot the computer from a non-infected system floppy disk and immediately, without launching other programs from the computer disk (which may also be infected), check the computer with an anti-virus program.