Are executables favorite slaves of viruses?

3

Often viruses are attached to an .exe file.

Are executables the main target of viruses, so as to cause maximum (or rather faster) harm on the destination side?

Are there any other formats of files or any other ways which are equally or more harmful than executables?

(I am using the term "virus" in a generic manner)

Ravi

Posted 2009-10-25T08:38:22.883


Answers

3

Viruses that attach themselves to executables belong mostly to the past, when viruses were simple and easy to detect.

Today's viruses are themselves harmful executables, DLLs, BHOs, Java applets or Javascript scripts. The aim is to trick you into executing these at least once (which is one too many), where they take control of your computer.

They hide in various places, even in the BIOS, which means that even the old and trusted method of reformatting the hard disk may not get rid of them.

One virus is even a complete operating system by itself, so that it takes over the computer and runs your own O/S as a virtual machine. It corrupts the MBR to boot the virus, rather than your system. That means that no tools at your disposal can find even the smallest hint of its presence, and its use of the network card is invisible to your own O/S.

Today's viruses are the product of organized crime. We no longer have to deal with script kiddies, but rather with organized teams whose budgets may exceed those of law-enforcement agencies. Some estimates put the average that banks lose from fraud at 5% of their yearly income. Just try to imagine the enormous sums that are involved and the percentage of this "crime-tax" on the world economy!

harrymc

Posted 2009-10-25T08:38:22.883

Reputation: 306 093

Sources for any of this? I've seen white papers saying BIOS infections are possible, but I've never heard of one in the wild. As for an undetectable virus that virtualizes your OS, I believe you're referring to Blue Pill, which is very detectable. The creator wouldn't even put it up against rootkit detectors at Black Hat 3 years ago. Also, the use of the NIC is certainly not invisible. Traffic has to go out of the physical NIC whether it's being encapsulated by a virtual one first or not. Also, there are a lot of commercial viruses, but I think you seriously overestimate their budget – MDMarra – 2009-10-25T13:55:48.300

@MarkM: Do you know that experts seeing the daily mutations of Conficker have concluded that there were at least 20 programmers in the team behind it? – harrymc – 2009-10-25T15:14:50.893

Yeah, 20 programmers hardly exceed the budget of an average law enforcement agency. You have some decent points, but there is a lot of sensationalism in the answer. I don't want to edit your answer for you even though it's a CW, but I feel strongly that you need to turn down some of the extreme examples you've listed, as they're either theory only or borderline exaggerated. – MDMarra – 2009-10-25T16:09:47.380

@MarkM: Hard to believe, isn't it? I've collected these facts from many articles I've read and several security magazines. Some articles were really scary. Anyway, based on Blue Pill a virus was actually developed as an open-source project, duping hundreds of innocents as collaborators. I believe it was discovered early and neutered. There's more money to gain in computer fraud than in drug dealing, and much less risk, as organized crime is fully aware of. – harrymc – 2009-10-25T17:36:16.147

Blue Pill was a lot of FUD. Since some x86 instructions cannot be virtualized, a proper rootkit scanner will identify it immediately. It is an open source project and was never in the wild, as it was never able to be delivered remotely. It was demoed at Black Hat and then died promptly. As for firmware infections - sure, it's possible, but pretty much anything is possible in theory. There are no known exploits that will allow a virus to infect firmware. All of these worst-case scenarios that you've listed are only a threat if the attacker has physical access. This makes them no threat at all. – MDMarra – 2009-10-25T17:52:18.920

Physical access is what the name of the game is trying to dupe people into executing malware. It's possible, even probable, that some of the articles I've read were journalistically pumped-up. However, I'm also quite sure that there are currently teams of brilliant programmers at work trying to bring them into reality or fixing their shortcomings. My answer above was intended to motivate people to take some necessary precautions and be aware of the shortcomings of antivirus products. – harrymc – 2009-10-25T18:05:05.573

@harrymc - I meant a highly interactive process, not tricking a novice end user into running a single executable. Regardless, the claim that Blue Pill is undetectable is wrong, and the line where you say .exe based viruses are dead is also very, very wrong. Part of my job (which is in networking) is managing three McAfee EPO servers. I get all of the Avert bulletins and deal with the control of outbreaks when a serious threat pops up. Believe me when I say it's important to educate users about the possible threats, but almost everything in your post is blown way out of proportion – MDMarra – 2009-10-25T18:33:13.940

I didn't say exe viruses are dead, just that they are no longer the mainstream effort of virus writers. The mainstream is finding new infection vectors and hidey holes. And, yes, I blew things a bit out of proportion, as I always do when it's time to frighten new network administrators. – harrymc – 2009-10-25T18:40:02.337

Haha, well good luck with that practice. I prefer to give people new to the field accurate information when they are learning. To each his own – MDMarra – 2009-10-25T18:43:46.633

I started doing that after one told me that after 6 years there can be no more security weaknesses left in server 2003 ... Fear of the unknown is healthy. – harrymc – 2009-10-25T20:05:53.020

Being cautious of the unknown is always good. The details of the exploits mentioned in your answer are known though... – MDMarra – 2009-10-25T20:14:12.550

1

Yes, executables are the main target of viruses. Actually, all PE files (like sys, dll, etc.) could be the target of viruses.

Other targets are js files, autorun.inf, registry files, or even pdfs, htmls, pictures, and movies (because there are bugs in these file formats, or bugs in parsing these files), which could also be targets.

And there are some viruses that target firmware, like the BIOS, network interface card BIOS, etc.

Jichao

Posted 2009-10-25T08:38:22.883

Reputation: 5 245

0

There are a lot of viruses and worms that reside in scripts. The code within the virus won't appear to be malicious, but when combined with faulty software, they often can be used to inflict damage.

Andrew Keith

Posted 2009-10-25T08:38:22.883

Reputation: 356

0

There was a time when screen saver files were very harmful. But it's an EXE with a different extension, thus making people think SCR files can't be harmful.
I don't know about any other runnable extensions on Windows, so that's probably the reason why exes are the most virus-infested files.

James Black

Posted 2009-10-25T08:38:22.883


0

There is a whole class of viruses which can be attached to files which (while not executable in themselves) may have 'executable' content.

This applies to files containing macros (short for macroinstructions).

If you're using 'virus' in a generic sense, you may also include trojans

pavium

Posted 2009-10-25T08:38:22.883

Reputation: 5 956
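Three of the answers above make the same practical point from different angles: Jichao's (every PE file, whether sys, dll or exe, is a candidate), James Black's (an SCR is a PE with a different extension) and pavium's (documents that are not executables themselves can still carry executable macro content). The defensive consequence is to decide what a file can do from its bytes, not from its name. The following script is an added example, not code from any of the posters. It performs a minimal PE check (DOS "MZ" stub whose e_lfanew field points at a "PE\0\0" signature) and a minimal OOXML macro check (a zip container holding a vbaProject.bin part). All sample files are constructed in memory: header-only stubs, not real malware, with invented names such as funny.scr and holiday.jpg.

```python
import io
import struct
import zipfile

# --- content checks (the file extension is never consulted) ---

def is_pe_image(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature: an EXE, DLL, SYS or
    SCR image, whatever the file happens to be called."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):        # offset lands outside the file: malformed, not a PE
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML (zip) container that carries a
    vbaProject.bin part, i.e. an Office document with embedded macros."""
    if data[:4] != b"PK\x03\x04":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(data: bytes) -> str:
    """Label a file by what its bytes can do, not by its name."""
    if is_pe_image(data):
        return "PE executable"
    if has_vba_project(data):
        return "Office document with VBA macros"
    return "no executable content detected"


# --- constructed sample files (headers only; nothing here runs) ---

def make_pe_stub() -> bytes:
    """Minimal MZ header plus PE signature, enough to satisfy the magic check."""
    buf = bytearray(0x48)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def make_macro_docm() -> bytes:
    """OOXML container with a placeholder vbaProject.bin part."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder macro storage")
    return out.getvalue()


# Constructed names: the extension lies in two of the five cases.
SAMPLES = {
    "setup.exe":    make_pe_stub(),
    "funny.scr":    make_pe_stub(),      # screen saver: same PE format, different extension
    "holiday.jpg":  make_pe_stub(),      # PE renamed to look like a picture
    "invoice.docm": make_macro_docm(),
    "readme.txt":   b"plain text, nothing to run\n",
}


def classify_samples() -> dict:
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:14s} {label}")
```

The checks are deliberately shallow: they answer "is this a PE image" and "does this OOXML file carry a macro project", which is what a mail gateway or upload handler needs before deciding whether a file deserves deeper scanning, and they reject a malformed e_lfanew rather than reading past the end of the buffer. Legacy binary Office formats (.doc/.xls) store macros in an OLE compound file instead of a zip and are not covered here.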

0

Many viruses are indeed EXEs.

All system files from Windows are targets for viruses; this is why Windows lacks security.

Still, there is NO need to avoid opening any EXEs later on. But make sure you verify the source before opening one. Also, a good antivirus could make sure you open no viruses.

You cannot ensure yourself that you do not open a virus. This is why I mainly use a Mac; it is better protected against viruses because system files cannot easily be used to make viruses.

Hope I could help you.

Deniz Zoeteman

Posted 2009-10-25T08:38:22.883

Reputation: 1 001

To answer your question from another thread, about command line virus scanners, there are quite a few, F-Prot for example, or the one I have been using, the A-squared command line scanner (which is indeed one of the most efficient scanners in terms of speed and detection rate): http://www.emsisoft.com/en/software/cmd/

– None – 2009-12-29T16:57:14.287

I get that, but I want to state this again: that program was in no way a virus. Almost all, or all, antiviruses give false positives sometimes. The problem is just that it probably edits the registry (with 'edit' I mean removing certain is2010 trees). – Deniz Zoeteman – 2010-01-01T19:14:32.617