Page 1464 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

level, a hash is a number used to summarize the contents of a file. As long as the file stays the same, the hash will stay the same. If the file is modified, even slightly, the hash will change dramatically, indicating that the file has been modified. Unless the action seems explainable, for instance if it happens after the installation of new software, application of an operating system patch, or similar change, sudden changes in executable files may be a sign of malware infection.
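The hash-based integrity check described above, worked through as an added example that is not from the study guide: it baselines the hash and size of monitored executables, reports files that are modified, missing or new, shows that flipping a single bit still changes roughly half of the SHA-256 digest bits, and re-baselines a file once the change has been explained (for example by a patch). The monitored suffix list, the file names and the file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of executable types to monitor (constructed for this example).
MONITORED_SUFFIXES = (".exe", ".com", ".dll", ".sys")


def sha256_of_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash and size of every monitored executable under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in MONITORED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of_file(p),
                "size": p.stat().st_size,
            }
    return baseline


def check_integrity(root, baseline):
    """Compare the current tree with the baseline.

    Returns a list of (name, status, baseline_size, current_size) tuples,
    where status is "modified", "missing" or "new".
    """
    current = build_baseline(root)
    findings = []
    for name, rec in baseline.items():
        cur = current.get(name)
        if cur is None:
            findings.append((name, "missing", rec["size"], None))
        elif cur["sha256"] != rec["sha256"]:
            findings.append((name, "modified", rec["size"], cur["size"]))
    for name, cur in current.items():
        if name not in baseline:
            findings.append((name, "new", None, cur["size"]))
    return findings


def accept_changes(root, baseline, names):
    """After an explainable change (patch, install), re-baseline only the named files."""
    current = build_baseline(root)
    updated = dict(baseline)
    for name in names:
        if name in current:
            updated[name] = current[name]
        else:
            updated.pop(name, None)
    return updated


def bit_difference_fraction(hex_a, hex_b):
    """Fraction of digest bits that differ between two equal-length hex digests."""
    diff = int(hex_a, 16) ^ int(hex_b, 16)
    return bin(diff).count("1") / (len(hex_a) * 4)


def demo():
    """Run the whole cycle on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample "executables": arbitrary filler bytes, not real programs.
        (root / "command.com").write_bytes(b"\x00\x01\x02\x03\x04" * 200)  # 1000 bytes
        (root / "editor.exe").write_bytes(b"MZ" + b"\x90" * 3000)          # 3002 bytes
        (root / "readme.txt").write_bytes(b"not monitored")                 # ignored
        baseline = build_baseline(root)

        # 1) Unexplained growth of an executable by 2,048 bytes.
        with open(root / "command.com", "ab") as f:
            f.write(b"\x00" * 2048)
        # 2) A single flipped bit in another file: the hash still changes dramatically.
        data = bytearray((root / "editor.exe").read_bytes())
        data[100] ^= 0x01
        (root / "editor.exe").write_bytes(data)

        findings = check_integrity(root, baseline)
        frac = bit_difference_fraction(baseline["editor.exe"]["sha256"],
                                       sha256_of_file(root / "editor.exe"))

        # 3) The command.com change is explained by a known patch: accept it and recheck.
        baseline = accept_changes(root, baseline, ["command.com"])
        remaining = check_integrity(root, baseline)
        return findings, frac, remaining


if __name__ == "__main__":
    found, fraction, left = demo()
    for item in found:
        print("finding:", item)
    print(f"one flipped input bit changed {fraction:.1%} of the digest bits")
    print("after accepting the patched file:", left)
```

In practice the baseline would be stored off-host or signed, so that malware which can alter the executables cannot also alter the record it is compared against.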


Virus Technologies

As virus detection and eradication technology rises to meet new threats programmed by malicious developers, new kinds of viruses designed to defeat those systems emerge. This section examines four specific types of viruses that use sneaky techniques in an attempt to escape detection—multipartite viruses, stealth viruses, polymorphic viruses, and encrypted viruses.

Multipartite Viruses Multipartite viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other. For example, the Marzia virus discovered in 1993 infects critical COM and EXE files, most notably the command.com system file, by adding 2,048 bytes of malicious code to each file. This characteristic qualifies it as a file infector virus. In addition, two hours after it infects a system, it writes malicious code to the system’s master boot record, qualifying it as a boot sector virus.

Stealth Viruses Stealth viruses hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally. For example, a stealth boot sector virus might overwrite the system’s master boot record with malicious code but then also modify the operating system’s file access functionality to cover its tracks. When the antivirus package requests a copy of the MBR, the modified operating system code provides it with exactly what the antivirus package expects to see—a clean version of the MBR free of any virus signatures. However, when the system boots, it reads the infected MBR and loads the virus into memory.

Polymorphic Viruses Polymorphic viruses actually modify their