
What are the network threats: we disassemble in order. Trouble-shooting

Malicious software (malware) means any program created and used to carry out unauthorized and usually harmful actions. The term covers viruses, worms, Trojans, keyloggers and other password-stealing programs, macro viruses, boot sector viruses, script viruses, rogue software, spyware and adware. Unfortunately, this is far from a complete list, and it grows every year with new kinds of malicious programs, which in this article we will often refer to by the common word "viruses".

The motives for writing viruses vary: from a simple desire to test one's programming skills to a desire to cause harm or obtain illegal income. Some viruses do almost no damage and only slow the machine down by replicating, filling up the hard disk or producing graphic, sound and other effects. Others are very dangerous and lead to the loss of programs and data, the erasure of system areas of memory and disk, and even a machine that no longer boots.

VIRUS CLASSIFICATION

At present there is no single accepted classification of viruses, although there are established criteria for grouping them.

Virus habitat

Malware is first of all divided by habitat, that is, by the objects it infects. The most common type is the file virus, which infects executable files and is activated every time the infected file is launched. It is no accident that some mail services (Gmail, for example) refuse to send messages with executable attachments (.EXE files): this protects the recipient from receiving an infected file. Once such a file reaches a computer over the network or on removable media, the virus code runs as soon as the infected file is launched and performs the actions it was written for.

This does not mean that every executable file is a virus (installers also have the .exe extension), or that viruses only come as .exe files. They can have the .inf or .msi extension, have no extension at all, or be attached to existing documents (infecting them).

The next type of virus has its own distinctive feature: it writes itself into the boot areas of disks or into the sectors holding the boot loader. Such viruses, as a rule, are activated when the operating system is loaded and are called boot sector viruses.

Macro viruses infect document files, both text documents and spreadsheets, and are written in the macro languages built into the applications that open them. Most viruses of this type are written for the popular text editor MS Word.

Finally, network and script viruses use network protocols and scripting-language commands to multiply. Recently this type of threat has become very widespread: for example, cybercriminals often infect computers through vulnerabilities in the handling of JavaScript, which almost every website uses.

Virus algorithms

Another criterion for separating malicious programs is the algorithm of their work and the technologies used in it. In general, all viruses can be divided into two types, resident and non-resident. Resident viruses load themselves into the computer's RAM and stay active until it is turned off or rebooted. Non-resident viruses do not infect memory and are active only at a certain moment, usually while the infected program is running.

Companion (satellite) viruses do not modify executable files but create copies of them with the same name and a different extension that the command interpreter tries first. For example, when a user types xxx without an extension, xxx.COM is launched before xxx.EXE, because the DOS and Windows command interpreters search the extensions in the order .COM, .EXE, .BAT (in Windows this order is held in the PATHEXT variable); this is a property of the command interpreter, not of the file system. Thus the malicious code runs first, and only then the original program.
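The extension search order described above, as an added example that is not part of the original article: a function that resolves which file a bare command name launches under the default cmd.exe PATHEXT order, and a check that lists same-name pairs such as .COM beside .EXE, which is exactly the trace a companion virus leaves behind. The directory listing is constructed for the example.

```python
# Added example (not from the original article): how the command interpreter's
# extension search order lets a companion file run instead of the real program,
# and a check that lists such pairs in a directory listing.
from collections import defaultdict

# Default search order of Windows cmd.exe (the PATHEXT variable); DOS's
# COMMAND.COM used the same .COM -> .EXE -> .BAT order.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")


def resolve_command(name, files, pathext=DEFAULT_PATHEXT):
    """Return the file that 'name' (typed without an extension) would launch,
    given a case-insensitive directory listing, or None if nothing matches."""
    lookup = {f.upper(): f for f in files}
    for ext in pathext:
        candidate = lookup.get(name.upper() + ext)
        if candidate is not None:
            return candidate
    return None


def find_companion_pairs(files, pathext=DEFAULT_PATHEXT):
    """List (shadowing file, shadowed file) pairs: two executables with the same
    base name where the first is tried before the second. Such a pair is not
    proof of infection, but it is what a companion virus leaves behind."""
    by_base = defaultdict(dict)
    for f in files:
        upper = f.upper()
        for ext in pathext:
            if upper.endswith(ext):
                by_base[upper[: -len(ext)]][ext] = f
                break
    pairs = []
    for variants in by_base.values():
        present = [variants[ext] for ext in pathext if ext in variants]
        for shadowed in present[1:]:
            pairs.append((present[0], shadowed))
    return pairs


# Constructed directory listing: notepad.exe has acquired a NOTEPAD.COM twin.
SAMPLE_LISTING = ["notepad.exe", "NOTEPAD.COM", "calc.exe", "backup.bat", "readme.txt"]

if __name__ == "__main__":
    print(resolve_command("notepad", SAMPLE_LISTING))  # NOTEPAD.COM, not notepad.exe
    print(find_companion_pairs(SAMPLE_LISTING))
```

Running it over a real directory (os.listdir of a PATH entry) turns the check into a quick audit; a pair where the .COM file is tiny and the .EXE is the known program is the classic pattern.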

Worms spread on their own through directories on hard drives and across computer networks by creating copies of themselves there. Exploiting vulnerabilities and administrative mistakes in software lets worms spread completely autonomously, selecting and attacking users' machines automatically.

Stealth (invisible) viruses try to hide their presence in the OS partially or completely. To do this, they intercept the operating system's accesses to infected files and disk sectors and return uninfected data instead, which greatly complicates detection.

Ghost viruses (polymorphic or self-encrypting viruses) keep their body encrypted, so that no two copies of the same virus share the same code. This makes detecting them much harder, and so the technique is used by many malware families; an antivirus has to emulate or unpack the decryption routine before it can compare the body against a signature.
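A toy model of the self-encryption just described, added here as an example and not taken from the article or any real malware: the "body" is a constructed text string, the cipher is a single-byte XOR, and the point is to show why a byte signature taken from the plain body misses every encrypted copy while a scanner that first runs the decryptor still recognises it.

```python
# Added example (not from the article): a toy model of a self-encrypting
# ("polymorphic") body and why a fixed byte signature stops matching it.
import os

# Constructed stand-in for a malicious body; a real one would be machine code.
PAYLOAD = b"VIRUS-BODY: copy self into every .exe in this directory"

# The signature an antivirus might extract from the plain body.
SIGNATURE = b"copy self into every .exe"


def xor_encode(body, key):
    """Encrypt the body with a single-byte XOR key; the key is stored in front
    so the (unchanging) decryptor stub can recover the body at run time."""
    if not 0 <= key <= 255:
        raise ValueError("key must fit in one byte")
    return bytes([key]) + bytes(b ^ key for b in body)


def xor_decode(blob):
    """What the decryptor stub does before the body runs."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def make_copy(body=PAYLOAD, key=None):
    """Produce one 'generation' with a fresh key (random unless given)."""
    if key is None:
        key = os.urandom(1)[0]
    return xor_encode(body, key)


def signature_hits(sample, signature=SIGNATURE):
    """Static scan: does the signature occur literally in the bytes on disk?"""
    return signature in sample


def emulated_scan(sample, signature=SIGNATURE):
    """What a scanner with an emulator/unpacker does: run the decryptor,
    then apply the signature to the recovered body."""
    return signature in xor_decode(sample)


if __name__ == "__main__":
    a, b = make_copy(key=0x41), make_copy(key=0xC3)
    print(a == b)             # False: with different keys no encrypted byte matches
    print(signature_hits(a))  # False: the static signature misses the copy
    print(emulated_scan(a))   # True: after decryption the body is recognised
```

The one thing that stays constant across generations here is the decryptor itself (xor_decode); real polymorphic engines mutate that stub too, which is why behavioural detection (discussed later in this article) matters as much as signatures.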

Rootkits allow attackers to hide their traces in a compromised operating system. These kinds of programs are engaged in hiding malicious files and processes, as well as their own presence in the system.

Additional functionality

Many malicious programs contain additional functionality that not only makes them harder to detect on the system, but also lets attackers control your computer and collect the data they want. Such programs include backdoors, keyloggers, spyware, bot clients that join the machine to a botnet, and others.

Affected operating systems

Different viruses may be written for specific operating systems, platforms and environments (Windows, Linux, Unix, OS/2, DOS). Naturally, the vast majority of malware targets the world's most popular system, Windows. At the same time, some threats work only in Windows 95/98, some only in Windows NT, and some only in 32-bit environments, leaving 64-bit platforms alone.

SOURCES OF THREATS

One of the primary tasks of cybercriminals is to find a way to deliver an infected file to your computer and get it to run there. If your computer is not connected to a network and does not exchange data with other computers via removable media, it is almost certainly safe from computer viruses. The main sources of viruses are:

  • A floppy disk, CD/DVD, flash card or any other removable medium containing infected files;
  • A hard disk that picked up a virus from running infected programs;
  • Any computer network, including a local area network;
  • E-mail and messaging systems;
  • The global Internet.

TYPES OF COMPUTER THREATS

It is probably no secret that today the main source of viruses is the global network. What types of threats can an ordinary Internet user face?

  • Cybervandalism. Distribution of malware in order to damage user data and disable the computer.
  • Fraud. Distribution of malware to generate illegal income. Most programs used for this purpose collect confidential information and use it to steal money from users.
  • Hacker attacks. Breaking into individual computers or whole networks in order to steal confidential data or install malware.
  • Phishing. Creation of fake sites that copy existing ones (for example, a bank's site) in order to steal confidential data when users visit them.
  • Spam. Anonymous bulk e-mail that clogs users' inboxes. As a rule, it advertises goods and services, and is also used for phishing.
  • Adware. Distribution of software that displays ads on your computer or redirects searches to paid (often pornographic) websites. It is often bundled with free or shareware programs and installed without the user's knowledge.
  • Botnets. Zombie networks of computers infected with a Trojan (possibly including your PC), controlled by one owner and used for their purposes, for example to send spam.

SYMPTOMS OF A COMPUTER INFECTION

It is very important to detect a virus that has entered your computer at an early stage. Until it has had time to multiply and deploy its defences against detection, the chances of removing it without consequences are high. You can establish the presence of a virus yourself if you know the early signs of infection:

  • A reduction in the amount of free RAM;
  • A marked slowdown in the loading and operation of the computer;
  • Unexplained changes in files, including changes in their size and modification date;
  • Errors when loading the operating system and during its operation;
  • Inability to save files in specific folders;
  • Unexplained system messages, music and visual effects.

If you find that some files have disappeared or cannot be opened, the operating system will not load, or the hard disk has been formatted, then the virus has entered an active phase and a simple scan with an antivirus program will not get rid of it. You may have to reinstall the operating system, or run disinfection tools from an emergency boot disk, since the antivirus installed on the computer has probably been disabled: the malware may have modified or blocked it.

However, even if you manage to remove the infected objects, it is often impossible to restore the system to normal operation, since important system files may be irretrievably lost. Remember, too, that your own data may be at risk of destruction, whether photos, documents or a music collection.

To avoid all these troubles, you must constantly monitor the anti-virus protection of your computer, as well as know and follow the basic rules of information security.

ANTI-VIRUS PROTECTION

To detect and neutralize viruses, special programs called antivirus programs, or antiviruses, are used. They block unauthorized access to your information from outside, prevent infection with computer viruses and, where necessary, eliminate the consequences of an infection.

Antivirus protection technologies

Let us now look at the technologies used for antivirus protection. Which of them are present in a particular antivirus package depends on how the product is positioned on the market and affects its final price.

File antivirus. A component that monitors the computer's file system. It checks every file that is opened, launched or saved. If a known virus is found, as a rule you are offered to disinfect the file; if for some reason this is not possible, the file is deleted or moved to quarantine.

Mail antivirus. Provides protection of incoming and outgoing mail and checks it for dangerous objects.

Web antivirus. Scans traffic transmitted over HTTP to protect your browser, and monitors the scripts that run, including JavaScript and VBScript, for malicious code. Note that HTTPS traffic can only be inspected if the antivirus intercepts TLS connections on the machine, which is a trade-off in its own right.

IM antivirus. Responsible for safe use of instant messengers (ICQ, MSN, Jabber, QIP, Mail.Ru Agent and others); checks and protects information received over their protocols.

Application control. This component records the actions of programs running in your operating system and regulates their activity according to established rules, which govern each program's access to system resources.

Firewall. Ensures the security of your work in local networks and on the Internet, watching incoming traffic for activity typical of network attacks that exploit vulnerabilities in the operating system and software. All network connections are subject to rules that allow or deny particular actions based on the analysis of connection parameters.

Proactive defence. This component identifies dangerous software by analysing its behaviour in the system. Suspicious behaviour includes activity typical of Trojans: writing to autorun keys in the system registry, copying itself to various areas of the file system, intercepting keyboard input, injecting code into other processes, and so on. In this way the computer is protected not only from already known viruses but also from new ones that have not yet been analysed, at the cost of occasional false alarms on legitimate programs that do similar things (installers, backup tools).
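The behaviour analysis described above, as an added example rather than code from the article or any antivirus product: a small rule-based scorer that reads process events of the kind a system monitor produces, assigns weights to the behaviours named in the paragraph and flags a process once its score crosses a threshold. The event line format, the weights, the threshold and the sample events are all constructed for this example; the API names in the events (SetWindowsHookEx, WriteProcessMemory, CreateRemoteThread) are real Windows functions, but the log format is not any product's.

```python
# Added example (not part of the article): a minimal behaviour-based detector
# of the kind a "proactive defence" component implements. It scores a process
# by what it does, not by what its file looks like. Event format, weights and
# sample events are constructed for this example.
import re
from collections import defaultdict

# Each rule: (name, weight, predicate over a parsed event)
RULES = [
    ("autorun_persistence", 3,
     lambda e: e["op"] == "RegSetValue"
               and "\\CurrentVersion\\Run" in e.get("target", "")),
    ("self_copy_to_system_dir", 3,
     lambda e: e["op"] == "FileWrite"
               and e.get("target", "").lower().startswith("c:\\windows\\")
               and e.get("target", "").lower().endswith(e["proc"].lower())),
    ("keyboard_hook", 4,
     lambda e: e["op"] == "SetWindowsHookEx"
               and e.get("target") == "WH_KEYBOARD_LL"),
    ("remote_thread_injection", 5,
     lambda e: e["op"] in ("WriteProcessMemory", "CreateRemoteThread")
               and e.get("target", "") not in ("", e["proc"])),
]
BLOCK_THRESHOLD = 8   # assumed: a single rule never blocks, a combination does

EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn 'pid=1 proc=x.exe op=FileWrite target="..."' into a dict."""
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def score_events(lines):
    """Return {proc: (score, [names of rules that fired])}; each rule counts once."""
    result = defaultdict(lambda: [0, []])
    for line in lines:
        e = parse_event(line)
        for name, weight, pred in RULES:
            if pred(e) and name not in result[e["proc"]][1]:
                result[e["proc"]][0] += weight
                result[e["proc"]][1].append(name)
    return {p: (s, r) for p, (s, r) in result.items()}


def verdicts(lines, threshold=BLOCK_THRESHOLD):
    """{proc: True if the process should be blocked}"""
    return {p: s >= threshold for p, (s, _) in score_events(lines).items()}


# Constructed events: one process behaving like a keylogger that persists and
# injects into explorer.exe, and one ordinary installer that only adds a Run key.
SAMPLE_EVENTS = [
    'pid=4120 proc=svchostt.exe op=FileWrite target="C:\\Windows\\svchostt.exe"',
    'pid=4120 proc=svchostt.exe op=RegSetValue target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update"',
    'pid=4120 proc=svchostt.exe op=SetWindowsHookEx target=WH_KEYBOARD_LL',
    'pid=4120 proc=svchostt.exe op=WriteProcessMemory target=explorer.exe',
    'pid=880 proc=setup.exe op=RegSetValue target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp"',
    'pid=880 proc=setup.exe op=FileWrite target="C:\\Program Files\\MyApp\\app.exe"',
]

if __name__ == "__main__":
    for proc, (score, fired) in score_events(SAMPLE_EVENTS).items():
        print(proc, score, fired)
    print(verdicts(SAMPLE_EVENTS))   # svchostt.exe blocked, setup.exe allowed
```

The installer scores on the autorun rule alone and stays under the threshold, which is the false-positive trade-off mentioned above: weighting combinations of behaviours, rather than any single action, is what keeps legitimate software from being blocked.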

Anti-Spam. Filters all incoming and outgoing mail for unwanted messages (spam) and sorts it according to the user's settings.

Anti-Spy. A component designed to combat online fraud. It protects against phishing attacks, backdoors, downloaders, exploits, password crackers, data hijackers, keyboard interceptors and rogue proxy servers, automatic diallers to premium-rate websites, joke programs, adware and annoying banners.

Parental control. A component that lets you restrict access to the computer and to the Internet. With it you can control the launch of programs, Internet use and visits to websites depending on their content, and much more, protecting children and adolescents from the negative effects of working on a computer.

Safe environment, or sandbox. An isolated virtual space with restricted access to system resources. It provides safe work with applications, documents and Internet resources, including online banking sites, where security when entering confidential data is especially important. It also lets you run untrusted applications inside it without the risk of infecting the system.

Basic rules of anti-virus protection

Strictly speaking, there is no universal way to fight viruses. Even if your computer has the most modern antivirus software, that by no means guarantees that the system will not be infected: viruses appear first, and the cure for them only afterwards. Although many modern antivirus solutions can detect unknown threats, their algorithms are imperfect and do not give 100% protection. But if you follow the basic rules of antivirus protection, you can significantly reduce the risk of infecting your computer and losing important information.

  • Your operating system should have a good antivirus program installed and regularly updated.
  • The most valuable data should be backed up, and the backup kept somewhere the running machine cannot reach (an external disk that is disconnected after the backup, or an offline copy), so that malware which destroys files cannot destroy the backup too.
  • Divide your hard drive into several partitions and keep important information off the system partition on which the OS is installed, since that partition is the main target of attackers. Note that this makes reinstalling the OS easier but does not by itself protect the data: malware running on the machine can reach every partition.
  • Do not visit websites with questionable content, especially those involved in the illegal distribution of content, keys and key generators for paid programs. As a rule, alongside the free "goodies" there is a huge number of malicious programs of all kinds.
  • When using e-mail, do not open or run attachments in messages from unknown senders.
  • Users of instant messengers (QIP, ICQ) should likewise avoid downloading files and clicking on links sent by unfamiliar contacts.
  • Social network users should be doubly careful. Recently they have become the main targets of fraudsters, who devise numerous schemes to steal users' money. A request to enter your confidential data in a dubious message should alert you immediately.

CONCLUSION

We think that after reading this material you understand how important it is to take the security of your computer seriously and protect it from intruders and malicious programs.
At the moment there are a huge number of companies developing antivirus software, and, as you can imagine, it is easy to get confused when choosing. But this is a crucial decision, since it is the antivirus that is the wall protecting your system from the stream of infections pouring in from the network, and if that wall is full of gaps there is no sense in it.

To make it easier for ordinary users to choose the right protection for their PC, on our portal we test the most popular antivirus solutions and examine their capabilities and user interface. The latest review is available now, and a new overview of the newest products in this area is coming soon.

Router manufacturers often do not care much about code quality, so vulnerabilities are not uncommon. Today routers are a primary target of network attacks, which allow money and data to be stolen while bypassing the security software on the computers behind them. How can you check the quality of the firmware and the adequacy of the settings yourself? Free utilities, online checking services and this article will help.

Consumer-grade routers have always been criticized for unreliability, but a high price tag does not guarantee high security either. Last December, Check Point specialists found over 12 million routers (including top models) and DSL modems that could be hacked because of a vulnerability in the auto-configuration mechanism (the bug Check Point named Misfortune Cookie). This mechanism is widely used for quick provisioning of customer premises equipment (CPE). For the past ten years providers have used the CPE WAN Management Protocol (CWMP) for this: the TR-069 specification allows settings to be pushed and services connected through an Auto Configuration Server (ACS). Check Point found that many routers mishandle CWMP requests, and providers make matters worse: most of them do not encrypt the connection between the ACS and the customer's equipment and do not restrict access by IP or MAC address. Together, this sets up an easy man-in-the-middle attack.

Through a vulnerable CWMP implementation an attacker can do almost anything: read and set configuration parameters, reset settings to defaults and reboot the device remotely. The most common attack is to change the DNS server addresses in the router settings to servers controlled by the attacker. These filter web requests and redirect those addressed to banking services to fake pages. Fake pages have been created for all the popular payment systems: PayPal, Visa, MasterCard, QIWI and others.

The peculiarity of such an attack is that the browser runs in a clean OS and sends a request to the correctly typed address of the real payment system. Checking the computer's network settings and scanning it for viruses reveal nothing. Moreover, the effect persists if you connect to the payment system through the compromised router from another browser or even from another device on your home network.

Since most people rarely check their router's settings (or leave that to the provider's technicians), the problem goes unnoticed for a long time. Usually it is discovered by elimination, after money has been stolen from accounts and a check of the computer has found nothing.

To reach a router's CWMP implementation, an attacker uses one of the common vulnerabilities typical of entry-level network devices. For example, many of them contain the third-party RomPager web server by Allegro Software. Years ago a bug was found in its handling of cookies and promptly fixed, but the problem remains to this day. Since the web server is part of the firmware, it cannot be updated on all devices at once: each manufacturer had to release new firmware for hundreds of models already on sale and persuade their owners to install it as soon as possible. As practice shows, hardly any home users did so. So the number of vulnerable devices runs into the millions even ten years after the fix was released. Worse, some manufacturers continued to build the old vulnerable version of RomPager into their firmware.

Besides routers, the vulnerability affects VoIP phones, network cameras and other equipment that allows remote configuration via CWMP. Port 7547 is normally used for this. You can check its status from outside with Steve Gibson's free ShieldsUP! service: open grc.com and append /x/portprobe=7547 to the URL.

The screenshot shows only a positive result. A negative result does not yet guarantee that the vulnerability is absent; to rule it out you need a proper penetration test, for example with the Nexpose scanner or the Metasploit framework. The developers themselves are often unable to say which version of RomPager a particular firmware release uses, or whether it is present at all. The only firmware that certainly does not contain it is the alternative open-source firmware (discussed further below).

Registering a secure DNS

It is a good idea to check your router's settings more often and to enter alternative DNS server addresses by hand right away. Here are some that are available for free:

  • Comodo Secure DNS: 8.26.56.26 and 8.20.247.20
  • Norton ConnectSafe: 199.85.126.10, 199.85.127.10 (this service has since been discontinued)
  • Google Public DNS: 8.8.8.8, and 2001:4860:4860::8888 for IPv6
  • OpenDNS: 208.67.222.222, 208.67.220.220

Comodo, Norton and OpenDNS block only known malicious and phishing sites, without restricting access to adult resources; Google Public DNS does no filtering at all and is listed simply as a well-known resolver outside the router's control. Whichever you choose, the point is that the addresses are ones you entered, not ones an attacker wrote into the router.

Unplug and pray

There are other well-known problems that owners of network devices, or (less often) their manufacturers, do not want to fix. Two years ago DefenseCode experts found a whole set of vulnerabilities in routers and other active network equipment from nine of the largest vendors. All of them stem from incorrect implementation of key components, in particular the UPnP stack in firmware for Broadcom chips and old versions of the open-source libupnp library. Together with Rapid7 and CERT specialists, DefenseCode identified about seven thousand vulnerable device models. Over half a year of scanning a random range of IPv4 addresses, over 80 million hosts were found that answered a standard UPnP discovery request on their WAN port. One in five of them exposed the SOAP service, and 23 million allowed arbitrary code execution without authorization. In most cases the attack on such a UPnP hole is carried out through a modified SOAP request that triggers a memory corruption bug in the parser, so that the attacker's data ends up being executed with superuser rights.

On home routers it is better to disable UPnP altogether and make sure requests to port 1900 are blocked; the same service from Steve Gibson will help check this. UPnP (Universal Plug and Play) is enabled by default on most routers, network printers, IP cameras, NAS devices and overly smart home appliances, and support for it is built into Windows, OS X and many Linux distributions. If its use can be fine-tuned, that is only half the trouble; if only "enable" and "disable" are available, choose the latter.

Sometimes manufacturers deliberately build backdoors into network equipment. Most likely this happens at the behest of the security services, but when a scandal breaks the official replies always mention "technical necessity" or a "proprietary service to improve the quality of communication". Embedded backdoors have been found in some Linksys and Netgear routers: they opened port 32764 to receive remote commands. Since this number does not correspond to any well-known service, the problem is easy to spot, for example with an external port scanner.
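The port checks recommended above (7547 for TR-069, 1900 for UPnP, 32764 for the vendor backdoor, plus 23 for Telnet mentioned later), collected into one script as an added example that is not part of the article. It probes the router from the LAN side: a port that is closed here says nothing about the WAN side, which is why the text sends you to an external service for that, but a port that is open here is worth looking into. The gateway address is an assumption; the SSDP request follows the M-SEARCH format that UPnP devices answer.

```python
# Added example (not from the article): probe a router from the LAN side for
# the management ports the text discusses. Host and port list are assumptions.
import socket

# TCP ports discussed in the text, with what normally listens there.
SUSPECT_TCP_PORTS = {
    23:    "Telnet remote management",
    7547:  "TR-069 / CWMP connection-request port",
    32764: "undocumented vendor backdoor seen on some Linksys/Netgear models",
}


def probe_tcp(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes, i.e. something listens."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_tcp(host, ports=SUSPECT_TCP_PORTS, timeout=1.0):
    """Return {port: description} for every listed port that accepts connections."""
    return {p: desc for p, desc in ports.items() if probe_tcp(host, p, timeout)}


def ssdp_msearch(host, timeout=2.0):
    """Send a UPnP discovery (SSDP M-SEARCH) to the host on UDP/1900 and return
    the raw reply, or None if it does not answer. A reply means UPnP is on."""
    request = (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 1\r\n"
        "ST: upnp:rootdevice\r\n\r\n"
    ).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 1900))
        try:
            data, _ = s.recvfrom(4096)
            return data.decode(errors="replace")
        except socket.timeout:
            return None


if __name__ == "__main__":
    router = "192.168.1.1"   # assumed LAN address of the gateway; adjust to yours
    for port, desc in scan_tcp(router).items():
        print(f"open {port}/tcp: {desc}")
    reply = ssdp_msearch(router)
    print("UPnP answers on 1900/udp" if reply else "no SSDP reply (UPnP off or filtered)")
```

An SSDP reply carries a LOCATION header pointing at the device description XML; if that URL is reachable, the SOAP control endpoints the DefenseCode research targeted are exposed to anything on your LAN, including a compromised PC or phone.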

INFO

Another way to audit your home network for free is to download and run Avast antivirus: its newer versions include a network check wizard that identifies known vulnerabilities and dangerous network settings.

Silences are for the lambs

The most common weakness in router security is still the factory settings: not only the internal IP address, admin login and password shared by a whole series of devices, but also services enabled for convenience at the expense of security. Besides UPnP, the Telnet remote management protocol and Wi-Fi Protected Setup (WPS) are often on by default.

Critical errors are often found in the handling of Telnet requests. For example, the D-Link DIR-300 and DIR-600 series routers allowed a remote shell and execution of any command through the telnetd daemon without any authorization. On the Linksys E1500 and E2500, command injection through the ordinary ping function was possible: the ping_size parameter was not validated, and a single GET request could drop a backdoor onto the router. On the E1500 no further tricks with authorization were needed at all, as a new password could simply be set without entering the current one. A similar problem was found in the Netgear SPH200D VoIP phone; analysis of its firmware also showed an active hidden service account with the same password.

With Shodan you can find a vulnerable router in a couple of minutes; such devices still allow any setting to be changed remotely without authorization. One could abuse this immediately, or do a good deed instead: find the unfortunate owner on Skype (by IP or name) and send them a couple of recommendations, such as changing the firmware and reading this article.

Supercluster of massive holes

Trouble rarely comes alone: activating WPS automatically turns on UPnP. Moreover, the standard PIN or pre-shared key used by WPS negates all the cryptographic protection of WPA2-PSK: the 8-digit PIN is verified in two halves, so it can be guessed in at most about 11,000 attempts instead of 10^8, after which the router hands over the WPA2 passphrase. Because of firmware errors, WPS often remains enabled even after it has been turned off in the web interface; you can check this with a Wi-Fi scanner, for example the free Wifi Analyzer app for Android.

If the administrator uses a vulnerable service himself, giving it up will not work. It is good if the router lets you secure it somehow, for example by not accepting commands on the WAN port or by allowing Telnet only from a specific IP address. Sometimes there is simply no way to configure or disable a dangerous service in the web interface, and the hole cannot be closed by standard means. The only way out in that case is to look for new or alternative firmware with an extended set of functions.

Alternative services

The most popular open-source firmwares are DD-WRT, OpenWRT and its fork Gargoyle. They can only be installed on routers from the supported list, that is, those for which the chipset manufacturer has disclosed full specifications. Asus, for example, has a separate series of routers designed with DD-WRT in mind from the outset (bit.ly/1xfIUSf); it already includes twelve models from entry to corporate level. MikroTik routers run RouterOS, which is no less flexible than the *WRT family: it too is a full-fledged network operating system based on the Linux kernel that supports practically every service and any conceivable configuration. Alternative firmware can now be installed on many routers, but be careful and check the full name of the device: routers with the same model number and appearance can have different hardware revisions hiding entirely different hardware platforms, and flashing an image built for the wrong revision can leave the device unusable.

Security check

OpenSSL vulnerability testing can be done with Rapid7's free ScanNow utility (bit.ly/18g9TSf) or its simplified online version (bit.ly/1xhVhrM). The online check takes a few seconds; the standalone program lets you set a range of IP addresses, so the test takes longer. Incidentally, the registration fields of the ScanNow utility are not validated in any way.

After the check a report is shown, and you are invited to try Rapid7's more advanced Nexpose vulnerability scanner, which targets corporate networks. It is available for Windows, Linux and VMware. Depending on the edition, the free trial is limited to 7 to 14 days, and restrictions apply to the number of IP addresses and the scan scope.

Unfortunately, installing alternative open-source firmware is only a way to improve protection; it does not provide complete security. All firmware is built from modules and combines a number of key components, and when a problem is found in one of them it affects millions of devices. For example, a vulnerability in the open-source OpenSSL library also affected routers running *WRT: its cryptographic functions are used to encrypt remote SSH sessions, set up VPNs, run the local web interface and other common tasks. Manufacturers began releasing updates fairly quickly, but the problem has still not been fully resolved.

New router vulnerabilities are found all the time, and some are exploited before a fix is released. All the owner of a router can do is turn off unnecessary services, change the default parameters, restrict remote management, check the settings more often and update the firmware.

For some reason, thinking about network security is considered the prerogative of large companies such as Badoo, Google, Yandex or Telegram, which openly announce bug-hunting contests and raise the security of their products, web applications and network infrastructure by every means. Meanwhile, the overwhelming majority of existing web systems contain "holes" of one kind or another (according to a 2012 study by Positive Technologies, 90% of systems contain medium-risk vulnerabilities).

What is a network threat or network vulnerability?

The WASC (Web Application Security Consortium) has identified several base classes, each containing several groups, for a total of 50 common vulnerabilities whose exploitation could harm a company. The full classification is published as the WASC Threat Classification v2.0; in Russian there is a translation of the previous version by InfoSecurity, "Classification of Web Application Security Threats", which is used here as the basis and significantly supplemented.

Main groups of site security threats

Insufficient authorization when accessing resources

This group includes attacks based on Brute Force, Abuse of Functionality and Predictable Resource Location. The main difference from insufficient authentication is that here the rights (or capabilities) of an already authenticated user are not checked sufficiently: for example, an ordinary logged-in user can obtain administrator rights simply by knowing the address of the control panel if access rights are not verified on it.

Such attacks can be effectively countered only at the level of application logic. Some (for example, overly frequent brute-force attempts) can also be blocked at the network infrastructure level.
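The application-logic counter-measure to brute force mentioned above, as an added example rather than code from the article: a sliding-window throttle that counts recent failed logins both per account and per client address, so that neither hammering one account nor spraying one password across many accounts gets unlimited tries. The limits, window and the check_password callback are assumptions.

```python
# Added example (not from the article): throttling login attempts at the
# application level. Limits are assumptions; check_password is supplied by the
# application. time.monotonic is injectable so the behaviour can be tested.
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, per_account=5, per_ip=20, window=300, clock=time.monotonic):
        self.per_account = per_account  # failures per account within the window
        self.per_ip = per_ip            # failures per client address within the window
        self.window = window            # seconds
        self.clock = clock
        self._fails = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self._fails[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def allowed(self, account, ip):
        now = self.clock()
        return (self._recent(("acct", account), now) < self.per_account
                and self._recent(("ip", ip), now) < self.per_ip)

    def record_failure(self, account, ip):
        now = self.clock()
        self._fails[("acct", account)].append(now)
        self._fails[("ip", ip)].append(now)

    def record_success(self, account):
        # A correct login clears the account's counter; the IP counter is kept
        # so a spray attack does not reset itself by logging into its own account.
        self._fails.pop(("acct", account), None)


def attempt_login(throttle, check_password, account, ip, password):
    """Return 'locked', 'ok' or 'bad'. The password check runs only when the
    throttle allows it, so a throttled attacker learns nothing from the reply."""
    if not throttle.allowed(account, ip):
        return "locked"
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, ip)
    return "bad"
```

Counting per account alone would let an attacker lock a victim out on purpose; a sliding window that expires on its own, combined with a per-address limit, keeps that nuisance bounded while still making online guessing impractically slow.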

Insufficient authentication

This covers attacks that exploit the ease of guessing access credentials or errors in checking access to the system. Besides Brute Force, the group includes Credential and Session Prediction and Session Fixation.

Protection against this group of attacks presupposes a set of requirements for a reliable user authentication system.

Client-side attacks

This includes all techniques that modify the content of a website without any interaction with the server serving the requests, that is, the threat is realised in the user's browser (though usually the browser itself is not the weak link: the problem lies in insufficient filtering of content on the server side) or in an intermediate caching server. Attack types: Content Spoofing, Cross-Site Scripting (XSS), URL Redirector Abuse, Cross-Site Request Forgery, HTTP Response Splitting, HTTP Response Smuggling, Routing Detour, HTTP Request Splitting and HTTP Request Smuggling.

A significant part of these threats can be blocked at the level of server configuration, but web applications must also carefully filter both incoming data and the responses they send to users.

Code execution

Code execution attacks are the classic way of compromising a site through vulnerabilities: by sending a specially prepared request to the server, an attacker executes his own code and gains access to the hosting where the site lives. Attacks: Buffer Overflow, Format String, Integer Overflows, LDAP Injection, Mail Command Injection, Null Byte Injection, OS Commanding, Remote File Inclusion (RFI), SSI Injection, SQL Injection, XPath Injection, XML Injection, XQuery Injection and XML External Entities (XXE).

Not all of these attack types apply to every site, but they are properly blocked only at the WAF (Web Application Firewall) level or by data filtering in the web application itself.
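SQL Injection is the most common member of this group, and its fix illustrates the principle behind blocking most of the other injection types: keep user data out of the syntax of the command being built. The block below is an added Python example for this article, not code from the original page; it uses an in-memory SQLite database with constructed rows.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    # 'Before' form: the request parameter is pasted into the query text, so a value
    # containing a quote character changes the structure of the query itself.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterised query: the driver binds the value separately from the SQL text,
    # so whatever the input contains, it is compared as data and never parsed as SQL.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def count_rows_returned(query_fn, name):
    """Helper for comparing the two handlers on the same input."""
    return len(query_fn(make_db(), name))


if __name__ == "__main__":
    crafted = "x' OR '1'='1"
    print(count_rows_returned(find_user_vulnerable, crafted))  # 2: the whole table
    print(count_rows_returned(find_user_safe, crafted))        # 0: no such name
```

The same separation applies to OS commands (pass an argument list instead of a shell string), LDAP and XPath filters (escape or bind values), and XML parsers (disable external entities), which is why the text says the defence lives in the application's own data handling.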

Disclosure of information

Attacks of this group are not a threat in their pure form to the site itself (since the site does not suffer from them directly), but they can harm the business or be used to carry out other types of attacks. Types: Fingerprinting and Path Traversal.

Correct configuration of the server environment will largely protect against such attacks. However, you also need to pay attention to the web application's error pages (they can contain a lot of technical information) and to its work with the file system (which can be compromised by insufficient filtering of input data). It also happens that links to site vulnerabilities end up in the search index, and this in itself is a significant security threat.
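The two application-side points in that paragraph, file system access driven by user input and error pages that leak technical detail, can be handled as shown in this added Python example (written for this article, not taken from the page; the document root and handler names are assumptions). The path check resolves the requested name against the root and then verifies that the result is still inside it, which also covers `..` segments hidden behind symlinks.

```python
import logging
import os

logger = logging.getLogger("app")


def resolve_under_root(root, requested):
    """Return the absolute path of `requested` inside `root`, or None if it escapes.
    Assumed document root is passed by the caller."""
    if "\x00" in requested:
        return None   # embedded NUL bytes truncate paths in some runtimes (Null Byte Injection)
    root_abs = os.path.realpath(root)
    # Strip leading separators so an absolute request is still relative to the root,
    # then collapse '..' and symlinks before comparing.
    candidate = os.path.realpath(os.path.join(root_abs, requested.lstrip("/\\")))
    if candidate == root_abs or candidate.startswith(root_abs + os.sep):
        return candidate
    return None


def error_response(exc, debug=False):
    """Generic error page for users; full details go only to the server log."""
    logger.error("request failed", exc_info=exc)
    if debug:
        return 500, repr(exc)          # only for a developer build
    return 500, "Internal server error"


if __name__ == "__main__":
    print(resolve_under_root("/srv/www", "docs/readme.txt"))   # /srv/www/docs/readme.txt
    print(resolve_under_root("/srv/www", "../etc/passwd"))     # None
    print(error_response(ValueError("db connection string: ..."))[1])  # Internal server error
```

Returning a single generic message for every failure is also what defeats Fingerprinting through error text: the stack trace, framework version and query fragments stay in the log where only operators read them.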

Logical attacks

This group includes all the remaining attacks, whose feasibility stems mainly from the limited resources of the server. These include Denial of Service and more targeted attacks: SOAP Array Abuse, XML Attribute Blowup and XML Entity Expansion.

Protection against them is possible only at the web application level, or by blocking suspicious requests (on network equipment or a web proxy). As new kinds of targeted attacks appear, web applications must be audited for vulnerability to them.

DDoS attacks

As the classification should make clear, a DDoS attack in the professional sense is always the exhaustion of server resources in one way or another (the second D stands for Distributed, i.e. a distributed DoS attack). Other methods (although Wikipedia mentions them) have nothing to do with a DDoS attack directly, but represent one or another type of site vulnerability. The methods of protection are set out in sufficient detail in the same Wikipedia article, and I will not duplicate them here.

The Internet is a limitless world of information that provides ample opportunities for communication, education, and the organization of work and leisure, and at the same time it represents a huge database, replenished daily, that contains information about users which is of interest to cybercriminals. There are two main types of threats that users can be exposed to: technical threats and social engineering.

The main technical threats to users are malware, botnets, and DoS and DDoS attacks.

Threat: a potentially possible event or action that, by acting on the protected object, can lead to damage.

Malicious programs

The purpose of malware is to cause damage to a computer, server, or computer network. They can, for example, spoil, steal or erase data stored on the computer, slow down or completely stop the operation of the device. Malicious programs often “hide” in letters and messages with tempting offers from unknown persons and companies, in pages of news sites or other popular resources that contain vulnerabilities. Users visit these sites and malware invisibly infiltrates the computer.

Also, malware spreads via e-mail, removable media or files downloaded from the Internet. Files or links sent by email can expose your device to infection.

Malware includes viruses, worms and Trojans.

Virus: a kind of computer program whose distinctive feature is the ability to reproduce (self-replicate) and to embed itself, invisibly to the user, in files, disk boot sectors and documents. The name "virus" was applied to computer programs by analogy with biology precisely because of this ability to reproduce. A virus lying on the disk in the form of an infected file is not dangerous until that file is opened or launched; it takes effect only when the user activates it. Viruses are designed to copy themselves by infecting computers, usually destroying files in the process.

Worms: a type of virus. They fully live up to their name, since they spread by "crawling" from device to device. Like viruses, they are self-replicating programs, but unlike viruses a worm does not need the user's help in order to spread. It finds the loophole itself.

Trojans: malicious programs that cybercriminals deliberately introduce to collect, destroy or modify information, disrupt the operation of a computer or use its resources for improper purposes. Outwardly, Trojans look like legitimate software products and do not arouse suspicion. Unlike viruses, they are fully prepared to perform their functions. This is what cybercriminals count on: their task is to create a program that users will not be afraid to launch and use.

Attackers can infect a computer to make it part of a botnet, a network of infected devices located around the world. Large botnets can include tens or hundreds of thousands of computers. Users often do not even know that their computers are infected with malware and are being used by hackers. Botnets are created by distributing malicious programs in various ways; the infected machines then regularly receive commands from the botnet administrator, which makes it possible to organize coordinated actions by the bot computers against other devices and resources.

DoS and DDoS attacks

A DoS (denial of service) attack is an attack that paralyses the operation of a server or a personal computer by means of a huge number of requests arriving at high speed at the attacked resource.

The essence of a DoS attack is that an attacker tries to make a specific server temporarily unavailable: to overload the network or the processor, or to fill up a disk. The purpose of the attack is simply to disable the computer, not to obtain information: to seize all the resources of the victim computer so that other users have no access to them. Such resources include memory, processor time, disk space, network resources, etc.


There are two ways to carry out a DoS attack.

In the first method, the DoS attack exploits a vulnerability in the software installed on the attacked computer. The vulnerability makes it possible to trigger a certain critical error that leads to a malfunction of the system.

In the second method, the attack is carried out by simultaneously sending a large number of data packets to the attacked computer, which causes network congestion.

If such an attack is carried out simultaneously from a large number of computers, then in this case they speak of a DDoS attack.

A DDoS attack (distributed denial of service) is a type of DoS attack organized using a very large number of computers, so that even servers with very high-bandwidth Internet channels can be affected.


To organize DDoS attacks, cybercriminals use a botnet, a special network of computers infected with a special type of virus. An attacker can control each such computer remotely, without the owner's knowledge. With the help of a virus or a program that cleverly masquerades as legitimate, malicious code that the antivirus does not recognize is installed on the victim's computer and runs in the background. At the right moment, on the command of the botnet owner, this program is activated and starts sending requests to the attacked server, as a result of which the communication channel between the attacked service and its Internet provider fills up and the server stops working.

Social engineering

Most attackers rely not only on technology, but also on human weaknesses, using social engineering. This complex term denotes a way of obtaining the necessary information not through technical means, but through ordinary deception and cunning. Social engineers apply psychological techniques to people through e-mail, social media and instant messaging. As a result of their skillful work, users voluntarily give out their data, not always realising that they have been deceived.

Fraudulent messages most often include threats, such as the closing of a user's bank account, promises of huge winnings with little or no effort, or requests for donations on behalf of charities. For example, a message from an attacker might look like this: "Your account has been blocked. To restore access to it, you need to confirm the following data: phone number, e-mail and password. Send them to such-and-such an e-mail address." Most often, attackers do not leave the user time for reflection; for example, they ask for payment on the same day the letter is received.

Phishing

Phishing is the most popular method of attacking users and one of the methods of social engineering. It is a special type of Internet scam. The purpose of phishing is to gain access to confidential data such as addresses, phone numbers, credit card numbers, logins and passwords by using fake web pages. A phishing attack often proceeds as follows: a letter is sent to the user's e-mail, supposedly from a bank employee, asking them to log in to the Internet banking system. The letter contains a link to a fake site that is difficult to distinguish from the real one. The user enters personal data on the fake site, and the attacker intercepts it. Having taken possession of the personal data, the attacker can, for example, take out a loan in the user's name, withdraw money from their accounts and pay with their credit cards, or create a copy of a plastic card and use it to withdraw money anywhere in the world.

Fake antivirus and security software

Attackers often distribute malware under the guise of antivirus software. These programs generate notifications that, as a rule, contain a warning that the computer is allegedly infected and a recommendation to follow the specified link, download the "update" file from it and run it in order to cure the infection. Often the notifications are disguised as messages from legitimate sources, such as antivirus software companies. Channels for distributing fake antivirus include e-mail, online ads, social media, and even pop-ups on the computer that mimic system messages.

Spoofing the return address

It is well known that users are much more likely to trust messages received from acquaintances, and open them without expecting a trick. Attackers take advantage of this and forge the return address to that of someone the user knows, in order to lure them to a site containing malware or to extract personal information. Customers of Internet banks, for example, often fall victim to their own gullibility in this way.
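The three signs described in the social engineering, phishing and return-address sections above (urgent wording paired with a request for credentials, a link whose visible text names one site while its target is another, and a sender whose envelope domain does not match the displayed From address) can be checked mechanically on incoming mail. The Python triage function below is an added example for this article, not code from the page; the sample messages are constructed and the keyword lists are assumptions that a real deployment would tune.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed wording lists; the text's own example ("blocked", "confirm the following data") is included.
URGENCY_WORDS = ("blocked", "suspended", "immediately", "within 24 hours", "today")
CREDENTIAL_WORDS = ("password", "pin", "card number", "confirm the following data")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr_or_url):
    """Domain part of an e-mail address (possibly with display name) or of a URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].strip("> ").lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def triage(raw_message):
    """Return a list of phishing indicators found in one RFC 822 message (empty = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(str(msg["From"] or ""))
    return_path_dom = domain_of(str(msg["Return-Path"] or ""))
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"return-path domain {return_path_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        href_dom = domain_of(href)
        shown_dom = domain_of(shown) if "://" in shown else ""
        if shown_dom and shown_dom != href_dom:
            findings.append(f"link text shows {shown_dom} but points to {href_dom}")
        if href_dom.startswith("xn--") or ".xn--" in href_dom:
            findings.append(f"punycode (look-alike) domain in link: {href_dom}")   # coarse heuristic
    lowered = text.lower()
    if any(w in lowered for w in URGENCY_WORDS) and any(w in lowered for w in CREDENTIAL_WORDS):
        findings.append("urgent wording combined with a request for credentials")
    return findings


# Constructed sample messages (domains are fictitious).
SUSPICIOUS = """From: Bank Support <alerts@bank.example>
Return-Path: <bounce@mail-xyz.example>
To: user@example.com
Subject: Your account has been blocked
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been blocked. To restore access within 24 hours, confirm the following data: phone number, email and password.</p>
<p><a href="http://login.bank-verify.example/">https://bank.example/login</a></p>
</body></html>
"""

CLEAN = """From: Newsletter <news@example.com>
Return-Path: <news@example.com>
To: user@example.com
Subject: Monthly update
Content-Type: text/html; charset=utf-8

<html><body><p>Here is this month's update. <a href="https://example.com/news">Read more</a></p></body></html>
"""

if __name__ == "__main__":
    for finding in triage(SUSPICIOUS):
        print("-", finding)
    print("clean message findings:", triage(CLEAN))   # []
```

None of these indicators is proof on its own (legitimate bulk mailers routinely use a different Return-Path domain), which is why the function returns the list of findings for a human or a scoring rule rather than a verdict.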

How to Protect Against Internet Threats

There are many types and methods of attack, but there are also plenty of ways to defend against them. When using the Internet, we recommend that you follow these rules:

Use passwords

To create a strong password, use a combination of at least eight characters. It is desirable that the password includes upper- and lower-case letters, digits and special characters. The password must not repeat past passwords, and must not contain dates, names, phone numbers or similar information that can be easily guessed.
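The rules in that paragraph can be enforced as a single validation routine; the Python function below is an added example written for this article, not code from the page. It returns every violation rather than the first one, so the user can be told what to change, and the "personal information" check takes the names, dates and numbers the site already knows about the user as an argument.

```python
import re
import string

MIN_LENGTH = 8   # from the text: at least eight characters

_YEAR = re.compile(r"(19|20)\d{2}")                         # 1987, 2024, ...
_DATE = re.compile(r"\d{1,2}[./-]\d{1,2}[./-]\d{2,4}")      # 12.05.1987, 5/12/87, ...


def password_problems(password, history=(), personal=()):
    """Return a list of policy violations; an empty list means the password is acceptable.
    `history` holds the user's previous passwords, `personal` holds names, dates,
    phone numbers and similar values associated with the user (both assumed inputs)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password in history:
        problems.append("reuses a previous password")
    lowered = password.lower()
    for item in personal:
        item_l = str(item).lower()
        if len(item_l) >= 3 and item_l in lowered:
            problems.append(f"contains personal information: {item}")
    if _YEAR.search(password) or _DATE.search(password):
        problems.append("contains a date-like sequence")
    return problems


if __name__ == "__main__":
    print(password_problems("password"))                              # three class violations
    print(password_problems("Alice1990!", personal=("Alice", "+1-555-0100")))
    print(password_problems("Tr0ub4dor&3"))                           # []
```

Length and character-class checks run on the password alone; the history check should compare against stored hashes in a real system rather than against plaintext as this illustration does.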

Work on your computer with a limited account

Before starting work in the operating system, it is recommended to create a standard user account for everyday work on the computer and use it instead of the administrator account. A user account allows you to perform the same everyday actions as an administrator account, but when you try to change operating system settings or install new software, you will be prompted for an administrator password. This reduces the risk of accidentally deleting or changing important system settings, or of infecting your computer with malware.

Use data encryption

Data encryption is an additional way to protect sensitive information from unauthorized users. Special cryptographic programs encrypt data so that only a user who has the decryption key can read it. Many operating systems have built-in encryption facilities. For example, Windows 7 uses BitLocker Drive Encryption to protect all files stored on the operating system drive and internal hard drives, and BitLocker To Go to protect files stored on external hard drives and USB devices.

Perform software updates regularly

Update your software regularly and in a timely manner, including your operating system and any applications you use. The most convenient way is to set the automatic update mode, which will allow all work to be carried out in the background. It is strongly recommended to download updates only from the websites of the software manufacturers.

Use and regularly update antivirus software

Antivirus is a key component of protection against malware and other online threats. It must be installed and updated regularly so that it can fight new malware, the number of which increases every day. Modern antivirus programs, as a rule, update their antivirus databases automatically. They scan critical system areas and monitor all likely routes of virus intrusion, such as e-mail attachments and potentially dangerous websites, in the background without interfering with your work. Antivirus should always be enabled; disabling it is strongly discouraged. Also make a habit of scanning all removable media for viruses.

Use a firewall

A firewall is a special filter whose task is to control the network packets passing through it according to specified rules. A firewall works as follows: it monitors the communication between the device and the Internet and checks all data received from the network or sent to it. If necessary, it blocks network attacks and prevents the covert transmission of personal data to the Internet. The firewall keeps suspicious traffic from entering and does not let sensitive information out of the system.
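To make "controls packets according to specified rules" concrete, here is a small stateless packet filter written in Python as an added example for this article (not code from the page). The rule set, addresses and packets are constructed for the demonstration; rules are evaluated in order, the first match decides, and anything unmatched is denied, which is the usual default-deny posture.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    direction: str   # "in" (from the network) or "out" (from this host)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p):
        return ((self.direction == "any" or self.direction == p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto == "any" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def decide(rules, packet):
    """First matching rule wins; if nothing matches, the packet is dropped."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


HOME_LAN = "192.168.1.0/24"   # assumed home network

# Constructed rule set for a home PC that also serves HTTPS.
RULES = [
    Rule("allow", direction="out"),                                      # traffic the host initiates
    Rule("allow", direction="in", src=HOME_LAN, proto="tcp", dport=22),  # SSH only from the LAN
    Rule("deny",  direction="in", proto="tcp", dport=445),               # file sharing never from outside
    Rule("allow", direction="in", proto="tcp", dport=443),               # the public HTTPS service
]


if __name__ == "__main__":
    print(decide(RULES, Packet("203.0.113.5", "192.168.1.10", "tcp", 22, "in")))    # deny
    print(decide(RULES, Packet("192.168.1.20", "192.168.1.10", "tcp", 22, "in")))   # allow
```

Real firewalls are stateful, so the reply packets of an outbound connection are admitted automatically; this illustration omits connection tracking and only shows the rule-matching part the text describes.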

Avast always tries to be ahead when it comes to protecting users from new threats. More and more people are watching movies, sports broadcasts and TV shows on smart TV. They control the temperature in their homes with digital thermostats. They wear smartwatches and fitness bracelets. As a result, security needs expand beyond the personal computer to encompass all devices on the home network.

However, home routers, the key devices in the home network infrastructure, often have security issues and give hackers easy access. A recent study by Tripwire found that 80 percent of the top-selling routers have vulnerabilities. Moreover, the most common credentials for the administrative interface, in particular admin/admin or admin with an empty password, are used on 50 percent of routers around the world. Another 25 percent of users use an address, date of birth, first name or last name as the router password. As a result, more than 75 percent of routers around the world are vulnerable to simple password attacks, which opens up the possibility of deploying threats on the home network. The router security landscape today is reminiscent of the 1990s, when new vulnerabilities were discovered every day.

Home Network Security Function

The Home Network Security feature in Avast Free Antivirus, Avast Pro Antivirus, Avast Internet Security, and Avast Premier Antivirus addresses these issues by scanning your router and home network settings for potential issues. In the Avast Nitro Update, the home network security detection engine has been completely redesigned with support for multi-threaded scanning and an improved DNS intrusion detector. The engine now supports ARP scans and port scans performed at the kernel driver level, which makes scanning several times faster than the previous version.

"Home Network Security" can automatically block attacks on a router via cross-site request forgery (CSRF). CSRF exploits take advantage of website vulnerabilities and allow cybercriminals to send unauthorized commands to a website. The command imitates an instruction from a user the site already knows. In this way cybercriminals can impersonate the user and, for example, transfer money on the victim's behalf without their knowledge. Using CSRF requests, criminals can remotely change router settings in order to overwrite the DNS settings and redirect traffic to fraudulent sites.
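The router-side defence against the CSRF scenario described above is for the settings page to require a token that a form on another site cannot know. The Python handler below is an added example for this article, not Avast's or any router vendor's code; the session identifier, handler name and form fields are constructed. The token is an HMAC of the session id under a server secret, so the server need not store tokens, and comparison is constant-time.

```python
import hashlib
import hmac
import secrets

# Server-side secret generated at start-up (constructed for the example).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Per-session token embedded in the settings form as a hidden field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, submitted_token):
    """Constant-time check of the submitted token against the one for this session."""
    expected = csrf_token(session_id)
    return hmac.compare_digest(expected, submitted_token or "")


def change_dns_handler(session_id, form):
    """Assumed handler for the router's DNS settings page. A request forged from another
    site carries the victim's cookies (hence a valid session_id) but cannot supply the
    token, because that site never saw the form the token was embedded in."""
    if not verify_csrf(session_id, form.get("csrf_token")):
        return 403, "invalid or missing CSRF token"
    return 200, f"DNS server set to {form['dns']}"


if __name__ == "__main__":
    sid = "session-of-logged-in-owner"
    good_form = {"dns": "192.0.2.53", "csrf_token": csrf_token(sid)}
    forged_form = {"dns": "198.51.100.66"}            # what a cross-site form can send
    print(change_dns_handler(sid, good_form))        # (200, ...)
    print(change_dns_handler(sid, forged_form))      # (403, ...)
```

Marking the session cookie `SameSite=Lax` or `Strict` is a second, independent layer: the browser then omits the cookie from cross-site form submissions, so the forged request does not even arrive with a valid session.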

The Home Network Security component allows you to scan your home network and router settings for potential security issues. The tool detects weak or default Wi-Fi passwords, vulnerable routers, compromised Internet connections, and IPv6 that is enabled but not secured. Avast lists all devices on the home network so that users can check that only known devices are connected. The component provides simple recommendations for eliminating the detected vulnerabilities.

The tool also notifies the user when new devices, such as network-connected TVs and other equipment, join the network, so that an unknown device can be spotted immediately.

The new proactive approach emphasizes the overall concept of providing maximum comprehensive user protection.