LESSON 6 MALWARE part V

6.6 Countermeasures

6.6.1 Introduction
There are a number of ways that you can detect, remove and prevent malware. Some of
these are common sense, others are technological alternatives. The following section
highlights some of these, with a brief explanation and examples.

6.6.2 Anti-Virus
Anti-Virus software is available in many commercial and Open Source versions. These all work
following the same method. Each has a database of known viruses and matches the
signatures of these against the files on the system to see if there are any infections.
With modern viruses, though, these signatures are very small, and there can be
false positives - things that appear to be viruses but are not. Some virus scanners employ a
technique known as heuristics, which means that they have a concept of what a virus “looks
like” and can determine whether an unknown application matches these criteria. Recently Anti-Virus
software has also crossed the boundary into Host Based Intrusion Detection, by keeping a list
of files and checksums in order to increase the speed of scanning.


6.6 Countermeasures

6.6.1 Introduction

There are many ways to detect, remove and prevent malware. Some are common sense, others are technical. This part explains some of these methods, with explanations and examples.

6.6.2 Anti-Virus

Anti-virus software can be bought commercially or downloaded for free. These programs all work on the same principle. Each has a database of known viruses, and the software matches the files on the system against the virus signatures in that database to detect whether a file has been infected. With today's viruses, however, these signatures are all very small, and anti-virus software relying on such matching often performs poorly, wrongly reporting uninfected files as viruses. Some virus scanners use a technique called heuristics, which includes criteria for judging whether an unknown program is a virus. Recently, anti-virus software has also moved into host-based intrusion detection, keeping a record of files and checksums in order to speed up scanning.


6.6.3 NIDS
Network intrusion detection is similar to AntiVirus software. It looks for a particular signature or
behavior from a worm or virus. It can then either alert the user, or automatically stop the
network traffic carrying the malware.

6.6.4 HIDS
Host based Intrusion Detection systems, such as Tripwire, are capable of detecting changes
made to files. It is reasonable to expect that an application, once it is compiled, should not
need to change, so watching various aspects of it, such as its size, last modification date and
checksum, makes it instantly obvious that something is wrong.
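
The signature matching of 6.6.2 and the Tripwire-style record of size, modification date and checksum of 6.6.4 are the same handful of operations on files. The Python below is an added example written for this page, not code from the lesson, from Tripwire or from any anti-virus product; the signature patterns, the file tree and the tampering scenario are constructed for the demo. It keeps a baseline, reports added, removed and modified files, and reuses a file's earlier scan verdict when its checksum is unchanged, which is the checksum-list speed-up the text describes.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed "virus database" for the example: name -> byte pattern to look for.
# The patterns are invented for this demo and are not real malware signatures.
SIGNATURES = {
    "Example.Dropper.A": b"EXAMPLE-DROPPER-SIGNATURE-0001",
    "Example.Worm.B": b"EXAMPLE-WORM-SIGNATURE-0002",
}


def fingerprint(path):
    """The attributes a Tripwire-style HIDS records: size, mtime and a checksum."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": h.hexdigest()}


def files_under(root):
    return [p for p in sorted(root.rglob("*")) if p.is_file()]


def build_baseline(root):
    """Snapshot every file under root. In a real deployment the baseline is kept
    where the monitored host cannot silently rewrite it (read-only media, another host)."""
    return {str(p.relative_to(root)): fingerprint(p) for p in files_under(root)}


def check_integrity(root, baseline):
    """Report files that appeared, disappeared or changed since the baseline.
    A compiled program that 'should not need to change' showing up here is the alarm."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p]["sha256"] != baseline[p]["sha256"]),
    }


def signature_scan(root, cache):
    """Match every file against SIGNATURES. `cache` maps path -> {sha256, hits};
    a file whose checksum is unchanged reuses its earlier verdict instead of
    being matched again. Returns (verdicts, list of files actually re-scanned)."""
    results, rescanned = {}, []
    for p in files_under(root):
        rel = str(p.relative_to(root))
        digest = fingerprint(p)["sha256"]
        entry = cache.get(rel)
        if entry is not None and entry["sha256"] == digest:
            results[rel] = entry["hits"]
            continue
        data = p.read_bytes()
        hits = [name for name, pattern in SIGNATURES.items() if pattern in data]
        cache[rel] = {"sha256": digest, "hits": hits}
        results[rel] = hits
        rescanned.append(rel)
    return results, rescanned


def run_demo():
    """Constructed scenario: baseline a small tree, scan it twice, then simulate
    an infection (one binary patched, one new file dropped) and scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"harmless program bytes")
        (root / "bin" / "helper").write_bytes(b"#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)
        cache = {}
        _, first_rescanned = signature_scan(root, cache)
        _, second_rescanned = signature_scan(root, cache)   # all from cache
        (root / "bin" / "app").write_bytes(
            b"harmless program bytes" + SIGNATURES["Example.Dropper.A"])
        (root / "bin" / "dropped").write_bytes(b"junk" + SIGNATURES["Example.Worm.B"])
        integrity = check_integrity(root, baseline)
        third, third_rescanned = signature_scan(root, cache)
        return {
            "first_rescanned": first_rescanned,
            "second_rescanned": second_rescanned,
            "integrity": integrity,
            "third": third,
            "third_rescanned": third_rescanned,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The second clean scan re-scans nothing, and after the tampering only the two files whose checksums changed are matched again; the integrity check reports the patched binary as modified and the dropped file as added regardless of whether a signature exists for it, which is the advantage a HIDS has over pure signature matching.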

6.6.5 Firewalls
Worms propagate across the network by connecting to vulnerable services on each host.
Apart from ensuring that none of these vulnerable services are running, the next best thing is
to ensure that your firewall does not allow connections to these services. Many modern
firewalls will provide some form of packet filtering similar to a NIDS which will rule out packets
matching a certain signature. (Firewalls are discussed in more detail in section 7.1.2).
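
Both 6.6.3 and 6.6.5 come down to rules applied to packets: a firewall rule refuses connections to a vulnerable service port, and a NIDS rule looks for a payload signature or for a behaviour such as one host probing many neighbours. The Python below is an added example, not code from the lesson, from Snort or from any firewall product; the packets, addresses, blocked-port list, signature string and fan-out threshold are all constructed for the demo.

```python
from collections import defaultdict

# Constructed packets for the demo: (timestamp, src, dst, dst_port, payload).
# Addresses and payloads are invented; the probe string is not a real signature.
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\n"),
    (0.1, "10.0.0.5", "10.0.0.20", 445, b"\x00\x00\x00\x90\xffSMB"),
    (0.5, "10.0.0.9", "10.0.0.20", 80, b"GET /EXAMPLE-WORM-PROBE HTTP/1.0\r\n"),
    (0.6, "10.0.0.9", "10.0.0.21", 80, b"GET /EXAMPLE-WORM-PROBE HTTP/1.0\r\n"),
    (0.7, "10.0.0.9", "10.0.0.22", 80, b"GET /EXAMPLE-WORM-PROBE HTTP/1.0\r\n"),
    (5.0, "10.0.0.5", "10.0.0.23", 80, b"GET / HTTP/1.1\r\n"),
]

# Firewall policy: inbound connections to these service ports are refused outright
# (a constructed list standing in for services that should not be reachable).
BLOCKED_PORTS = {135, 139, 445}

# NIDS content signatures, in the spirit of a Snort rule's content: match.
SIGNATURES = {"Example worm HTTP probe": b"EXAMPLE-WORM-PROBE"}

# Behavioural rule: one source reaching FANOUT distinct hosts on the same port
# within WINDOW seconds is treated as worm-like scanning.
FANOUT = 3
WINDOW = 2.0


def firewall_filter(packets):
    """Stateless packet filter: drop anything aimed at a blocked port."""
    passed, dropped = [], []
    for pkt in packets:
        (dropped if pkt[3] in BLOCKED_PORTS else passed).append(pkt)
    return passed, dropped


def signature_alerts(packets):
    """Signature detection: flag any payload containing a known pattern."""
    alerts = []
    for ts, src, dst, port, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append((ts, src, dst, port, name))
    return alerts


def fanout_alerts(packets):
    """Behavioural detection: a source contacting many distinct hosts on one
    port inside a short window, the propagation pattern 6.6.5 describes."""
    history = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    flagged, alerts = set(), []
    for ts, src, dst, port, _ in sorted(packets, key=lambda p: p[0]):
        key = (src, port)
        history[key].append((ts, dst))
        recent = {d for t, d in history[key] if ts - t <= WINDOW}
        if len(recent) >= FANOUT and key not in flagged:
            flagged.add(key)
            alerts.append((ts, src, port, sorted(recent)))
    return alerts


def run_pipeline(packets):
    """Apply the firewall first, then inspect what it let through, as a
    firewall with built-in NIDS-style filtering would."""
    passed, dropped = firewall_filter(packets)
    return {
        "passed": len(passed),
        "dropped": dropped,
        "signature_alerts": signature_alerts(passed),
        "fanout_alerts": fanout_alerts(passed),
    }


if __name__ == "__main__":
    for key, value in run_pipeline(PACKETS).items():
        print(key, value)
```

On the sample traffic the SMB connection is dropped by the port rule before any inspection, each probe payload raises a signature alert, and the fan-out rule fires once, on the third distinct host contacted by 10.0.0.9 within two seconds; the later request from 10.0.0.5 falls outside the window and is not flagged. The two detection styles are complementary: the signature rule needs a known pattern, the behavioural rule does not.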

 

6.6.3 Network Intrusion Detection Systems

A network intrusion detection system is similar to anti-virus software. It also detects by looking for the signatures of worms or viruses. The outcome is either a warning to the user or the automatic blocking of the network traffic carrying the malware.

6.6.4 Host Intrusion Detection Systems

Host intrusion detection systems, such as Tripwire, can detect changes made to files. In general, once an application has been compiled it should not need to change, so watching various aspects of the program, such as its size, last modification date and checksum, shows whether a program has been tampered with.

6.6.5 Firewalls

Worms spread across the network by connecting to poorly protected services on each host. Apart from checking whether any such services are running, the best approach is to make sure your firewall blocks these connections. Many modern firewalls, like a NIDS, provide packet filtering that drops packets carrying a recognisable signature. (Firewalls are introduced in more detail in 7.1.2.)

6.6.6 Sandboxes
The concept of a sandbox is simple. Your application has its own little world to play in and
can't do anything to the rest of your computer. This is implemented as standard in the Java
programming language, and can also be implemented through other utilities such as chroot
in Linux. This restricts the damage that any malware can do to the host operating system by
simply denying it the access required. Another option is to run a full machine inside a machine
using a virtual machine product such as VMWare. This isolates the virtual machine from the
host operating system, only allowing access as defined by the user.
Example – http://www.vmware.com – VMWare virtual machines
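
The sandbox principle above, denying the program the access it would need, can be illustrated with a path check that keeps every file request inside one directory, including requests that try to get out through “..” or through a symbolic link. The Python below is an added example, not code from the lesson, from Java or from chroot; the jail directory and its files are constructed in a temporary folder. It models the decision a chroot enforces rather than calling the real os.chroot(), which requires root privileges and is applied by the kernel to everything the process does, whereas a check inside the application only covers the paths it is asked to resolve.

```python
import os
import tempfile
from pathlib import Path


class SandboxError(PermissionError):
    """Raised when a request would reach outside the sandbox."""


class Sandbox:
    """Confine file access to one directory, the 'jail'.

    A request is honoured only if the fully resolved path (symlinks followed,
    '..' collapsed) still lies inside the jail root."""

    def __init__(self, root):
        self.root = Path(root).resolve()

    def resolve(self, user_path):
        # Every request is taken relative to the jail, the way chroot treats '/'.
        candidate = (self.root / str(user_path).lstrip("/")).resolve()
        if candidate != self.root and self.root not in candidate.parents:
            raise SandboxError(f"{user_path!r} escapes the sandbox")
        return candidate

    def read(self, user_path):
        return self.resolve(user_path).read_bytes()


def run_demo():
    """Constructed layout: a 'host' secret next to a jail that contains one
    legitimate file and one symlink pointing back out at the secret."""
    with tempfile.TemporaryDirectory() as tmp:
        outer = Path(tmp)
        secret = outer / "secret.txt"
        secret.write_text("host data")
        jail = outer / "jail"
        (jail / "data").mkdir(parents=True)
        (jail / "data" / "ok.txt").write_text("inside")
        os.symlink(secret, jail / "data" / "link")

        sb = Sandbox(jail)
        results = {
            "relative": sb.read("data/ok.txt").decode(),
            "absolute": sb.read("/data/ok.txt").decode(),
        }
        # Three escape attempts: plain '..', '..' hidden behind a valid
        # directory, and a symlink whose target lies outside the jail.
        attempts = {
            "dotdot": "../secret.txt",
            "nested_dotdot": "data/../../secret.txt",
            "symlink": "data/link",
        }
        for name, path in attempts.items():
            try:
                sb.read(path)
                results[name] = "allowed"
            except SandboxError:
                results[name] = "denied"
        return results


if __name__ == "__main__":
    print(run_demo())
```

The check resolves the path before comparing it, which is what defeats the symlink case: comparing the text of the request would let “data/link” through even though it reads a file outside the jail. A real chroot or a virtual machine gives the same answer for every system call, not only for the paths this class sees.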

 

6.6.6 Sandboxes

The concept of a sandbox is simple. Your application has its own specific area that it is responsible for and cannot do anything outside that scope. This is implemented as standard in the Java programming language, and is also standard in other utilities, such as the change-root program on Linux. This restricts malware from bypassing permission checks to damage the operating system. Another approach is to run a machine inside a machine, using a virtual-machine product such as VMWare. This separates the virtual machine from the host operating system, allowing only the access defined by the user.

Example - http://www.vmware.com - VMWare virtual machines.

1. Matching Game: Research each of the following and match it to the type of
countermeasure that it is:

   Matching game: look up each of the following websites and match it to the countermeasure it describes.
1. http://www.vmware.com        NIDS
2. http://www.tripwire.org      Antivirus
3. http://www.snort.org         Firewalls
4. http://www.checkpoint.com    Sandboxes
5. http://www.sophos.com        HIDS


2. Research Spybot Search and Destroy and determine what type of malware it protects your
computer against.

   Look up Spybot Search and Destroy and find out which kind of malware it protects against.
3. Research how NIDS and HIDS work.

   Look up how NIDS and HIDS work.
4. Research Firewall solutions on the net.

   Look up firewall solutions on the internet.
5. Look up “chroot” on the internet. Read about this type of “jail” or “sandbox”.

   Look up “chroot” on the internet and read about “jail” and “sandbox”.


6.7 Good Safety Advice
There are a number of simple things that you can do in order to minimize your risk from Malware.
• Only download from reputable sources (that means no W4R3Z, please).
• Don't open e-mail attachments from people you don't know.
• Don't leave macros enabled by default in your applications.
• Keep your OS and applications up to date with patches.
• If downloading and installing software with a checksum – check the checksum.


6.7 Some Good Safety Advice

To reduce the risk of infection by rogue software, here are some things you can do.

1. Download from trustworthy sources.

2. Don't open e-mail from people you don't know.

3. Don't leave Microsoft in its default state in your applications (not quite sure what this means).

4. Regularly update or patch your operating system and applications.

5. If a checksum is needed to install or download software, check that checksum first.


Further Reading
AV Vendor Sites -
http://www.sophos.com
http://www.symantec.com
http://www.fsecure.com
All of these sites have databases listing details of trojans, viruses and
other malware. There are also detailed descriptions of the functioning
of the above.

The following sites all have databases of trojans, viruses and other malware, as well as detailed descriptions of that software.
http://www.cess.org/adware.htm
http://www.microsoft.com/technet/security/topics/virus/malware.mspx
http://www.zeltser.com/sans/gcih-practical/revmalw.html
http://www.securityfocus.com/infocus/1666
http://www.spywareguide.com/
http://www.brettglass.com/spam/paper.html
http://www.lavasoft.nu/ - AdAware Cleaning Software (Freeware Version)
http://www.claymania.com/removal-tools-vendors.html
http://www.io.com/~cwagner/spyware.html
http://www.bo2k.com/
http://www.sans.org/rr/catindex.php?cat_id=36

 
