Notes 5
Perspective & Computer Infestation
Class, do you know what computer infestation is?
Computer infestation is an unwanted program transmitted to a computer without the user's knowledge. It is designed to damage data and software (it does not physically damage PC hardware).
Three categories (viruses, worms, Trojan horses), each differing in the way they spread, what damage they do, and how
Computer infestation is like an electronic disease. It can affect your computer and anything attached to it.
PC SUPPORT TECHNICIAN
• PC support technicians are the "fix-it" people of the IT world. Just as TV repairmen, auto mechanics, plumbers and electricians are needed to maintain the health of your home, PC support technicians are needed to keep your PC in good working order.
• Obviously, a good PC technician needs to be mechanically inclined.
• Nevertheless, more than that, they need to be proficient communicators.
• Diagnosing and repairing PC problems requires a thorough understanding of the situation, which often needs to be ascertained through conversations with end-users.
PC SUPPORT TECHNICIAN
• Depending on the users' level of knowledge, the response to the support technician's question "What is wrong with your PC?" can vary widely.
• Experienced users may say, "The network card is intermittently disconnecting from the network."
• Less experienced users in the same situation may respond, "I can't get to Yahoo to check my email."
• Novices may say, "My computer doesn't work."
• In the last case, the technician must use interpersonal skills to elicit enough information from the user to form an opinion about what is wrong with the PC.
HELP-DESK TECHNICIAN
• In days of yore (the early 1970s), there were no PCs.
• Computers were large mainframes sold by a handful of major manufacturers.
• Back then, there weren't any help desks either.
• When there was a problem with the computer, the manufacturer was called.
• The engineers who designed the computer had to attempt to solve the problem.
• This took time away from their main task of designing new computers and earned no revenue for the computer manufacturer.
HELP-DESK TECHNICIAN
• IBM, being a relatively perceptive organization, hit upon a wonderful idea.
• They encouraged customers to pre-screen calls for assistance internally before calling IBM for help.
• The incentive IBM offered was discounts on equipment.
• By having customers call a central point for help, IBM hoped that they would minimize the number of calls for technical support by solving repeat problems internally.
• Thus the concept of the modern help desk was born.
HELP-DESK TECHNICIAN
• Screening problems is very different from solving them.
• Eventually, management realized that moving help desks from a reactive role (screening calls for help) to a proactive role (solving problems) should save the company money.
• Therefore, help desks evolved into the problem-solving entities that they are today.
PC SERVICE TECHNICIAN
Antivirus software is designed to discover and remove viruses, and is an important defense against computer infestations.
PERFORMANCE
• Some antivirus software can considerably reduce performance.
• Users may disable the antivirus protection to overcome the performance loss, thus increasing the risk of infection.
• For maximum protection, the antivirus software needs to be enabled all the time, often at the cost of slower performance.
SECURITY
• Antivirus programs can themselves pose a security risk, as they often run at the 'System' level of privilege and may hook the kernel.
• Both of these are necessary for the software to do its job effectively; however, exploitation of the antivirus program itself could lead to privilege escalation and create a severe security threat.
SECURITY
• When purchasing antivirus software, the agreement may include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at renewal time without explicit approval.
• For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription.
• Norton Antivirus also renews subscriptions automatically by default.
ROGUE SECURITY APPLICATIONS
• Some antivirus programs are actually spyware masquerading as antivirus software.
• It is best to double-check that the antivirus software being downloaded is actually a real antivirus program.
FALSE POSITIVES
• If an antivirus program is configured to immediately delete or quarantine infected files (or does this by default), false positives in essential files can render the operating system or some applications unusable.
SYSTEM RELATED ISSUES
• Running multiple antivirus programs concurrently can harm performance and create conflicts.
• It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers.
What's wrong?
Huh, my whole internal system is damaged by a virus.
Do you have a backup?
Is that so?
Thank you, Mr Officer!
UNDERSTANDING COMPUTER INFESTATIONS
• Virus
  - Most common computer infestation
  - Has an incubation period
  - Is contagious (replicates itself by attaching itself to other programs)
  - Is destructive
UNDERSTANDING COMPUTER INFESTATIONS
• The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that lack the ability to reproduce.
• A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance, because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.
UNDERSTANDING COMPUTER INFESTATIONS
• Trojan horse
  - Does not need a host program to work
  - Substitutes itself for a legitimate program
  - Unable to replicate
TROJAN HORSE
• The Trojan Horse is a tale from the Trojan War, as told in Virgil's Latin epic poem The Aeneid and by Quintus of Smyrna. The events in this story from the Bronze Age took place after Homer's Iliad, and before his Odyssey. It was the stratagem that allowed the Greeks finally to enter the city of Troy and end the conflict.
• In one version, after a fruitless 10-year siege, the Greeks constructed a huge wooden horse, and hid a select force of 30 men inside.
• The Greeks pretended to sail away, and the Trojans pulled the horse into their city as a victory trophy.
• That night the Greek force crept out of the horse and opened the gates for the rest of the Greek army, which had sailed back under cover of night. The Greek army entered and destroyed the city of Troy, decisively ending the war.
TROJAN HORSE PAYLOAD
TROJAN HORSE
• Since Trojan horses come in a variety of forms, there is no single method to delete them.
• The simplest responses involve clearing the temporary Internet files and deleting the Trojan file manually.
• Normally, antivirus software is able to detect and remove the Trojan automatically.
UNDERSTANDING COMPUTER INFESTATIONS
• Worm
  - Overloads a network as it replicates itself
  - Does not need a host program
• A computer worm is a self-replicating malware program which uses a computer network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention.
• This is possible because of security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program.
• Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
EXAMPLE OF WORM
• Christma Worm
  A student at a university in Germany created a worm in the REXX language. He released his worm in December 1987 on a network of IBM mainframe computers in Europe. The worm displayed an image of a conifer tree on the user's monitor, while it searched two files on the user's account to collect e-mail addresses, then automatically sent itself to all of those addresses.
• Morris Worm
  On 2 November 1988, Robert Tappan Morris, then a first-year graduate student in computer science at Cornell University, released his worm, which effectively shut down the Internet for several days.
  The Morris Worm succeeded in infecting approximately 3000 computers, which was about 5% of the Internet at that time.
  Morris was the first person to be arrested, tried, and convicted for writing and releasing a malicious computer program. He was found guilty on 22 Jan 1990 and appealed, but the U.S. Court of Appeals upheld the trial court's decision.
ILOVEYOU WORM
• The ILOVEYOU worm was first reported in Hong Kong on 4 May 2000 and spread westward on that day.
• The ILOVEYOU worm arrived at the victim's computer in the form of an e-mail with the ILOVEYOU subject line and an attachment. The e-mail itself was innocuous, but when the user clicked on the attachment to read the alleged love letter, LOVE-LETTER-FOR-YOU.TXT.VBS, the attachment turned out to be a Visual Basic program that performed a horrible sequence of bad things:
  - deletion of files from the victim's hard disk
  - password theft
  - worm propagation (sending e-mail)
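The double-extension trick above (a .VBS script named so that it reads as a .TXT) is something a mail filter can flag before the user ever sees the attachment. The following is an added example, not from the original notes: it parses a constructed message with Python's standard email library and reports attachments whose last extension is executable, especially when a document extension sits in front of it. The extension lists are assumptions, not a complete catalogue.

```python
# Added example: flag deceptive double-extension attachments (ILOVEYOU style).
import email
from email import policy
from pathlib import PurePosixPath

# Assumption: extensions Windows runs on double-click (representative, not exhaustive).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".bat", ".cmd", ".pif"}
# Assumption: extensions a user expects to be harmless documents.
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg", ".gif"}

def classify_filename(name):
    """Reason string if the attachment name looks deceptive or executable, else None."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in SCRIPT_EXTENSIONS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
        return "document extension hiding script extension " + suffixes[-1]
    return "executable attachment " + suffixes[-1]

def flag_attachments(raw_message):
    """Parse an RFC 5322 message and return (filename, reason) pairs worth blocking."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():  # walks the multipart tree, including nested parts
        name = part.get_filename()
        reason = classify_filename(name) if name else None
        if reason:
            findings.append((name, reason))
    return findings

# Constructed sample message (no real payload), shaped like the ILOVEYOU e-mail.
SAMPLE_MESSAGE = """\
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached letter.
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.VBS"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.VBS"

(script body omitted)
--b1--
"""
```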
WHERE VIRUSES HIDE
• Boot sector viruses
  - Hide in a boot sector program
  - Replace the boot program with a modified, infected version of the boot command utilities, often causing boot and data retrieval problems
• File viruses
  - Hide in an executable (.exe or .com) program
  - Can spread whenever the program is accessed
WHERE VIRUSES HIDE
• Macro viruses
  - Hide in a word-processing document that contains a macro
  - Most common viruses spread by e-mail
• Multipartite viruses
  - Combination of a boot sector virus and a file virus
  - A multipartite virus is a computer virus that infects multiple different targets.
  - For a complete cleanup, all parts of the virus must be removed.
  - Because of the multiple vectors for the spread of infection, these viruses can spread faster than a boot or file infector alone.
THE DAMAGE AN INFESTATION CAN CAUSE
• Ranges from very minor to major
• Is called the payload
• Can be accomplished in a variety of ways
HOW INFESTATIONS SPREAD
HOW A VIRUS REPLICATES
VIRUS HOAXES
• A letter or e-mail warning about a nonexistent virus. Overloads network traffic.
• A computer virus hoax is a false e-mail message warning the recipient of a virus that is going around.
• The message usually serves as a chain e-mail that tells the recipient to forward it to everyone they know.
• Most hoaxes are easily identified by the fact that they say the virus will do nearly impossible things, like blow up the recipient's computer and set it on fire.
• They often claim to be from reputable organizations such as Microsoft and IBM, but include emotive language and encouragement to forward the message, which would not come from an official source.
EXAMPLE OF VIRUS HOAX
PROTECTING AGAINST COMPUTER INFESTATIONS
• Regularly make backups
• Use virus scan software
• Use wisdom when managing programs
EXAMPLES OF VIRUS SYMPTOMS
• A program takes longer than normal to load
• Less memory than usual is available
• Noticeable reduction in disk space
• Executable files have changed size
• Files constantly become corrupted
• Unusual error messages occur regularly
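One of the symptoms above, executable files changing size, is easy to check mechanically if a baseline exists. This added example (not from the original notes) records the size and SHA-256 of the watched executables under a directory and later reports files that changed, appeared or vanished; the watched extensions and the temporary sample files in demo() are assumptions, and a real baseline would be stored somewhere the scanned system cannot modify.

```python
# Added example: baseline-and-compare integrity check for executable files.
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: file types a file virus typically infects (see "File viruses").
WATCHED_EXTENSIONS = {".exe", ".com", ".dll"}

def fingerprint(path):
    """Size and SHA-256 of one file; a file infector changes both."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}

def build_baseline(root):
    """Map of relative path -> fingerprint for every watched file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in WATCHED_EXTENSIONS}

def compare(root, baseline):
    """Report changed (name, old size, new size), new and missing watched files."""
    current = build_baseline(root)
    report = {"changed": [], "new": [], "missing": sorted(set(baseline) - set(current))}
    for name, fp in current.items():
        old = baseline.get(name)
        if old is None:
            report["new"].append(name)
        elif old != fp:  # size or hash differs from the recorded baseline
            report["changed"].append((name, old["size"], fp["size"]))
    return report

def demo():
    """Constructed scenario: take a baseline, then one executable grows and a new one appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)  # 102 bytes
        (root / "readme.txt").write_bytes(b"not a watched type")
        baseline = build_baseline(root)
        with open(root / "app.exe", "ab") as f:  # simulate the growth a file infector causes
            f.write(b"\xcc" * 512)
        (root / "tool.com").write_bytes(b"\xcc" * 16)  # an executable that was not there before
        return compare(root, baseline)
```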
WHAT TO DO WHEN YOU SUSPECT A VIRUS INFESTATION
• Run a virus scan program to detect and delete the virus
• Use the latest upgrade of your AV software
PROTECTING AGAINST VIRUSES
ANTIVIRUS SOFTWARE FEATURES TO LOOK FOR
• Ability to download new software upgrades from the Internet
• Ability to automatically execute at startup
• Ability to detect macros in a word-processing document as it is loaded by the word processor
• Ability to automatically monitor files being downloaded from the Internet
USING ANTIVIRUS SOFTWARE
• Can be configured to scan memory and the boot sector of the hard drive for viruses each time the PC is booted
• Consider scheduling AV software to run at the same time every day
• Can be set to run continuously in the background and scan all programs that are executed
• Can cause problems with other software, especially during installations
MCAFEE VIRUS SCAN SOFTWARE
PLANNING FOR DISASTER RECOVERY
• Prepare for a disaster before it occurs
• Know how to recover lost data
• Know when the backup was made and what you must do to recover information since the last backup (recordkeeping)
• Verify that your recovery plan will work by practicing it before a disaster occurs
SPYWARE
• Spyware is a type of malware that can be installed on computers and which collects small pieces of information about users without their knowledge.
• The presence of spyware is typically hidden from the user and can be difficult to detect.
• Typically, spyware is secretly installed on the user's personal computer.
• Sometimes, however, spyware such as keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users.
SPYWARE & ADWARE
• The term adware frequently refers to any software which displays advertisements, whether or not the user has consented.
• Most adware is spyware in a different sense than "advertising-supported software": it displays advertisements related to what it finds from spying on users.
• Unlike viruses and worms, spyware does not usually self-replicate.
• Like many recent viruses, however, spyware, by design, exploits infected computers for commercial gain.
COMMON SPYWARE IN THE DIGITAL AGE: EXAMPLES
• These common spyware programs illustrate the diversity of behaviours found in these attacks. Note that, as with computer viruses, researchers give names to spyware programs which may not be used by their creators:
  - CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.
  - HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs, an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.
REMEDIES AND PREVENTION
• As the spyware threat has worsened, a number of techniques have emerged to counteract it.
• These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.
Anti-spyware programs
Security practices
Many system operators install a web browser other than IE, such as Opera, Google Chrome or Mozilla Firefox. Though no browser is completely safe, Internet Explorer is at a greater risk for spyware infection due to its large user base as well as vulnerabilities such as ActiveX.