Defining a computer virus.
As with all code, viruses use the host's resources: memory and hard disk space, amongst others, and are sometimes deliberate,- (erasing files / formatting hard disks) or allow others to access the machine without authorization across a network.
The term is often used in common parlance to describe all kinds of malware (malicious software), including those that are more classified as worms or trojans. most popular antiviral software packages defend against all of these types of attack.
A program called "Elk Cloner" is credited with being the first computer virus to appear 'in the wild"--that is, outside the lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread.
Since the mid- 1990s, viruses which infect operating systems or applications directly have been eclipsed by macro viruses, which spread through scripting languages for Microsoft programs such as Word and Outlook, these viruses spread in the Windows monoculture by documents and infected e-mail. Although Windows is the most popular operating system for virus writers, some viruses attack Unix-based OSes (and NTFS-aware applications on Windows NT based programs allow their users to run executables within their protected space in their own directories.
Nature of viruses
While viruses can be (and often are) malicious, destroying data, many are fairly benign or merely annoying. Many such viruses have a delayed payload, playing a message on a specific holiday, day of the month, or time of for a certain number of infections or reboots, or randomly occurring with a small chance.
The predominant destructive effect of viruses is their uncontrolled self-reproduction, which wastes or overwhelms computer memories. "Good" viruses have also appeared that spread improvements to the programs they infected, or delete other viruses, These are rare, still consume system resources, and may accidentally damage systems they infect.
Anatomy of viruses
Most viruses just consist of a finder and a replicator. The finder is responsible for finding new files to infect. For each new file the finder finds, it calls for the replicator to infect that file. The replicators task is to 1.0 open the new file 2.0 append the virus code to file, 3.0 save the executables starting point 4.0 change the executables starting point so that it points to the location where the new code starts 5.0 save the old start of execution point to the virus in a way so that the virus branches to that location 6.0 save the changes to the executable file, and 7.0 return to the finder so that it can find new files for the replicator to infect.
However, this only applies to quite simple viruses.
Some viruses also contain some sort of bomb that goes off when a certain condition is met. It might for example try to erase all files on the computer at a certain date, like on any Friday that happens to be at the end of the month. In addition, some viruses also encrypt their code before injecting it to new executables to avoid detection from antivirus-software which must, obviously, decrypt their code before running it In order to do that, such viruses have a decryption engine in the main body and an already encrypted encryption-engine somewhere in their replicator.
The decryption for viruses is fairly simple and mostly done by just xoring each byte with a randomized key. Most often, the encryption- and decryption-engines are the same, because xor works in both ways. (a xor b = c, c xor b = a)
However, while not being able to detect the actual virus code (because it is encrypted), antivirus-software can still detect the decryptor located in the front of the body of such viruses by comparing the byte pattern of the decryption-enginge. To avoid being deteced some viruses mutate their deception engines for each new copy of themselves. Such viruses are said to be polymorphic, and are hard to detect. To enable polymorphic code, the virus has to have a mutating engine somewhere in its encrypted body.
However, while not being able to detect the virus at all when it starts its execution, the anti virus-software can still detect it with analysis while it is executing. To avoid being detected in this way, some viruses rewrites themselves completely each time the new executables. Viruses that uses this technique is said to be metamorphic. To enable metamorphism, a metamorphic engine for a metamorphic virus is usually very large and complex. W32/Smile consisted of over 14000 lines of assembly code, for example as part of the metamorphic engine.
A virus requires several features from its host software to successfully duplicate itself. It must be permitted to execute code and memory. For this reason, many viruses attach themselves to useful programs, in the hope that users will run those programs (a virus).
Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early personal computers, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted from the disk.
As bulletin board systems and online software exchange became popular in the late 1980s and early 1990s, more viruses were becoming popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBSes. Many personal computers are now connected to the Internet and to local-area networks. Today's viruses take advantage of standard protocols such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms.
In order to stay alive, some well written viruses employ different kinds of obfuscation. Some old viruses (especially in MS-DOS include information attached to the files they infect, such as the 'last modified' date and the recorded filesize. Antivirus software that scan recently edited files or files that have changed in size will not notice the virus's presence in this case. Note that changing the information about the size of the file is not the same thing as actually changing the size of the file under MS-DOS. This approach does not confuse antivirus software.
Another hiding technique, a method DOS-era viruses commonly used to spread, is to infect the hard disk drive instead of the floppy. At bootstrap the computer runs the code located in the boot sector, which has been replaced by virus-code. The virus loads its disk into memory and makes itself memory resident, then loads the original bootsector into memory and transfers control that way, not even the operating system notices the presence of the virus.
As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Modern viruses often try to exploit the failings of modern antivirus software in trying to detect viral presence. Most modern progams try to find virus-patterns inside ordinary programs by scanning them. If they find a byte-pattem that corresponds to virus-pattern, the antivirus software tries to remove, contain, or delete the virus/file. The CIH virus, or Chernobyl Virus, infected Portable Executable files. Because those files had many empty gaps, the virus, around a kilobyte in length, did not add to the size of the file.
Modem state-of-the-art viruses try to encrypt themselves in order to avoid being detected by an antivirus search. This is often a combination of encryption and self-modifymg code. A virus that uses this technique is said to be polymorphic. There are usually two different parts of the virus when we speak of polymorphic virus: The crypto engine encrypts/decrypts the infector. Each time the virus runs it uses a different cryptokey. The crypto engine cannot because if it did, than would be no code to decrypt the engine next time the virus ran. Therefore, the crypto-engine has to use modifying code to modify itself differently each time it runs, without any part of the original algorithm getting lost. This presupposes a good knowledge of assembly language and the use of polymorphic code.
Viruses and popular software
Another analogy to biological viruses: just as the genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses.
This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and users of Microsoft software (especially networking software such as Microsoft Outlook and Microsoft Internet Explorer) became vulnerable to the spread of viruses, especially since such complicated software inevitably includes many errors.
Integrated applications, applications with scripting languages with access to the file system (eg: Visual Basic Script, or VBS, with networking features) are also particularly vulnerable.
Viruses and software development
Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must employ bugs in a system or application to spread. Software development strategies which produce large numbers of bugs will generally encourage potential exploits. Closed-source software development as practiced by Microsoft and other proprietary software companies is also seen by some as a weakness. Open source software such as GNU/Linux kernel, for example, allows all users to look for and fix security problems on a single vendor. Some advocate that proprietary software makers practice vulnerability disclosure to ameliorate this weakness.
Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads. Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type; some antivirus vendors also make effective use of other types of heuristic analysis. Some industry groups do not like this practice because it often increases the positives the anti-virus software detects. They work by examining the contents of the computer memory (its RAM, and boot files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known viruses. Some anti-virus programs are able to scan opened files in addition to sent and received emails 'on the fly' in a similar manner. known as 'on-access scanning.' Anti-virus software does not change the underlying capability of host software to transmit viruses, they therefore update their software regularly to patch security holes. Anti-virus software also needs to be updated in order to gain information on the latest threats and hoaxes.
A well-patched and well-maintained Unix system is very well-secured against viruses. Windows has the same type of scripting based systems, but doesn't natively block normal users from executing such scripts written by a third-party as Unix does. More recently, Microsoft's Outlook (but not Outlook Express) e-mail client has developed similar features that Outlook may download as attachments. Ordinary users would do well to patch their operating system clients to prevent viruses and worms from reproducing through security 'holes' which prudence (and most virus scanners) are prevent.
|Printer friendly Cite/link Email Feedback|
|Date:||Sep 1, 2004|
|Previous Article:||Kaspersky labs presents the top twenty for June 2004.|
|Next Article:||Network security policy: best practices.|