Computer Virus


By

Pradhumn Kumar
Research Associate
ICFAI National College HQ
Hyderabad
 


Introduction to computer virus

In computer security terminology, a virus is a piece of program code that, like a biological virus, makes copies of itself and spreads by attaching itself to a host, often damaging the host in the process. The host is another computer program, often a computer operating system, which then infects the applications that are transferred to other computers. The plural of virus is viruses, not virii, which is sometimes used incorrectly, both knowingly and otherwise.

As with all code, viruses use the host's resources: memory and hard disk space, amongst others, and are sometimes deliberately destructive (erasing files / formatting hard disks) or allow others to access the machine without authorization across a network.

The term is often used in common parlance to describe all kinds of malware (malicious software), including those that are more properly classified as worms or trojans.

There are a few relatively "harmless" viruses that have been written to perform a simple task (such as flashing a single message onto the user's computer screen). A small percentage of viruses are the result of computer code that operates in an unexpected manner, but the majority of viruses are programs deliberately written to interfere with, or damage, other programs or computer systems.

History

The term "virus" was first used in this sense in print by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it. However, a mid-1970s science fiction novel by David Gerrold, When H.A.R.L.I.E. was One, includes a description of a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "ANTIBODY"); and John Brunner's 1975 novel The Shockwave Rider describes programs known as "tapeworms" which spread through a network for the purpose of deleting data. The term "computer virus" with current usage also appears in the comic book "Uncanny X-Men" No. 158, published in 1982. Therefore, we may conclude that although Cohen's use of "virus" may, perhaps, have been the first "academic" use, it had been in the common parlance long before that.

A program called "Elk Cloner" is credited with being the first computer virus to appear "in the wild" -- that is, outside the single computer or lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk.

Since the mid-1990s, viruses which infect operating systems or applications directly have been eclipsed by macro viruses. Written in the scripting languages for Microsoft programs such as Word and Outlook, these viruses spread in the Windows monoculture by infecting documents and sending infected e-mail. Although Windows is the most popular operating system for virus writers, viruses numbering in the single digits have been seen on Mac OS X. Some viruses also exist on other Unix based OSes. It is important to note that any operating system that allows third-party programs to run can theoretically run viruses. However, some operating systems are less secure than others. Unix-based OSes (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their protected space in their own directories.

Nature of viruses

While viruses can be (and often are) malicious, destroying data, many are fairly benign or merely annoying (for example, displaying a message to the user). Many such viruses have a delayed payload, playing a message on a specific holiday, day of the month, or time of day; or waiting for a certain number of infections or reboots, or randomly occurring with a small chance.

The predominant destructive effect of viruses is their uncontrolled self-reproduction, which wastes or overwhelms computer resources.

"Good" viruses have also appeared that spread improvements to the programs they infected, or delete other viruses. These are, however, quite rare, still consume system resources, and may accidentally damage systems they infect.

Types of viruses

Boot viruses: These viruses infect floppy disk boot records or master boot records in hard disks. They replace the boot record program (which is responsible for loading the operating system in memory) copying it elsewhere on the disk or overwriting it. Boot viruses load into memory if the computer tries to read the disk while it is booting.
Examples: Form, Disk Killer, Michelangelo, and Stone virus

Program viruses: These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded in memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.
Examples: Sunday, Cascade

Multipartite viruses: A hybrid of Boot and Program viruses. They infect program files and when the infected program is executed, these viruses infect the boot record. When you boot the computer next time the virus from the boot record loads in memory and then starts infecting other program files on disk.
Examples: Invader, Flip, and Tequila

Stealth viruses: These viruses use certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside or they may alter the reading of the infected file's size shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file; then the virus subtracts the same number of bytes (9216) from the size given in the directory.
Examples: Frodo, Joshi, Whale

Polymorphic viruses: A virus that can encrypt its code in different ways so that it appears differently in each infection. These viruses are more difficult to detect.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101

Macro Viruses: A macro virus is a new type of computer virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects the Normal template (Normal.dot)-a general purpose file that stores default document formatting settings. Every document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on other computers.
Examples: DMV, Nuclear, Word Concept.

Active X:  ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to control there web browser to enable or disable the various functions like playing sound or video and so, by default, leave a nice big hole in the security by allowing applets free run into there machine. There has been a lot of commotion behind this and with the amount of power that JAVA imparts, things from the security angle seem a bit gloom.

These are just few broad categories. There are many more specialized types. But let us not go into that. We are here to learn to protect our self, not write a thesis on computer virus specification.  

Anatomy of viruses

Most viruses just consist of a finder and a replicator. The finder is responsible for finding new and yet uninfected files. For each new executable file the finder finds, it calls for the replicator to infect that file. The replicators task is to 1) open the new file 2) append the virus code to the executable file 3) save the executables starting point 4) change the executables starting point so that it points to the location where the newly copied virus code starts 5) save the old start of execution point to the virus in a way so that the virus branches to that location right after its execution. 6) save the changes to the executable file and 7) return to the finder so that it can find new files for the replicator to infect.

However, this only applies to quite simple viruses.

Most viruses also contain some sort of bomb that goes off when a certain condition is met. A bomb is mostly located at the beginning of the virus, and it might for example try to erase all files on the computer at a certain date, like on any Friday that happens to be at the 13th day in any month.

In addition, some viruses also encrypt their code before injecting it to new executables to avoid detection from antivirus-software. Such viruses must, obviously, decrypt their code before running it. In order to do that, such viruses have a decryption engine at the very beginning of their body and an already encrypted encryption-engine somewhere in their replicator.

Mostly, the decryption for viruses is fairly simple and done by xoring each byte with a randomized key that was saved by the parent virus. Most often, the encryption- and decryption-engines are the same, but used with different keys for the xoring. See xor for more information about that.

However, while not being able to detect the actual virus code (because it is encrypted), antivirus-software can still detect the decryption-engine located in the front of the body of such viruses by comparing the byte pattern of the decryption-engine. To avoid such detection, some state-of-the-art viruses mutate their decryption engines for each new copy of themselves. Such viruses are said to be polymorphic, and are much harder to detect. To enable polymorphic code, the virus has to have a mutating engine somewhere in its encrypted body.

Replication Strategies

A virus requires several features from its host software to successfully duplicate itself. It must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to useful programs, in the hope that users will run those programs (and therefore the virus).

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of personal computers, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk.

As bulletin board systems and online software exchange became popular in the late 1980s and early 1990s, more viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBSes. Within the "pirate scene" of hobbyists trading illicit copies of commercial software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.

Many personal computers are now connected to the Internet and to local-area networks. Today's viruses take advantage of standard network protocols such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms.

Hiding Strategies

In order to stay alive, some well-written viruses employ different kinds of obfuscation. Some old viruses (especially in MS-DOS) alter the information attached to the files they infect, such as the "last modified" date and the recorded file size. Antivirus software that just searches for recently edited files or files that have changed in size will not notice the virus's presence in this case. Note that changing the information stored about the size of the file is not the same thing as actually changing the size of the file under MS-DOS. This approach does not fool modern antivirus software.

Another hiding technique, a method DOS-era viruses commonly used to spread, is to infect the hard disk drive instead of the files saved on it. At bootstrap the computer runs the code located in the boot sector, which has been replaced by virus-code. The virus loads itself from the hard disk into memory and makes itself memory resident, then loads the original bootsector into memory and transfers control to the code in it. This way, not even the operating system notices the presence of the virus.

As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. The stealth methods of modern viruses often try to exploit the failings of modern antivirus software in trying to detect viral presence. Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them. If they find a byte-pattern that corresponds to any specific virus-pattern, the antivirus software tries to remove, contain, or delete the virus/file.

The CIH virus, or Chernobyl Virus, infected Portable Executable files. Because those files had many empty gaps, the virus, which was 1 kilobyte in length, did not add to the size of the file.

Modern state-of-the-art viruses try to encrypt themselves in order to avoid being detected by an antivirus search. This is often done with a combination of encryption and self-modifying code. A virus that uses this technique is said to be polymorphic.

There are usually two different parts of the virus when we speak of polymorphic viruses: The encryption/decryption engine and the infector. The crypto engine encrypts/decrypts the infector. Each time the virus runs it uses a different cryptokey. The crypto engine cannot encrypt itself, because if it did, there would be no code to decrypt the engine next time the virus ran. Therefore, the crypto-engine has to use a form of self modifying code to modify itself differently each time it runs, without any part of the original algorithm getting lost. This is possible to do with a good knowledge of assembly language and the use of polymorphic code.

Countermeasures

Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or mounts the executable. Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type; some antivirus vendors also claim the effective use of other types of heuristic analysis. Some industry groups do not like this practice because it often increases the number of false positives the anti-virus software detects. They work by examining the contents of the computers memory (its RAM, and boot sector) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus signatures. Some anti-virus programs are able to scan opened files in addition to sent and received emails 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must therefore update their software regularly to patch security holes. Anti-virus software also needs to be updated in order to gain knowledge about the latest threats and hoaxes.

Viruses and popular software

Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit software bugs in a system or application to spread. Software development strategies which produce large numbers of bugs will generally also produce potential exploits.

Closed-source software development as practiced by Microsoft and other commercial software companies is also seen by some as a security weakness. Open source software such as Linux, for example, allows all users to find and fix security problems without relying on a single vendor. Some advocate that commercial software makers practice vulnerability disclosure to ameliorate this weakness.

Norton Antivirus software

Description: Symantec's Norton Antivirus 2006 removes viruses, worms, and Trojan horses automatically--without interrupting your work. It defends against malicious code attempting to spread via e-mail messages, instant message attachments, and other sources.

In this version, which requires Windows XP or 2000, new features include removing unwanted monitoring software such as spyware and keystroke loggers, and preventing spyware programs from hijacking your home page and redirecting your browser to other sites. (AntiVirus 2005 is included in this package for Windows Me and 98 users.)

The program continuously protects against new threats by automatically downloading updates and scanning for viruses. Twelve months of protection updates and new product features (as available) are included, with annual subscriptions available for subsequent renewal.

Panda Antivirus Titanium

Panda Antivirus Titanium Panda Antivirus Titanium is the first truly install-and-forget antivirus with the latest generation antivirus technology. Its innovative updating technology and ease-of-use make it the best choice

Anti-Trojan

Anti-Trojan Anti-Trojan is a fast and reliable trojan remover which detects and deletes trojan horses using a portscan, registry- and diskscan. This grants a very good detection rate of trojan horses.

McAfee

McAfee anti virus software for windows is called "virus scan" and for Macintosh is called "Virex". It scans your computer each time you start it and when you save files to the hardware.

Conclusion-

Through this whole research I come to this conclusion that computer virus is a program which is intentionally generated to destroy & corrupt the files and programs of computer systems. There are many types of computer viruses. The only counter measure to save the computer from virus is to install latest antivirus software.

Bibliography

1- The art of computer virus research and defense, by Peter Szon
2- www.antivirusworld.com
3- Boloji.com/computing/security
 


Pradhumn Kumar
Research Associate
ICFAI National College HQ
Hyderabad
 

Source: E-mail July 28, 2006

     

Back to Articles 1-99 / Back to Articles 100-199 / 200 onwards / Faculty Column Main Page

 

Important Note :
Site Best Viewed in Internet
Explorer in 1024x768 pixels
Browser text size: Medium