|
 | | |
| What
is a computer virus? | |
Computer virusFrom Wikipedia, the free encyclopedia.
In computer security terminology, a virus
is a piece of program code that, like a biological virus, makes copies of itself
and spreads by attaching itself to a host, often damaging the host in the process.
The host is another computer program, often a computer operating system, which
then infects the applications that are transferred to other computers. The plural
of virus is viruses, not virii, which is sometimes used incorrectly, both knowingly
and otherwise. See plural of virus.
As
with all code, viruses use the host's resources: memory and hard disk space, amongst
others, and are sometimes deliberately destructive (erasing files / formatting
hard disks) or allow others to access the machine without authorization across
a network.
The term is often used in common
parlance to describe all kinds of malware (malicious software), including those
that are more properly classified as worms or trojans. Most popular anti-viral
software packages defend against all of these types of attack.
There
are a few relatively "harmless" viruses that have been written to perform a simple
task (such as flashing a single message onto the user's computer screen). A small
percentage of viruses are the result of computer code that operates in an unexpected
manner, but the majority of viruses are programs deliberately written to interfere
with, or damage, other programs or computer systems.
The
term "virus" was first used in this sense in print by Fred Cohen in his 1984 paper
Experiments with Computer Viruses, where he credits Len Adleman with coining it.
However, a mid-1970s science fiction novel by David Gerrold, When H.A.R.L.I.E.
was One, includes a description of a fictional computer program called "VIRUS"
that worked just like a virus (and was countered by a program called "ANTIBODY");
and John Brunner's 1975 novel The Shockwave Rider describes programs known as
"tapeworms" which spread through a network for the purpose of deleting data. The
term "computer virus" with current usage also appears in the comic book "Uncanny
X-Men" No. 158, published in 1982. Therefore, we may conclude that although Cohen's
use of "virus" may, perhaps, have been the first "academic" use, it had been in
the common parlance long before that.
A
program called "Elk Cloner" is credited with being the first computer virus to
appear "in the wild" -- that is, outside the single computer or lab where it was
created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS
3.3 operating system and spread by floppy disk.
Since
the mid-1990s, viruses which infect operating systems or applications directly
have been eclipsed by macro viruses. Written in the scripting languages for Microsoft
programs such as Word and Outlook, these viruses spread in the Windows monoculture
by infecting documents and sending infected e-mail. Although Windows is the most
popular operating system for virus writers, viruses numbering in the single digits
have been seen on Mac OS X. Some viruses also exist on other Unix based OSes.
It is important to note that any operating system that allows third-party programs
to run can theoretically run viruses. However, some operating systems are less
secure than others. Unix-based OSes (and NTFS-aware applications on Windows NT
based platforms) only allow their users to run executables within their protected
space in their own directories. Nature of virusesWhile viruses can be
(and often are) malicious, destroying data, many are fairly benign or merely annoying
(for example, displaying a message to the user). Many such viruses have a delayed
payload, playing a message on a specific holiday, day of the month, or time of
day; or waiting for a certain number of infections or reboots, or randomly occurring
with a small chance.
The predominant destructive effect of viruses is
their uncontrolled self-reproduction, which wastes or overwhelms computer resources.
"Good" viruses have also appeared that spread improvements to the programs
they infected, or delete other viruses. These are, however, quite rare, still
consume system resources, and may accidentally damage systems they infect. Anatomy
of virusesMost viruses just consist of a finder and a replicator. The finder
is responsible for finding new and yet uninfected files. For each new executable
file the finder finds, it calls for the replicator to infect that file. The replicators
task is to 1) open the new file 2) append the virus code to the executable file
3) save the executables starting point 4) change the executables starting point
so that it points to the location where the newly copied virus code starts 5)
save the old start of execution point to the virus in a way so that the virus
branches to that location right after its execution. 6) save the changes to the
executable file and 7) return to the finder so that it can find new files for
the replicator to infect.
However, this only applies to quite simple
viruses.
Most viruses also contain some sort of bomb that goes off when
a certain condition is met. A bomb is mostly located at the beginning of the virus,
and it might for example try to erase all files on the computer at a certain date,
like on any friday that happens to be at the 13th day in any month.
In
addition, some viruses also encrypt their code before injecting it to new executables
to avoid detection from antivirus-software. Such viruses must, obviously, decrypt
their code before running it. In order to do that, such viruses have a decryption
engine at the very beginning of their body and an already encrypted encryption-engine
somewhere in their replicator.
Mostly, the decryption for viruses is
fairly simple and done by xoring each byte with a randomized key that was saved
by the parent virus. Most often, the encryption- and decryption-engines are the
same, but used with different keys for the xoring. See xor for more information
about that.
However, while not being able to detect the actual virus
code (because it is encrypted), antivirus-software can still detect the decryption-engine
located in the front of the body of such viruses by comparing the byte pattern
of the decryption-enginge. To avoid such detection, some state-of-the-art viruses
mutate their decryption engines for each new copy of themselves. Such viruses
are said to be polymorphic, and are much harder to detect. To enable polymorphic
code, the virus has to have a mutating engine somewhere in its encrypted body.
Replication StrategiesA virus requires several features
from its host software to successfully duplicate itself. It must be permitted
to execute code and write to memory. For this reason, many viruses attach themselves
to useful programs, in the hope that users will run those programs (and therefore
the virus).
Before computer networks became widespread, most viruses
spread on removable media, particularly floppy disks. In the early days of personal
computers, many users regularly exchanged information and programs on floppies.
Some viruses spread by infecting programs stored on these disks, while others
installed themselves into the disk boot sector, ensuring that they would be run
when the user booted the computer from the disk.
As bulletin board systems
and online software exchange became popular in the late 1980s and early 1990s,
more viruses were written to infect popularly traded software. Shareware and bootleg
software were equally common vectors for viruses on BBSes. Within the "pirate
scene" of hobbyists trading illicit copies of commercial software, traders in
a hurry to obtain the latest applications and games were easy targets for viruses.
Many personal computers are now connected to the Internet and to local-area
networks. Today's viruses take advantage of standard network protocols such as
the World Wide Web, e-mail, and file sharing systems to spread, blurring the line
between viruses and worms. Hiding StrategiesIn order to stay alive, some
well written viruses employ different kinds of obfuscation. Some old viruses (especially
in MS-DOS) alter the information attached to the files they infect, such as the
"last modified" date and the recorded filesize. Antivirus software that just searches
for recently edited files or files that have changed in size will not notice the
virus's presence in this case. Note that changing the information stored about
the size of the file is not the same thing as actually changing the size of the
file under MS-DOS. This approach does not fool modern antivirus software.
Another hiding technique, a method DOS-era viruses commonly used to spread, is
to infect the hard disk drive instead of the files saved on it. At bootstrap the
computer runs the code located in the boot sector, which has been replaced by
virus-code. The virus loads itself from the hard disk into memory and makes itself
memory resident, then loads the original bootsector into memory and transfers
control to the code in it. This way, not even the operating system notices the
presence of the virus.
As computers and operating systems grow larger
and more complex, old hiding techniques need to be updated or replaced. The stealth
methods of modern viruses often try to exploit the failings of modern antivirus
software in trying to detect viral presence. Most modern antivirus programs try
to find virus-patterns inside ordinary programs by scanning them. If they find
a byte-pattern that corresponds to any specific virus-pattern, the antivirus software
tries to remove, contain, or delete the virus/file.
The CIH virus, or
Chernobyl Virus, infected Portable Executable files. Because those files had many
empty gaps, the virus, which was 1 kilobyte in length, did not add to the size
of the file.
Modern state-of-the-art viruses try to encrypt themselves
in order to avoid being detected by an antivirus search. This is often done with
a combination of encryption and self-modifying code. A virus that uses this technique
is said to be polymorphic.
There are usually two different parts of the
virus when we speak of polymorphic viruses: The encryption/decryption engine and
the infector. The crypto engine encrypts/decrypts the infector. Each time the
virus runs it uses a different cryptokey. The crypto engine cannot encrypt itself,
because if it did, there would be no code to decrypt the engine next time the
virus ran. Therefore, the crypto-engine has to use a form of self modifying code
to modify itself differently each time it runs, without any part of the original
algorithm getting lost. This is possible to do with a good knowledge of assembly
language and the use of polymorphic code. Viruses and popular softwareAnother
analogy to biological viruses is worth noting: just as genetic diversity in a
population decreases the chance of a single disease wiping out a population, the
diversity of software systems on a network similarly limits the destructive potential
of viruses.
This became a particular concern in the 1990s, when Microsoft
gained market dominance in desktop operating systems and office software. Users
of Microsoft software (especially networking software such as Microsoft Outlook
and Microsoft Internet Explorer) are particularly vulnerable to the spread of
viruses.
Integrated applications, applications with scripting languages
with access to the file system (eg: Visual Basic Script, or VBS, and applications
with networking features) are also particularly vulnerable. Viruses and software
developmentBecause software is often designed with security features to prevent
unauthorized use of system resources, many viruses must exploit software bugs
in a system or application to spread. Software development strategies which produce
large numbers of bugs will generally also produce potential exploits.
Closed-source software development as practiced by Microsoft and other commercial
software companies is also seen by some as a security weakness. Open source software
such as Linux, for example, allows all users to find and fix security problems
without relying on a single vendor. Some advocate that commercial software makers
practice vulnerability disclosure to ameliorate this weakness. CountermeasuresMany
users install anti-virus software that can detect and eliminate known viruses
after the computer downloads or mounts the executable. Some virus scanners can
also warn a user if a file is likely to contain a virus based on the file type;
some antivirus vendors also claim the effective use of other types of heuristic
analysis. Some industry groups do not like this practice because it often increases
the number of false positives the anti-virus software detects. They work by examining
the contents of the computers memory (its RAM, and boot sector) and the files
stored on fixed or removable drives (hard drives, floppy drives), and comparing
those files against a database of known virus signatures. Some anti-virus programs
are able to scan opened files in addition to sent and received emails 'on the
fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus
software does not change the underlying capability of host software to transmit
viruses. Users must therefore update their software regularly to patch security
holes. Anti-virus software also needs to be updated in order to gain knowledge
about the latest threats and hoaxes.
A well-patched and well-maintained
Unix system is very well-secured against viruses. Windows has the same type of
scripting ability as Unix-based systems, but doesn't natively block normal users
from executing such scripts written by a third-party as Unix does for users who
are not running as root. More recently, Microsoft's Outlook (but not Outlook Express)
e-mail client has developed similar features when dealing with executable file
types that Outlook may download as attachments. Ordinary users would do well to
patch their operating systems and e-mail clients to prevent viruses and worms
from reproducing through security "holes" which prudence (and most virus scanners)
are unable to prevent. | |
|
|
|
BluePink 