What is a Computer Virus?


Tags: Virus, Computer Virus

A Computer Virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be infected with a computer virus, a metaphor derived from biological viruses.

Computer viruses generally require a host program. The virus writes its own code into the host program. When the program runs, the written virus code is executed first, causing infection and damage. By contrast, a computer worm does not need a host program, as it is an independent program or code chunk. It is therefore not restricted by a host program and can run independently and actively carry out attacks.

Virus writers use social engineering deceptions and exploit detailed knowledge of security vulnerabilities to infect systems and spread the virus initially. Viruses use complex anti-detection/stealth strategies to evade antivirus software. Motives for creating viruses include seeking profit (e.g., ransomware), sending a political message, personal amusement, demonstrating that a vulnerability exists in software, sabotage and denial of service, or simply a wish to explore cybersecurity issues, artificial life, and evolutionary algorithms.

As of 2013, computer viruses caused billions of dollars' worth of economic damage each year. In response, an antivirus software industry has cropped up, selling or freely distributing virus protection to users of various operating systems.

History of Computer Viruses

The first academic work on the theory of self-replicating computer programs was done in 1949 by John von Neumann who gave lectures at the University of Illinois about the "Theory and Organization of Complicated Automata". The work of Von Neumann was later published as the "Theory of self-reproducing automata". In his essay, Von Neumann described how a computer program could be designed to reproduce itself. Von Neumann's design for a self-reproducing computer program is considered the world's first computer virus, and he is considered to be the theoretical "father" of computer virology.

In 1972, Veith Risak, directly building on Von Neumann's work on self-replication, published his article "Selbstreproduzierende Automaten mit minimaler Informationsübertragung" (Self-reproducing automata with minimal information exchange). This article describes a fully functional virus written in assembler programming language for a SIEMENS 4004/35 computer system.

The Creeper virus was first detected on ARPANET, the forerunner of the internet, in the early 1970s. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'M THE CREEPER. CATCH ME IF YOU CAN!" was displayed. The Reaper program was created to delete Creeper.

In 1982, a program called "Elk Cloner" was the first personal computer virus to appear "in the wild" - that is, outside the single computer or computer lab where it was created. Written in 1981 by Richard Skrenta, a ninth grader at Mount Lebanon High School near Pittsburgh, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk. On its 50th use, the Elk Cloner virus would be activated, infecting the personal computer and displaying a short poem beginning "Elk Cloner: The program with a personality".

Design of Computer Viruses

Parts of a Computer Virus

A computer virus generally contains three parts: the infection mechanism, which finds and infects new files, the payload, which is the malicious code to execute, and the trigger, which determines when to activate the payload.

  1. Infection Mechanism: Also called the infection vector, this is how the virus spreads. Some viruses have a search routine, which locates and infects files on disk. Other viruses infect files as they are run, such as the Jerusalem DOS virus.
  2. Trigger: Also known as a logic bomb, this is the part of the virus that determines the condition for which the payload is activated. This condition may be a particular date, time, presence of another program, size on disk exceeding a threshold, or opening a specific file.
  3. Payload: The payload is the body of the virus that executes the malicious activity. Examples of malicious activities include damaging files, theft of confidential information, or spying on the infected system. Payload activity is sometimes noticeable as it can cause the system to slow down or "freeze". Sometimes payloads are non-destructive and their main purpose is to spread a message to as many people as possible. This is called a virus hoax.

Phases of a Computer Virus

Virus phases are the life cycle of the computer virus, described by using an analogy to biology. This life cycle can be divided into four phases:

  1. Dormant Phase: The virus program is idle during this stage. The virus program has managed to access the target user's computer or software, but during this stage, the virus does not take any action. The virus will eventually be activated by the trigger which states which event will execute the virus. Not all viruses have this stage.
  2. Propagation Phase: The virus starts propagating, which is multiplying and replicating itself. The virus places a copy of itself into other programs or certain system areas on the disk. The copy may not be identical to the propagating version; viruses often "morph" or change to evade detection by IT Professionals and antivirus software. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
  3. Triggering Phase: A dormant virus moves into this phase when it is activated, and will now perform the function for which it was intended. The triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself. The trigger may occur when an employee is terminated from their employment or after a set period has elapsed, to reduce suspicion.
  4. Execution Phase: This is the actual work of the virus, where the "payload" will be released. It can be destructive such as deleting files on disk, crashing the system, or corrupting files, or relatively harmless such as popping up humorous or political messages on screen.

Targets and Replication of Computer Viruses

Computer viruses infect a variety of different subsystems on their host computers and software. One manner of classifying viruses is to analyze whether they reside in binary executables (such as .EXE or .COM files), data files (such as Microsoft Word documents or PDF files), or in the boot sector of the host's hard drive (or some combination of all of these).

A memory-resident virus (or simply "resident virus") installs itself as part of the operating system when executed, after which it remains in RAM from the time the computer is booted up to when it is shut down. Resident viruses overwrite interrupt handling code or other functions, and when the operating system attempts to access the target file or disk sector, the virus code intercepts the request and redirects the control flow to the replication module, infecting the target. In contrast, a non-memory-resident virus (or "non-resident virus"), when executed, scans the disk for targets, infects them, and then exits (i.e., it does not remain in memory after it is done executing).

Many common applications such as Microsoft Outlook and Microsoft Word, allow macro programs to be embedded in documents or emails, so that the programs may be run automatically when the document is opened. A macro virus (or "document virus") is a virus that is written in a macro language and embedded into these documents so that when users open the file, the virus code is executed, and can infect the user's computer. This is one of the reasons that it is dangerous to open unexpected or suspicious attachments in emails. While not opening attachments in emails from unknown persons or organizations can help to reduce the likelihood of contracting a virus, in some cases, the virus is designed so that the email appears to be from a reputable organization (e.g., a major bank or credit card company).

Boot sector viruses specifically target the boot sector and/or the Master Boot Record (MBR) of the host's hard disk drive, solid-state drive, or removable storage media (flash drives, floppy disks, etc).

The most common way of transmitting boot sector viruses is physical media. When the computer reads the volume boot record (VBR) of an infected floppy disk or USB flash drive connected to it, the boot code on that medium is transferred and modifies or replaces the existing boot code. The next time the user starts the computer, the virus immediately loads and runs as part of the master boot record.

Email viruses are viruses that intentionally, rather than accidentally, use the email system to spread. While virus-infected files may be accidentally sent as email attachments, email viruses are aware of email system functions. They generally target a specific type of email system (Microsoft Outlook is the most commonly used), harvest email addresses from various sources, and may append copies of themselves to all email sent, or may generate email messages containing copies of themselves as attachments.

Detection of Computer Viruses

To avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool antivirus software, however, especially software that maintains and dates cyclic redundancy checks (CRCs) on file changes. Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl virus, infects Portable Executable files; because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.

Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them (for example, Conficker). A virus may also hide its presence using a rootkit, by not showing itself on the list of system processes or by disguising itself within a trusted process. In the 2010s, as computers and operating systems grew larger and more complex, old hiding techniques needed to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access. In addition, only a small fraction of known viruses actually cause incidents, primarily because many viruses remain below the theoretical epidemic threshold.

Read Request Intercepts

While some kinds of antivirus software employ various techniques to counter stealth mechanisms, once the infection occurs any resource to "clean" the system is unreliable. In Microsoft Windows operating systems, the NTFS file system is proprietary. This leaves antivirus software little alternative but to send "read" requests to Windows files that handle such requests. Some viruses trick antivirus software by intercepting its requests to the operating system. A virus can hide by intercepting the request to read the infected file, handling the request itself, and returning an uninfected version of the file to the antivirus software. The interception can occur by code injection of the actual operating system files that would handle the read request. Thus, an antivirus software attempting to detect the virus will either not be permitted to read the infected file, or, the "read" request will be served with the uninfected version of the same file.

The only reliable method to avoid "stealth" viruses is to boot from a medium that is known to be "clear". Security software can then be used to check the dormant operating system files. Most security software relies on virus signatures or employs heuristics. Security software may also use a database of file "hashes" for Windows OS files, so the security software can identify altered files, and request Windows installation media to replace them with authentic versions. In older versions of Windows, cryptographic hash functions of Windows OS files stored in Windows - to allow file integrity/authenticity to be checked - could be overwritten so that the System File Checker would report that altered system files are authentic, so using file hashes to scan for altered files would not always guarantee finding an infection.
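As an added example (not part of the original article), the integrity check that both the stealth paragraph and the hash-database paragraph above rely on, written in Python: content hashes and a CRC are recorded for every file in a tree, and a file is flagged when its content changes even though its size and "last modified" date were preserved, which is exactly what defeats the DOS-era date trick and cavity infections described earlier. The file names and the tampering scenario in `demo()` are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import zlib
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Size, mtime, CRC32 and SHA-256 of one file."""
    data = path.read_bytes()
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
        "crc32": f"{zlib.crc32(data):08x}",
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path.
    Store the result off the scanned system or on read-only media."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline and return {path: reason} for
    every difference. Size and mtime alone are not trusted: the content
    hash catches cavity-style changes that leave both untouched."""
    current = build_baseline(root)
    findings = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = "missing"
        elif new["sha256"] != old["sha256"] or new["crc32"] != old["crc32"]:
            kept = [k for k in ("size", "mtime") if new[k] == old[k]]
            findings[rel] = "modified, " + (", ".join(kept) + " unchanged" if kept else "metadata changed")
    for rel in sorted(current.keys() - baseline.keys()):
        findings[rel] = "new file"
    return findings


def demo() -> dict:
    """Constructed scenario: a fake executable with a zero-filled slack region
    is baselined, then 16 bytes of that slack are overwritten in place and the
    original mtime is put back, so size and date look untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        host = root / "host.exe"
        host.write_bytes(b"MZ" + b"\x90" * 100 + b"\x00" * 1024)
        baseline = build_baseline(root)
        before = host.stat()
        body = bytearray(host.read_bytes())
        body[200:216] = b"X" * 16          # same length: size does not change
        host.write_bytes(bytes(body))
        os.utime(host, ns=(before.st_atime_ns, before.st_mtime_ns))
        return verify(root, baseline)
```

Run `verify()` from a clean boot medium against a baseline kept elsewhere; a baseline stored on the scanned disk can be rewritten just like the Windows hash store the text describes.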

Self Modification

Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. Different antivirus programs will employ different search methods when identifying viruses. If a virus scanner finds such a pattern in a file, it will perform other checks to make sure that it has found the virus, and not merely a coincidental sequence in an innocent file, before it notifies the user that the file is infected. The user can then delete, or in some cases clean or heal the infected file. Some viruses employ techniques that make detection using signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.

One method of evading signature detection is to use simple encryption to encipher (encode) the body of the virus, leaving only the encryption module and a static cryptographic key in cleartext, which do not change from one infection to the next. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus body using signatures, but it can still match the constant decrypting module, which makes indirect detection possible. Since these are symmetric keys stored on the infected host, it is entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that finding some may be reason enough for virus scanners to at least "flag" the file as suspicious. An old but compact way is the use of arithmetic operations like addition or subtraction and logical operations such as XOR, where each byte of the virus is XORed with a constant, so that the exclusive-or operation only has to be repeated for decryption. It is suspicious for code to modify itself, so the code that does the encryption/decryption may be part of the signature in many virus definitions.

A simpler older approach did not use a key, where the encryption consisted only of operations with no parameters, like incrementing and decrementing, bitwise rotation, arithmetic negation, and logical NOT. Some viruses, called polymorphic viruses, will employ a means of encryption inside an executable in which the virus is encrypted under certain events, such as the virus scanner being disabled for updates or the computer being rebooted. This is called cryptovirology.

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, the decryption module is itself changed on each infection, so there are no parts that remain identical between infections, making it very difficult to detect the virus directly using "signatures". Antivirus software can detect it by decrypting the virus using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called "mutating engine" or "mutation engine") somewhere in its encrypted body.
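An added example, not from the original article, that implements the two detection approaches just mentioned against the constant-key XOR scheme described under self-modification: every possible single-byte key is tried (a cheap stand-in for running the decryptor in an emulator), and each window of the file is scored by byte entropy as the statistical pass. The signatures, the decoder stub and the sample buffer are constructed placeholders, not real definitions or real malware.

```python
import math
from collections import Counter

# Constructed signatures standing in for a scanner's definition database:
# the first matches the decrypting loop that stays in cleartext from one
# infection to the next, the second the body it protects.
SIGNATURES = {
    "decoder-stub": b"DECODE-LOOP-STUB",
    "body-marker": b"VIRUS-BODY-MARKER",
}


def xor_single_byte(buf: bytes, key: int) -> bytes:
    """XOR every byte with one constant; applying it twice restores the input."""
    return bytes(b ^ key for b in buf)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: near 8 for encrypted or compressed data, well below for code and text."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def find_under_xor(buf: bytes, sig: bytes) -> list:
    """All (key, offset) pairs at which decoding buf with a single-byte key
    would expose sig. Searching for sig XOR key is equivalent and avoids
    decoding the whole buffer 256 times; key 0 is the unencrypted case."""
    hits = []
    for key in range(256):
        encoded = xor_single_byte(sig, key)
        off = buf.find(encoded)
        while off != -1:
            hits.append((key, off))
            off = buf.find(encoded, off + 1)
    return hits


def scan(buf: bytes, window: int = 256, threshold: float = 7.0) -> dict:
    """Decrypt-and-match for every signature plus a statistical pass that
    flags windows whose entropy is too high for ordinary code or text."""
    report = {"matches": [], "high_entropy_windows": []}
    for name, sig in SIGNATURES.items():
        for key, off in find_under_xor(buf, sig):
            report["matches"].append({"signature": name, "key": key, "offset": off})
    for start in range(0, len(buf), window):
        ent = round(shannon_entropy(buf[start:start + window]), 2)
        if ent >= threshold:
            report["high_entropy_windows"].append((start, ent))
    return report


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed input: 256 bytes of plain text, the cleartext decoder stub,
    then a body XOR-encoded with one constant key. The body ends with a
    256-byte block containing every byte value once (entropy exactly 8.0),
    standing in for a well-encrypted payload region."""
    text = (b"Ordinary program code and strings live here. " * 6)[:256]
    body = SIGNATURES["body-marker"] + b"\x00" * 223 + bytes(range(256))
    return text + SIGNATURES["decoder-stub"] + xor_single_byte(body, key)
```

On the constructed sample, `scan()` reports the stub under key 0 at offset 256, the body marker under key 0x5A at offset 272, and one high-entropy window at offset 512; a key that changes per infection only moves the second finding, while the first stays put, which is the text's point about the constant decrypting module.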

Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for antivirus professionals and investigators to obtain representative samples of the virus, because "bait" files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.

To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that utilize this technique are said to be in metamorphic code. To enable metamorphism, a "metamorphic engine" is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14,000 lines of assembly language code, 90% of which are part of the metamorphic engine.

Effects of Computer Viruses

Damage is due to causing system failure, corrupting data, wasting computer resources, increasing maintenance costs, or stealing personal information. Even though no antivirus software can uncover all computer viruses (especially new ones), computer security researchers are actively searching for new ways to enable antivirus solutions to detect emerging viruses, before they can become widely distributed.

A power virus is a computer program that executes specific machine code to reach the maximum CPU power dissipation (thermal energy output of the central processing unit). Computer cooling apparatus is designed to dissipate power up to the thermal design power rather than maximum power, and a power virus could cause the system to overheat if it does not have logic to stop the processor. This may cause permanent physical damage. Power viruses can be malicious, but are often suites of test software used for integration testing and thermal testing of computer components during the design phase of a product, or for product benchmarking.

Stability test applications are similar programs that have the same effect as power viruses (high CPU usage) but stay under the user's control. They are used for testing CPUs, for example, when overclocking. A spinlock in a poorly written program may cause similar symptoms if it lasts sufficiently long.

Different micro-architectures typically require different machine codes to hit their maximum power. Examples of such machine code do not appear to be distributed in CPU reference materials.

Author: Mikhail
