COMPUTER ATTACKS: VIRUSES
Discussion: It is important for everyone to understand computer viruses better, since they have become a real part of our computational life. Viruses are not autonomous; they are programs written by people. These people often have a point to make, want to test their skills, want to make a mark on the world, or have malicious intent against an entity or state. Like biological viruses, computer viruses require a “host” to infect. Once a virus program is executed, it is able to do its “dirty work” to the local system, network, and peripheral devices, or to create vulnerabilities to be exploited later. Precautions are necessary to ensure the integrity of the system. Technical staff should become familiar with virus technology and methodology in order to understand the vulnerabilities and damage that these nuisance programs cause.
DEFINITIONS:
Cross-Scripting: A technique used by attackers to insert malicious code into a web page in place of mobile code or an application module known as an applet. This is a delivery mechanism capable of delivering and executing a virus program as the web page loads. Defending against this kind of assault is difficult. The end user may observe a blanked-out area on the page where the applet or image should have appeared. Current virus checkers use heuristic algorithms that monitor the behavior of running cross-scripted programs, which aids in identifying newer viruses.
Logic Bombs, Time Bombs, and Easter Eggs: A focused virus designed to trigger when a specific event occurs or after a specified amount of time. The result of this type of virus is almost always catastrophic. These viruses are often scripted in login scripts or batch files, or buried in code placed by an individual on a target system, and are mostly the work of disgruntled employees. For example, programmers have been known to place Easter eggs, malicious routines buried deep inside code, in order to assure job security. Should they be fired or their user account deleted, the routine executes, wiping drives, shutting the system down, or beginning some other form of hostile action such as emailing sensitive information to competitors. Currently, every version of Microsoft Word has an Easter Egg embedded: typing the text =rand() in a Word document and then pressing the Enter key causes three paragraphs to appear in the document. Microsoft has officially commented that this is not an Easter Egg, but it does demonstrate how such a hidden routine can be invoked.
Malicious Logic: This is hardware, software, or firmware intentionally included, installed, or delivered to an information system or network for unauthorized purposes.
Polymorphic Virus: A virus that infects each object differently in an attempt to fool virus scanners. These viruses cannot be detected with a simple pattern match, as most viruses can. They impersonate a legitimate program such as format.com; the impersonating code can be prepended, embedded, or appended to the legitimate file.
Resident Virus: The virus is usually broken into multiple pieces, such as the main code and a small launcher application. This type of virus attaches itself to the operating system, where it hides the small launcher and loads into memory on boot. These viruses attempt to hide their main code between tracks or beyond the writeable area of the disk. In doing so, the code can survive either a low-level or a high-level format of the drive: low-level formats re-establish the cylinder, track, and sector locations, while high-level formats zero out the file allocation tables and rewrite the addresses. The launcher may also be polymorphic, infecting a legitimate program like format.com, so when someone formats the drive to eliminate the virus, the main code is preserved and the small launcher is loaded again.
Robots (BOTS): Rogue programs that, when placed on a network or the Internet, explore the system by simulating human activity and then communicate their findings to a host. These programs often migrate or travel through networks, gaining access along the way to servers, routers, gateways, and workstations. They are most often used to gather intelligence data, aggregate information, or map pathways as spiders do. On the Internet, the most common BOTS are the programs that access web sites to gather content for search engines. These BOTS are often called crawlers, aggregators, and spiders; each has a different purpose.
Trojan Horse: A program that has embedded virus code designed to trigger on an event or at a date and time. These programs appear to benefit the user but instead gather intelligence, create back doors, or are designed to damage information stored on the system. The difference between a Trojan Horse and a logic bomb, time bomb, or Easter Egg is the end user's involvement: end users knowingly run a Trojan Horse, thinking it is a legitimate application, while they have no awareness of or direct contact with a logic bomb, time bomb, or Easter Egg.
Virus: Any program written with malicious intent that, when executed, causes damage in some form and reproduces its own code or attaches itself to another program to that end.
Worms: An independent, self-reproducing virus program, distinguished from other virus forms in that it is not attached to another program file but is able to propagate over a network and increase its activity by gaining access to email contact lists or routing tables.
LESSON:
Computer viruses may seem mysterious, but they are easy to understand. Viruses are nothing more than destructive software that spreads from program to program or disk to disk. If you have a virus, you are no longer in control of your personal computer (PC). When you boot your PC or execute a program, the virus may also be executing and spreading its infection. Even though some viruses are less malicious than others, they are all disastrous in their own ways.
Characteristics of Viruses
There are different ways to categorize viruses depending on their characteristics. They can be slow, fast, sparse, companion, or overwriting.
Slow viruses - Viruses that take longer to detect because they spread very slowly and often do not cause havoc until they have proliferated in sufficient numbers. They often bury themselves in network noise and attempt to disguise any pattern in their activity from intrusion detection or virus detection systems.
Fast viruses - Viruses that spread rapidly by aggressively infecting everything they can access. When active in memory, they infect not only the programs that are executed but also the programs that are merely opened.
Sparse viruses - Viruses that infect files only occasionally, for example only files whose length falls within a certain range, in order to avoid detection.
Companion viruses - Viruses that create a new program. Companion viruses use the fact that files can share the same filename with different extensions, and switch these files. You will notice there is a problem when you normally run an .EXE file and end up running a .COM file instead.
Overwriting viruses - Viruses that overwrite each file they infect with themselves, so the original program no longer functions. These files are considered impostors.
Existence of Viruses
The question on everyone's mind when computer viruses are discussed is: how do I know when I have a virus? Viruses have different characteristics, but there are small changes you can look for, and these changes will let you know that you have a virus. Some viruses display messages, music, or pictures. The main indicators are changes in the size and content of your programs. Once you realize that you have a computer virus, you must stop it. Viruses are written to deliberately invade a victim's computer, which makes them the most difficult threat to guard against.
Virus Behavior
Computer viruses are known to be in different forms, but they all have two phases to their execution: the infection and the attack phases.
a. Infection phase - When a user executes a program with a virus, the virus infects other programs. Some infect programs each time they are executed, and others infect upon a certain trigger such as a day or time. If a virus infects too soon, it can be discovered before it does its “dirty work”. Virus writers want their programs to spread as far as possible before they are detected or before they begin to achieve their objective, at which point they will become known.
Many viruses go resident in memory, just as a terminate-and-stay-resident (TSR) program does. This means that the virus can wait an extended period of time for something as simple as the insertion of a floppy before it actually infects a program. TSR viruses are very dangerous since it is hard to guess what trigger condition they use for their infection. Resident viruses occupy memory space and can cause the infamous Blue Screen of Death in Microsoft operating systems.
b. Attack phase - Many viruses do unpleasant things such as deleting files, simulating typing, garbling the video display, or slowing down your PC. Others do less harmful things such as displaying messages or animations on your screen. Just as the infection phase can be triggered, the attack phase has its own trigger. Most viruses delay revealing their presence by launching their attack only after they have had time to spread. This could be delayed for days, weeks, or even years.
The attack phase is optional. Anything that writes itself to your disk without permission is stealing storage space. Many viruses simply reproduce without any trigger for an attack phase. These viruses still damage the programs or disks they infect; this is not intentional on the part of the virus writer, but happens because the virus often contains very poor coding.
Classes of Viruses
There are four main classes of viruses: File Infectors, System or Boot Sector infectors, Macro viruses, and Stealth viruses.
File Infectors - Of all the known viruses, these are the most common. File infectors attach themselves to files they know how to infect, usually .COM and .EXE, and overwrite part of the program. When the program is executed, the virus executes and infects more files. Overwriting viruses do not tend to be very successful, since the program rarely continues to function properly; when this happens, the virus is almost immediately discovered. More sophisticated file viruses modify the program so that the original instructions are saved and executed after the virus finishes. File infectors can also remain resident in memory and use “stealth” techniques to hide their presence.
System or Boot Sector Infectors - These viruses plant themselves in your system sectors. System sectors are special areas on your disk containing programs that are executed when you boot your PC. These sectors are invisible to normal programs but are vital to the operation of your PC. There are two types of system sectors on DOS PCs: DOS boot sectors and partition sectors (also known as Master Boot Records, or MBRs).
System sector viruses, commonly known as boot sector viruses, modify the program in either the DOS boot sector or the partition sector. One example would be receiving a floppy from a trusted source that carries a boot sector virus. While your operating system is running, files on the floppy can be read without triggering the virus. But if you leave the floppy in the drive, turn the computer off, and turn it back on, the computer will look in your floppy drive first. It will find your floppy with its boot sector virus, load it, and make it temporarily impossible to use your hard drive.
Macro Viruses - This particular type of virus seems to be the most misunderstood. It can also be classified as a file virus because it is carried in files belonging to Microsoft Office applications, which have their own macro languages built in. These viruses execute because Microsoft has defined special macros that run automatically; the mere act of opening an infected Word document or Excel spreadsheet can allow the virus to execute. Macro viruses have been successful because most people regard documents as data and not as programs.
Stealth Viruses - These viruses attempt to hide their presence. Some techniques include hiding the change in a file's date and time and the increase in its size. Others can prevent anti-virus software from reading the part of the file where the virus is loaded. They can also encrypt the virus code using variable encryption techniques.
Widespread Myths
Viruses are often misunderstood. They can only infect your computer if you execute an infected file or boot from an infected floppy disk. Here are a few other common myths being spread regarding viruses.
You can get a virus from data. Data is not an executable program, so this is a myth. If someone sends you a data file that contains a virus, you would have to rename the file and execute it to become infected. In essence, the virus must be executable in order to be hostile; data is inert and simply consumes space.
Viruses can infect your CMOS memory. CMOS stands for Complementary Metal Oxide Semiconductor. It is functionally different from the dynamic TTL (Transistor-Transistor Logic) RAM used for executing programs. The CMOS memory is very small and is not designed to hold executable routines; it contains system configuration, time, and date information. Viruses can damage your CMOS, but the CMOS will not get infected. If your CMOS memory is corrupted, you may not be able to access your disks or boot your PC.
You can write-protect your hard drive. Some programs claim to write-protect your hard drive. This can only be done by software. Write protection will stop some viruses and will protect your disk from someone inadvertently writing to it, but it also renders updates and normal operation of the computer ineffective, since swap files and other temporary caching cannot be completed.
Viruses come from online systems. Online systems are pivotal in the spread of viruses. It is after downloading that there are innumerable methods of invoking the virus: macros, automatic reposting of a web page, automatic viewing of emails, and other methods. Even loading a plug-and-play DVD, CD-ROM, or memory stick can invoke a virus.
You can get a virus from graphic files. Graphic files, such as .JPG or .GIF, contain images that are simply displayed. In order to get a virus, a program has to be executed, and since graphic files are nothing more than data files, they pose no executable threat. However, through the technique of steganography, text and data, including code, can be embedded in an image file. A launcher program may know this and look for the embedded code to call in and execute; however, the launcher is separate from the image file and is the executable part.
Virus Protection Software
There are many techniques that can be used to detect viruses on computers, each with its own strengths and weaknesses. It would be ideal to stop viruses from infecting your computer altogether. Since that cannot be done, we can do the next best thing: use anti-virus software and attempt to detect viruses. If you detect a virus, you can remove it and prevent it from spreading.
Virus Scanners
Scanning is the only technique that can recognize a virus while it is still active. Once a virus has been detected, it is important to remove it as quickly as possible. Virus scanners look for special code characteristic of a virus: the writer of a scanner extracts identifying pieces from the code that the virus inserts, and the scanner uses these pieces to search memory, files, and system sectors. If a match is found, the virus scanner announces that a virus has been found and seeks to isolate it.
If scanning is your only defense against viruses, you can improve the odds of detecting a virus on your computer by using two or more scanners. You should also make sure that you get the latest version of virus scanners.
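As an added illustration of how a scanner matches extracted identifying byte sequences, the following is example code written for this page, not taken from any vendor product: it compiles hex signatures with ?? wildcard bytes into byte regexes and scans a file in chunks with an overlap so that a signature straddling a chunk boundary is still found. The signature names and byte patterns are constructed samples (harmless ASCII), not real virus code.

```python
"""Added example: a minimal signature scanner of the kind the section describes."""
import os
import re
import tempfile

# Constructed sample signatures (hypothetical names; the bytes are harmless ASCII
# chosen for the demo, not taken from any real virus).  "??" is a wildcard byte.
SIGNATURES = {
    "Sample.Appender.A": "53 41 4D 50 4C 45 ?? ?? 41 50 50 45 4E 44",  # SAMPLE??APPEND
    "Sample.Prepender.B": "50 52 45 ?? 50 45 4E 44 45 52",             # PRE?PENDER
}

def compile_signature(hex_pattern: str):
    """Turn 'DE AD ?? EF' into a bytes regex; each '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan_bytes(data: bytes, sigs: dict = SIGNATURES) -> list:
    """Return (signature name, offset) for every match inside data."""
    hits = []
    for name, pattern in sigs.items():
        for m in compile_signature(pattern).finditer(data):
            hits.append((name, m.start()))
    return hits

def scan_file(path: str, sigs: dict = SIGNATURES, chunk_size: int = 1 << 20) -> list:
    """Scan a file chunk by chunk.  The tail of the previous chunk (one byte shorter
    than the longest signature) is carried over so a match across a boundary is found."""
    if not sigs:
        return []
    overlap = max(len(p.split()) for p in sigs.values()) - 1
    found = set()          # a set removes duplicate hits produced by the overlap
    base = 0               # absolute file offset of data[0]
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            data = tail + block
            for name, off in scan_bytes(data, sigs):
                found.add((name, base + off))
            tail = data[-overlap:] if overlap else b""
            base += len(data) - len(tail)
    return sorted(found, key=lambda hit: (hit[1], hit[0]))

def demo(chunk_size: int = 5) -> list:
    """Write a constructed file containing both samples and scan it with a tiny chunk
    size so that every signature crosses at least one chunk boundary."""
    sample = b"header SAMPLE--APPEND body PRE_PENDER tail"   # constructed input
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(sample)
        return scan_file(path, chunk_size=chunk_size)
    finally:
        os.remove(path)

if __name__ == "__main__":
    for name, offset in demo():
        print(f"{name} at offset {offset}")
```

Running the demo with a 5-byte chunk and with a 1 MiB chunk must give identical hits; if the overlap were dropped, the small-chunk run would miss both signatures.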
Disinfector
Most vendors that sell scanners also offer a disinfector. A disinfector has the same limitations as a scanner, except that it must be current to be safe to use. A disinfector also has an even bigger disadvantage: many viruses cannot be removed without damaging the infected file. There have also been many reports of files still being damaged even when the program claims to have disinfected them. A disinfector is good to use, but use it with care.
Another disadvantage of a disinfector is that some of your programs may no longer work after being disinfected. Many disinfectors will not tell you that they failed to correctly restore the original program. You can safely use a disinfector if you have the capability to check and make sure the original file is restored.
Interceptors
Interceptors, also known as resident monitors, are particularly useful for deflecting logic bombs and Trojans. The interceptor monitors operating system requests that write to disk or do other things that the program considers threatening. If such a request is found, it generally pops up and asks you whether to allow the request to continue. There is no reliable way to intercept direct branches into low-level code or to intercept direct input and output instructions performed by the virus, and some viruses attempt to modify the interrupt vectors to disable any monitoring code. It is important to realize that monitoring is risky. An interception product is useful as a supplement to another protection program, but there are many ways to bypass interceptors, so you should not depend on them as a primary defense against viruses.
Inoculators
Inoculators are also known as immunizers. There are two types. One type modifies your files or system sectors in an attempt to fool viruses into thinking the file is already infected. It does this by making the same changes that the viruses use to identify the file or sector as infected. Presumably, the virus will not infect anything because it will think that everything is already infected. This works only for a small number of viruses and is considered unreliable today.
The second type attempts to make your programs self-check by attaching a small section of check code to each program. When the program executes, the check code first calculates the check data and compares it to the stored data, and warns you of any changes to the program. The disadvantage is that the self-checking code and check data can themselves be modified or disabled. Another disadvantage is that some programs refuse to run if they have been modified this way. This can also raise alarms from other anti-virus programs, since the self-check code changes the original program in the same way a virus would. Some products use this technique to substantiate their claim to detect unknown viruses. As a result, this is not a reliable way to get rid of viruses.
Integrity Checker
An integrity checker reads your entire disk and records integrity data, which acts as a signature for the files, boot sectors, and other areas. A virus must change something on your computer; the integrity check identifies these changes and alerts you to a virus. This program is the only solution that can handle all the other threats to your data along with viruses, and it provides the only reliable way to find out what damage a virus has done. A well-written integrity checker should be able to detect any virus, not just known viruses.
An integrity checker will not identify a virus by name unless it includes a scanner component. Many anti-virus products now incorporate this technique. Some older integrity checkers were simply too slow or too hard to use to be truly effective. A disadvantage of a bare-bones integrity checker is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus. Make sure to verify that your product reads all files and system sectors in their entirety rather than just spot-checking.
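As an added example, written for this page and not taken from any product, the following integrity checker does what this section describes: it records a SHA-256 digest of every file in a tree, reads each file in full rather than spot-checking, and on a later run reports files that were added, removed, or modified. The demo scenario also covers the companion-virus case from the lesson above, flagging a .COM that appears beside an .EXE of the same name; all file names and contents are constructed.

```python
"""Added example: a baseline-and-compare integrity checker for a directory tree."""
import hashlib
import json
import os
import tempfile

def hash_file(path: str) -> str:
    """SHA-256 over the whole file, read in blocks so large files are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            digest.update(block)
    return digest.hexdigest()

def build_baseline(root: str) -> dict:
    """Integrity data: relative path -> size and digest for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": hash_file(full)}
    return baseline

def companion_pairs(snapshot: dict) -> list:
    """Names present as both .EXE and .COM, the trace a companion virus leaves behind."""
    stems = {}
    for rel in snapshot:
        stem, ext = os.path.splitext(rel)
        stems.setdefault(stem.upper(), set()).add(ext.upper())
    return sorted(s for s, exts in stems.items() if {".EXE", ".COM"} <= exts)

def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference.  A file infector shows up as 'modified' (usually with
    a size increase).  The checker cannot tell a virus from bug-induced corruption."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            report["modified"].append(rel)
    report["companion_pairs"] = companion_pairs(current)
    return report

def _write(path: str, data: bytes, mode: str = "wb") -> None:
    with open(path, mode) as f:
        f.write(data)

def demo() -> dict:
    """Constructed scenario: baseline a tree, then simulate an appending infection, a
    dropped companion file, and a deleted data file.  The baseline is round-tripped
    through JSON as it would be when stored offline between runs."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "EDIT.EXE"), b"MZ constructed program body")
        _write(os.path.join(root, "README.TXT"), b"constructed data file")
        baseline = json.loads(json.dumps(build_baseline(root)))
        _write(os.path.join(root, "EDIT.EXE"), b"<constructed appended code>", "ab")
        _write(os.path.join(root, "EDIT.COM"), b"<constructed companion launcher>")
        os.remove(os.path.join(root, "README.TXT"))
        return compare(baseline, build_baseline(root))
```

Call demo() to see the report; in practice the baseline must be kept where the monitored system cannot rewrite it, or an infector that reaches it can hide its own changes.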
Other Threats to Computers
There are many other threats to your computer. Problems with hardware, software, and typos are more likely to cause undetected damage to your data and may appear virus-like. It is easy to understand the threat that disk failure represents. Even though viruses are a threat, we need to address other threats as well by building fault tolerance into our systems, running multiple processor cores, and installing stable, quality RAM. Even driver updates can cause damage and loss of data; therefore, automatic updates should be turned off and all updates reviewed regularly.
Conclusion
There are many variants of viruses in the real world today. No one is safe from being infected, which is why it is so important to take precautions. If you receive anything from an unknown source, delete it. Always update your antivirus with the latest signature files. Most viruses do little damage, but there are others that can delete important files from your hard drive, causing your PC to become inoperable. A few minutes of prevention is better than several hours of frustration and lost data.