
How Computers Work, Part I
August 2001 • Vol. 5 Issue 3
Page(s) 162-167 in print issue

Understanding The True Nature Of Viruses
Look Beyond The Hype & Recognize Those With Real Risks
When you think about a computer virus, images of mass destruction, system crashes, and irretrievable data might spring to mind. But once these messengers of chaos are examined and understood, much of the mystery and terror that viruses once inflicted upon computer users tends to dissipate into common-sense caution.

Despite widespread belief to the contrary, few of the existing viruses pose a real threat to computer users. By far, the majority of viruses (at least 20,000) are created in various labs as research tools. This “zoo” of viruses is not a danger to the public because the stock merely exists for computer science studies and is not being circulated among the world’s computers.

Viruses “in the wild” are pathogens considered to be in circulation once they’ve been found on two or more computers. In reality, however, they constitute a much smaller number than consumers often hear reported. According to a widely accepted authority on viruses in the wild, the WildList Organization International (http://www.wildlist.org), only 207 wild viruses were reported in 2000. Reports claiming that thousands of wild viruses exist usually include in the tally all the variations on the few hundred strains actually found in the wild.



Viral Definitions. Fred Cohen is often credited as the first to define the computer virus. In his 1984 doctoral thesis at the University of Southern California, he defines the system invader as “a program that can ‘infect’ other programs by modifying them to include a version of itself.”

That ability to self-replicate is the defining characteristic among all computer viruses. Many confuse viruses with Trojan horses, which are malicious programs disguised as something harmless or beneficial for the computer user. Although a Trojan horse can certainly contain a virus or a logic bomb program designed to wreak havoc at a predetermined time or date, the Trojan horse does not self-replicate and is not considered a virus. These harmful programs, such as Back Orifice and Picture.exe, are called malware, software designed for the sole purpose of damaging data and disrupting systems.

Some professionals and antivirus groups consider worms to be another category of malicious programming, separate from viruses. But Roger Thompson, a technical director of malicious code research and a member of ICSA.net (http://www.icsa.net, a data security provider), points out that the term worm is used by professionals to describe viruses that use networks to spread.



Invasion Methods. Because computer viruses are programs, they must adhere to the design rules followed by every other application and cannot operate purely through modem lines, Web site viewing, or plain text such as e-mail messages. In addition, all programs must have access to a computer system’s memory, or RAM, which temporarily stores data the CPU needs to process. You can identify viruses as resident or nonresident, based on how they use RAM.

Once activated, resident viruses use a related technology to become TSRs (terminate-and-stay-resident programs), which lets them stay in RAM and search for other active programs or files to infect. Until you shut off or reboot your computer, resident viruses prey upon active, open files.

On the other hand, nonresident viruses only reside in RAM long enough to replicate, attach to a file, and get out. These viruses do not use TSR and, therefore, have a much shorter activation time than resident viruses.

Viruses are usually grouped into three main categories—boot, file, and macro—depending on their means of invasion. Although boot and file virus infections were common in the early 1990s, these reports have been waning since operating systems started including built-in safeguards, says Thompson.



File Leeches. File viruses attach themselves to executable files, such as EXE and DLL (dynamic-link library), and can arrive on a floppy diskette, a download from the Internet, or an e-mail attachment. You activate a file virus when you run an infected application or document. File viruses, which can be either resident or nonresident, activate behind the scenes, performing their intended operations before permitting the program to run.

Once you restart an infected application, the file virus begins spreading to other programs. Often, an infected file appears on another computer through a shared diskette or network. The viruses using this type of network migration are frequently called worms.

An outbreak of a file virus hit in early June 1999. Thompson says a user initially downloaded the ExploreZip virus from an Internet bulletin board and it suddenly began to appear in e-mail attachments, creating a significant amount of damage in its wake.

Users sending e-mail to an ExploreZip-infected computer almost immediately received a fake reply from the recipient. The subject line varied, but the message remained largely the same: “Just got your e-mail and I’ll send you a reply ASAP. Until then, take a look at the attached zipped documents.”

Once an e-mail recipient activated ExploreZip, the virus began searching local and networked drives for specific file types (such as .DOC, .XLS, and .PPT) so it could erase the contents of these files and assign a zero byte count to them (a designation that usually prevents any lost data from being recoverable). But the program wasn’t finished yet. It then searched through the system’s network neighborhood, deleting unprotected shared files each time that the virus was activated.

And there’s more! To ensure that the virus was executed from infected network computers each time the OS (operating system) started, ExploreZip created an entry in a Windows 98 startup file called Win.ini. But, according to reports from the CERT (Computer Emergency Response Team, http://www.cert.org) at the Carnegie Mellon Institute, ExploreZip appeared unable to implement the same type of automatic startup in Windows NT-based computers. This was probably due to the added security features of Windows NT.



Boot Bugs. Boot-sector viruses are typically resident infectors that attack a hard drive’s boot sector, which contains a small program instructing the computer about how to load the OS. Because a PC accesses startup files when it boots, boot viruses are executed every time you turn on your computer. And because the BIOS (Basic Input/Output System) reads the floppy drive at boot up, the virus can infect any diskette you put in the floppy drive of an infected system. Boot-sector viruses spread primarily by infecting diskettes, especially on college campuses where computers are shared by multiple users.
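What a boot sector actually contains, and how an integrity baseline notices when its small loader program has been replaced, is shown in the following added example; it is not part of the original article. It assumes a FAT12 floppy layout, in which the loader code follows the BIOS Parameter Block at offset 0x3E, and every byte of the sample sector (including the filler standing in for the loader) is constructed here.

```python
"""Boot-sector layout check and loader-code integrity baseline (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # the BIOS requires these two bytes at offset 510
CODE_START = 0x3E              # FAT12/16 layout: loader code follows the BIOS Parameter Block


def parse_boot_sector(sector: bytes) -> dict:
    """Split a 512-byte boot sector into its fixed fields and check them for plausibility."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    return {
        # the sector begins with a jump over the parameter block into the loader code
        "jump_ok": sector[0] in (0xEB, 0xE9),
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "bpb_plausible": bytes_per_sector == 512
        and sectors_per_cluster in (1, 2, 4, 8, 16, 32, 64, 128),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        # hash only the loader code, so edits to the parameter fields alone are not reported
        "code_hash": hashlib.sha256(sector[CODE_START:510]).hexdigest(),
    }


def boot_code_changed(sector: bytes, baseline_hash: str) -> bool:
    """True when the loader code no longer matches the hash recorded on a known-clean system."""
    return parse_boot_sector(sector)["code_hash"] != baseline_hash


def make_sample_sector(loader_filler: bytes) -> bytes:
    """Constructed sample: a 1.44 MB FAT12 floppy boot sector with placeholder loader bytes."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"          # JMP SHORT 0x3E ; NOP
    sec[3:11] = b"MSWIN4.1"             # OEM name
    # BIOS Parameter Block: bytes/sector, sectors/cluster, reserved sectors, FAT copies,
    # root entries, total sectors, media descriptor, sectors/FAT, sectors/track, heads,
    # hidden sectors, large total sectors
    struct.pack_into("<HBHBHHBHHHII", sec, 0x0B,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    code = loader_filler[: 510 - CODE_START]
    sec[CODE_START:CODE_START + len(code)] = code
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


if __name__ == "__main__":
    clean = make_sample_sector(b"\x90" * 64)           # placeholder loader, not real boot code
    baseline = parse_boot_sector(clean)["code_hash"]    # recorded while the system is known clean
    altered = make_sample_sector(b"\xCC" * 64)          # same parameter block, different loader bytes
    print(parse_boot_sector(clean))
    print("loader changed:", boot_code_changed(altered, baseline))   # True
```

The baseline hash is the part a defender keeps: a boot infector has to change the loader bytes to get control at power-on, and that change shows up as a hash mismatch even when the rest of the sector still looks valid.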

One such common virus, AntiCMOS, has spread around the globe since its 1994 discovery in Hong Kong. This virus works by invading the system’s hard drive when a user boots the computer from a tainted system diskette and, once on the system, it infects almost all diskettes used in the computer.

AntiCMOS’ creator designed it to alter data contained in the CMOS (complementary metal-oxide semiconductor) chip, where information about the system hardware is contained, but the viral code is badly written and the chance it will work as intended is minimal. Even so, the creator’s replication goal has apparently been successful; AntiCMOS consistently ranks on the WildList Organization International’s “WildList” of most frequently reported viruses.



Macro Menaces. Macro viruses, which are establishing themselves as the dominant form of mass computer contamination today, are specifically designed to work within popular programs, such as Microsoft Word, Microsoft Excel, and Office 2000. They can infect documents, spreadsheets, and databases that let you execute macros. Many work by attaching to the Normal.dot template file contained in the Word and Excel templates, infecting every normal document created in those applications.

Although macros can arrive on diskettes and in files downloaded from the Web, recent macro viruses have spread primarily as “hitchhikers” to documents in e-mail attachments. Macro viruses exploit the Visual Basic for Applications programming language built into Microsoft Word. This macro program can automatically modify files, send e-mail messages, and execute commands when a document with embedded macros is open. And even though the Macro Virus Protection feature in Microsoft applications disables the auto-execute feature by default, many users simply ignore the warning pop-up message that results from opening an infected document. Once a macro virus infects an application, it can infect all new documents made with that application.

Although macro viruses have been around since the mid-1990s, these invaders gained even more widespread notoriety when the infamous Melissa virus hit in March of 1999. Easily one of the fastest spreading viruses observed to date, this macro menace worked within the Outlook e-mail program and was originally created in a Word document (with the .DOC extension). To spread quickly, Melissa sent recipients an e-mail message with a tainted Word attachment, as well as a subject line that appeared to be from someone the recipients recognized. When a user double-clicked the Word attachment, the virus executed and created a Word object in Outlook.

Then, according to CERT, it accessed the first 50 names it found in the recipient’s address book and e-mailed a message containing the tainted Word attachment to all of them. Whenever someone opened the e-mail’s attachment, the virus repeated the procedure with the first 50 names in that person’s address book. Although Melissa was not designed to corrupt a system or its data, the virus did clog up several servers and force some organizations to temporarily shut down their e-mail systems.



Tricks Of The Trade. Aside from “social engineering,” one of the most popular methods of viral deception is the use of polymorphic, self-mutating, and encrypted technology. Each time a polymorphic virus replicates, the identifying code fragment (known as a signature) changes, making the virus less recognizable to antivirus applications containing lists of known virus signatures. This also means that even if the virus is detected in a given file, the same virus (with a different signature) could go undetected in another file.

On the bright side, because the programming code for this type of technology is so difficult to write, polymorphic viruses tend to contain numerous code glitches that prevent them from reproducing or operating well.

Some viruses use stealth technology in addition to polymorphic techniques. Using special stealth algorithms, viruses can hide within a system’s OS and remain partially or completely undetectable. By monitoring and intercepting an OS’ built-in routines to locate infected objects, stealth viruses can then substitute some uninfected data for pieces of viral code. This data switch fools the computer into thinking it’s seeing the original, unmodified file instead of the infected one. One downfall for virus writers is that stealth technology can only work while the virus is residing in RAM, making it vulnerable to discovery by traditional antivirus software.

Thompson says that there are at least 1,000 macro viruses in the wild, and that number will likely rise. Trojan horses and macro viruses, he says, make up the majority of system invasions seen today. This number is expected to rise due to the growth of the Internet, increased information-sharing practices, and the fact that macros are designed specifically for the widely used Windows environment.

Still, despite all the complex and involved methods that virus writers have developed (and may yet create) to protect their viruses, no virus can boast total invincibility against antivirus programs. According to Cohen’s work, for every viral algorithm invented, an anti-algorithm can also be created to combat it. Unfortunately, this also means that the anti-algorithms are vulnerable to anti-anti-algorithm attacks by virus programmers, and so on; the war is far from over.



Virus Busters. Because each virus operates a little differently in its quest to replicate and perform its operations, the software designed to battle these infectious annoyances also concentrates on different parts of the computer. The best defense these programs offer is in prevention, though none can claim 100% protection from all viruses because of the nature of algorithmic operations.

Popular antivirus software searches for signatures and identifying bits of code of known viruses. According to AntiViral Toolkit Pro’s Virus Encyclopedia (AVPVE, http://www.metro.ch/avpve), the programs use a mask (a specific code sequence) to search for matches within a given program or file. If that method fails, the antivirus software then employs an algorithm to search through all possible code sequences that could uncover infected files (an effective method against polymorphic viruses).
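The mask search described above, together with the polymorphic case from the “Tricks Of The Trade” section, as an added example that is not taken from the article or from AVPVE: a fixed signature matches only one variant of a constructed byte pattern, while a mask with wildcard positions matches both. The byte patterns and signature strings are constructed placeholders for this illustration, not real virus code.

```python
"""Byte-signature scanning with wildcard masks (added example)."""
from typing import Dict, List, Optional, Tuple

Mask = List[Optional[int]]   # None marks a position that matches any byte


def parse_mask(text: str) -> Mask:
    """Turn 'B8 ?? 00 00 00' into a list of byte values with None for '??' wildcards."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_mask(data: bytes, mask: Mask) -> int:
    """Offset of the first position where every non-wildcard mask byte matches, else -1."""
    n = len(mask)
    for i in range(len(data) - n + 1):
        if all(m is None or data[i + j] == m for j, m in enumerate(mask)):
            return i
    return -1


def scan(data: bytes, signatures: Dict[str, str]) -> List[Tuple[str, int]]:
    """Run every named signature over one file image and report (name, offset) hits."""
    hits = []
    for name, mask_text in signatures.items():
        off = find_mask(data, parse_mask(mask_text))
        if off >= 0:
            hits.append((name, off))
    return hits


# Constructed sample "files": the same short x86-style routine (mov eax, imm32 ; call rel32 ; ret)
# with different constants, the way a polymorphic engine varies non-essential bytes between
# copies. These are placeholder byte patterns, not real virus code.
SAMPLE_A = bytes.fromhex("90 90 B8 01 00 00 00 E8 10 00 00 00 C3 90")
SAMPLE_B = bytes.fromhex("CC CC B8 07 00 00 00 E8 3A 00 00 00 C3 CC")

SIGNATURES = {
    # a fixed signature pinned to one variant's constants
    "sample-fixed": "B8 01 00 00 00 E8 10 00 00 00 C3",
    # a mask that wildcards the varying bytes and keeps the invariant structure
    "sample-mask": "B8 ?? 00 00 00 E8 ?? 00 00 00 C3",
}

if __name__ == "__main__":
    print("A:", scan(SAMPLE_A, SIGNATURES))   # [('sample-fixed', 2), ('sample-mask', 2)]
    print("B:", scan(SAMPLE_B, SIGNATURES))   # [('sample-mask', 2)]
```

The second variant slips past the fixed signature entirely, which is the gap the article describes; the mask catches it because it keys on the bytes the mutation engine cannot change without breaking the routine.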

Some antivirus programs also use heuristic scanning, which lets them analyze code and make decisions about possible infections based on that analysis. In addition, because virus writers often create their latest viruses from existing ones, researchers can create an “evolutionary” history of an infecting agent. Armed with this information, antivirus programmers can then easily replicate a set of signatures that are indicative of various viral families, allowing software to recognize new viral strains that emerge from these families.
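Heuristic scanning applied to the macro case from the “Macro Menaces” section, as an added example that is not from the article or from any antivirus product: it scores VBA source text on the auto-execute entry points and the capabilities (template modification, self-copying, sending mail, running commands) the article attributes to macro viruses. The procedure names are the real Word and Excel auto-execute names; the indicator weights, thresholds and the three sample macros are constructed for this illustration.

```python
"""Heuristic scoring of VBA macro source (added example)."""
import re
from typing import Dict, List

# Procedure names Word and Excel run on their own when a document or workbook is
# opened or closed: a macro virus needs one of these to get control without a click.
AUTO_EXEC_PROCS = {
    "autoopen", "autoclose", "autoexec", "auto_open", "auto_close",
    "document_open", "document_close", "workbook_open",
}

# Capabilities the article attributes to macro viruses, each with a weight.
# Patterns and weights are constructed for this example.
INDICATORS = {
    r"\bNormalTemplate\b": ("touches the global Normal.dot template", 3),
    r"\bVBProject\b": ("reads or writes macro source (self-copying)", 3),
    r"\bOutlook\.Application\b": ("automates the mail client", 2),
    r"\.Send\b": ("sends mail", 2),
    r"\bShell\s*\(": ("runs an external command", 2),
    r"\bKill\b": ("deletes files", 1),
}

PROC_DECL = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)


def scan_macro_source(src: str) -> Dict:
    """Score one module's VBA text; returns score, verdict and the reasons behind them."""
    findings: List[str] = []
    score = 0
    auto = [p for p in PROC_DECL.findall(src) if p.lower() in AUTO_EXEC_PROCS]
    if auto:
        findings.append("auto-execute entry point: " + ", ".join(auto))
        score += 2
    for pattern, (description, weight) in INDICATORS.items():
        if re.search(pattern, src):
            findings.append(description)
            score += weight
    # Auto-execution combined with self-copying or mailing is the viral pattern;
    # an auto-execute macro on its own is common in legitimate templates, so by
    # itself it raises no alarm (the false-alarm problem the article mentions).
    if auto and score >= 5:
        verdict = "suspicious"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "clean"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample macros (indicator lines only, not working code).
BENIGN_MACRO = """
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

AUTO_ONLY_MACRO = """
Sub AutoOpen()
    ActiveWindow.View.Zoom.Percentage = 120
End Sub
"""

SUSPECT_MACRO = """
Private Sub Document_Open()
    Set src = NormalTemplate.VBProject
    Set app = CreateObject("Outlook.Application")
    Set mail = app.CreateItem(0)
    mail.Send
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("auto-only", AUTO_ONLY_MACRO),
                      ("suspect", SUSPECT_MACRO)):
        print(name, scan_macro_source(src))
```

The scorer never needs a signature for a specific virus, which is the point of heuristics: a new strain from the same family still has to auto-execute and then copy itself or mail itself out, and those two traits together are what it flags.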

Other types of virus-battling programs include behavior blockers and immunizers. Behavior blockers stay in the computer’s RAM until the unit is turned off, preventing an infector from performing its tasks. Another benefit of behavior blocker protection is that viruses are often detected at an early state of operation.

The disadvantages of behavior blockers, widespread knowledge among virus writers about how to override the blockers, and the tendency for this software to give false alarms have brought the use of this type of protection to a halt among most computer users.

Immunizers, also rarely used these days, traditionally come in two flavors: warning and blocking. Warning immunizers attach to the end of files and check them every time the file is launched. Their inability to spot stealth viruses, however, has made them almost obsolete. Blocking immunizers, on the other hand, focus on a specific kind of virus by modifying files so they appear infected, causing the invading virus to pass them over. Plus, blocking immunizers often place TSRs in a computer’s memory (a trick used by many viruses to stay in RAM and infect other files) so that the system appears to be already infected. The problem, of course, is that this can’t protect against all known viruses, just a specific group.

No matter what kind of antivirus protection you choose, computer security specialists at ICSA.net stress a “synergistic” or combination approach to system protection. So, instead of relying on only one preventative approach, combine several methods. In addition, nothing can beat common sense when it comes to computer protection. Be wary and exercise caution when downloading files from the Internet, opening e-mail attachments, and sharing network documents.



The Historic Path Of Viruses. According to “Fighting Computer Viruses” in the November 1997 issue of Scientific American (http://www.sciam.com/1197issue/1197kephart.html), mathematician John von Neumann conducted the first studies of self-replicating mathematical mechanisms as early as the 1940s. These reproducing operations could, theoretically, automatically follow predetermined sequences of instructions or commands.

By the 1950s, infectious applications were being used as necessary tools to wipe out old memory fragments and ensure that programmers could effectively load new code into a computer’s memory in order to operate a new program efficiently. Eventually, when computers were able to run more than one program at a time, each program and the accompanying data had to be kept together within defined boundaries (or partitions) to enable a smooth performance level. The first true virus programs appeared around this time and crossed these partitions to execute their own operations.

This transfer of system control to random areas of the computer’s memory then resulted in random operations as well as file damage. But, even then, the idea of invading viruses that were capable of taking over segments of computers still remained quietly in the realm of computer professionals until the early 1980s. It was then that the first viruses, such as Elk Cloner, were discovered “in the wild” on the widely used Apple II computers.

A few years later, in 1986, the first IBM (http://www.ibm.com) PC virus, known as Brain, appeared. According to the NIST (National Institute of Standards and Technology, http://csrc.ncsl.nist.gov), this virus initially spread through diskettes at the University of Delaware. Within the following year, the first antivirus software product was on the market.

In 1992, fear among computer users culminated with the Michelangelo virus scare. Considered an outright hoax by some experts, this virus infected thousands of computers on March 3, 1992 (the artist’s birthday), but that number was far fewer than the millions of machines initially predicted to crash on that date. Michelangelo received widespread media attention around the world and warnings swarmed about the following year’s expected attack (which was also minimal).

That same year, the debut of Windows 3.1 dramatically reduced the number of virus infection reports. Until that time, viruses had attacked either a hard drive’s boot sector or its executable program files. But a new and improved infectious virus soon took their place: the macro virus.

Although there seems to be a discrepancy among virus experts as to which macro virus was first, there is a general consensus that the macro virus made its debut in 1995 and was aimed almost exclusively at Windows users. One of the first macro viruses, Concept, is still one of the most prevalent viruses today.

Many viral code researchers and professionals agree that macro viruses are the toughest viral threat currently facing computer users, and unfortunately, new challenges arise every year. In 1998, for example, the first Java-targeted virus (Strange Brew) appeared, followed by another virus, AM97/Accessiv, aimed at Microsoft Access databases. And with the introduction of the CIH virus, the bar was raised even further. The CIH virus not only erased the computer’s hard drive, but it was also capable of rewriting the system’s core language contained in the BIOS chip. As a result, infected systems required replacing the BIOS chip component on the motherboard.

Even in the midst of these dangerous newcomers, there is still no reason to become overly concerned. By arming yourself with an updated antivirus program and exercising caution when receiving any items from outside sources, you’ll be able to effectively guard your computer against most infectious invaders.

by Lori Robison



Common Myths

Despite countless efforts by antivirus software makers and virus watchdog groups to dispel rumors about the extent of viruses’ powers, myths continue to circulate as to what these malicious programs can and can’t do. Rob Rosenberger, operator of vMyths.com (http://www.vmyths.com), a site devoted to debunking myths about viruses, says these are a few of the more prominent myths and the reality behind them.

MYTH: Viruses can lurk in non-executable files, e-mail messages, or within a Web page’s text.

REALITY: While viruses can hide within attachments to these files, true non-executable files cannot contain a viral program within the file itself.

MYTH: A few viruses can remain undetected by all antivirus software.

REALITY: The algorithm signature, character-based signature, or other identifiable signature left by every virus makes it vulnerable to some type of detection by antivirus software.

MYTH: If I mistakenly save a virus with my backup files, those files will become worthless.

REALITY: Even if you do back up a virus with your files, you can still restore your valuable data without restoring an infected program. To do this, use your antivirus software to simply disinfect the infected files.

MYTH: Write-protected floppy diskettes are still vulnerable to viral attacks.

REALITY: Once a diskette is write-protected, the diskette drive itself detects the write-protect tab and refuses to write to the diskette. Viruses can’t override an IBM PC diskette drive’s write-protect sensor with their commands.



The Credibility Of Hoaxes

According to Symantec Corp. (http://www.symantec.com), an antivirus software manufacturer, warnings about nonexistent viruses and Trojan horses are frequently circulated via e-mail and Usenet postings. Although these warnings contain technical-sounding jargon and claim to originate from the FCC (Federal Communications Commission), in reality, the FCC never issues warnings about viruses or Trojan horses. Users should just ignore these false warnings rather than pass them on to others. Below is a list of well-known hoaxes regarding viruses and Trojan horses.

3b Trojan/PKZIP Virus

AIDS Virus

AOL4Free Virus

AOL Year 2000 Update

Baby New Year Virus

Bad Times

Blue Mountain Virus

BUDDYLST.ZIP

BUDSAVER.EXE

Budweiser

BUGGLST

Dear Friends

Death69

Deeyenda

E-Flu

FatCat Virus

Free Money

Get More Money

Ghost

Good Times

Guts To Say Jesus

Hacky Birthday Virus

Help Poor Dog

Hitler

Irina

Join the Crew

Londhouse Virus

Millennium Time Bomb

NASTYFRIEND99

Pandemic

PenPal Greetings

Red Alert

Teletubbies

Time Bomb

Tuxissa

Very Cool

Wooden Horse

World Domination








© Copyright by Sandhills Publishing Company 2001. All rights reserved.