Viruses and How They Function

A virus is one of the oldest pieces of software that fits under the definition of malware. It may also be one of the most frequently misunderstood. The term virus is frequently used to refer to all types of malware.

Before getting too far into a discussion of viruses, it is important to make clear what viruses actually are and the behaviors they exhibit. A virus is a piece of code or software that spreads from system to system by attaching itself to other files. When the file is accessed, the virus is activated. Once activated, the code carries out whatever attack or action the author wishes to execute, such as corrupting or outright destroying data.

Viruses have a long history, one that shows how this form of malware adapted and evolved as technology and detection techniques improved. Here’s a look at the history of viruses, how they have changed with the times, and how this affects you as a security professional.

Viruses: A History

Viruses are nothing new; the first viruses debuted in the “wild” roughly 40 years ago as research projects. They have evolved dramatically since then into the malicious weapons they are today.

The first recognized virus was created as a proof-of-concept application designed in 1971 to demonstrate what was known as a mobile application. In practice, the Creeper virus, as it was known, spread from system to system by locating a new system while resident on another. When a new system was found, the virus would copy itself to it and delete itself from the old one. Additionally, the Creeper virus would print out a message on an infected machine that stated, “I’m the Creeper, catch me if you can.” In practice, the virus was harmless and not that advanced compared with modern examples.

In the mid-1970s, a new feature was introduced in the Wabbit virus. The Wabbit virus represented a change in tactics in that it demonstrated one of the features associated with modern-day viruses—replication. The virus replicated on the same computer over and over again until the system was overrun and eventually crashed.

In 1982, the first virus seen outside academia debuted in the form of the Elk Cloner virus. This piece of malware debuted another feature of later viruses—the ability to spread rapidly and remain in the computer’s memory to cause further infection. Once resident in memory, it would infect floppy disks placed into the system later, as many later viruses would do.

Four short years later, the first personal computer–compatible virus debuted. The viruses prior to this point were Apple II types or designed for specific research networks. In 1986, the first of what was known as boot sector viruses debuted, demonstrating a technique later seen on a much wider scale. (The boot sector is the part of a hard drive or removable media that is used to boot programs.) This type of virus infected the boot sector of a drive and would spread its infection when the system was going through its boot process.

The first of what would later be called logic bombs debuted in 1987: the Jerusalem virus. This virus was designed to cause damage only on a certain date—in this case, Friday the 13th. The virus was so named because of its initial discovery in Jerusalem.

Multipartite viruses made their appearance in 1989 with the Ghostball virus. This virus was designed to cause damage using multiple methods and components, all of which had to be neutralized and removed to effectively clear out the virus.

Polymorphic viruses first appeared in 1992 as a way to evade early virus-detection techniques. Polymorphic viruses are designed to change their code and “shape” to avoid detection by virus scanners, which would look for a specific virus code and not the new version.

Fast-forward to 2008 and Mocmex. Mocmex was shipped on digital photo frames manufactured in China. When the virus infected a system, its firewall and antivirus software were disabled; then the virus would attempt to steal online game passwords.

Modern viruses and virus writers have gotten much more creative in their efforts and in some cases are financed by criminal organizations to build their software.

Types of Viruses

As you can see, not all viruses are the same; there are several variations of viruses, each of which is dangerous in its own way. Understanding each type of virus can give you a better idea of how to thwart them and address the threats they pose.

Logic Bombs

A logic bomb is a piece of code or software designed to lie in wait on a system until a specified event occurs. When the event occurs, the bomb “goes off” and carries out its destructive behavior as the creator intended. Although the options are literally endless as far as what a logic bomb can do, the common use of this type of device is to destroy data or systems.

Logic bombs have been notoriously difficult to detect because of their very nature of being “harmless” until they activate. Malware of this type is simply dormant until whatever it is designed to look for happens. What can activate this software is known as a positive or negative trigger event, coded in by the creator. A positive trigger is a mechanism that looks for an event to occur, such as a date. A negative trigger is designed to monitor an action. When such action does not occur, it goes off. An example would be if a user does not log on for some period. This process of “hiding” until an event occurs or does not occur makes this particular type of malware dangerous.

As a security professional, you will have to be extra vigilant to detect logic bombs before they do damage. Traditionally, the two most likely ways to detect this type of device are by accident or after the fact. In the first method, an IT worker just happens to stumble upon the device by sheer “dumb luck” and deactivates the bomb. In the second method, the device “detonates” and then the cleanup begins. The best detection and prevention methods are to be vigilant, to limit access of employees to only what is necessary, and to restrict access where possible.

Polymorphic Viruses

The polymorphic virus is unique because of its ability to change its shape to evade antivirus programs and therefore detection. In practice, this type of malware possesses code that allows it to hide and mutate itself in random ways that prevent detection. This technique debuted in the late 1980s as a method to avoid the detection techniques of the time.

Polymorphic viruses employ a series of techniques to change or mutate. These methods include:

  • Polymorphic engines—Designed to alter or mutate the device’s design while keeping the payload, the part that does the damage, intact

  • Encryption—Used to scramble or hide the damaging payload, keeping antivirus engines from detecting it

When in action, polymorphic viruses rewrite or change themselves upon every execution. The extent of the change is determined by the creator of the virus and can range from simple rewrites to changes in the encryption routines or alteration of the code itself.

Modern antivirus software is much better equipped to deal with the problems polymorphic viruses pose. Techniques to detect these types of viruses include decryption of the virus and statistical analysis and heuristics designed to reveal the software’s behavior.

Multipartite Viruses

The term multipartite refers to a virus that infects using multiple attack vectors, including the boot sector and executable files on the hard drive. What makes these types of viruses dangerous and powerful weapons is that to stop them, you must totally remove all their parts. If any part of the virus is not eradicated from the infected system, it can reinfect the system.

Multipartite viruses represent a problem because they can reside in different locations and carry out different activities. This class of virus has two parts, a boot infector and a file infector. If the boot infector is removed, the file infector will reinfect the computer. Conversely, if the file infector is removed, the boot infector will reinfect the computer.

Macro Viruses

Macro viruses are a class of virus that infects and operates through the use of a macro language. A macro language is a programming language built into applications, such as Microsoft Office in the form of Visual Basic for Applications (VBA). It is designed to automate repetitive tasks. Macro viruses have been very effective because users have lacked the protection or knowledge to counteract them.

Macro viruses can be implemented in different ways, usually by being embedded into a file or spread via email. The initial infections spread quite quickly because earlier applications would run the macro when a file was opened or when an email was viewed. Since the debut of these viruses, most modern applications disable the macro feature or ask users whether they want to run macros.
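Modern Office documents are zip containers, and a macro-enabled file stores its VBA code in a part named vbaProject.bin. The following is an added example (not from the original text) of a gateway check that looks for that part and flags macro code arriving under an extension that claims to be macro-free; the sample documents are constructed in memory, and the function and threshold names are this example's own.

```python
import io
import zipfile

# Office extensions that are allowed to carry VBA code at all.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}

def vba_parts(data: bytes) -> list[str]:
    """List the VBA project parts in an OOXML document (a zip container).
    Macro-enabled Office files keep their VBA code in a part named
    .../vbaProject.bin; a document with no such part carries no VBA macros.
    Returns [] for macro-free documents and for data that is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []

def triage(filename: str, data: bytes) -> str:
    """Classify an attachment for a mail gateway or endpoint scanner (hypothetical policy)."""
    parts = vba_parts(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not parts:
        return "clean: no VBA project"
    if ext not in MACRO_EXTENSIONS:
        # VBA code inside a file whose extension claims to be macro-free is a mismatch worth flagging.
        return f"suspicious: VBA project {parts[0]} hidden under .{ext}"
    return f"review: macro-enabled document ({parts[0]})"

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo; real files have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes standing in for a real VBA project storage.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, macro in [("report.docx", False), ("report.docm", True), ("report.docx", True)]:
        print(name, "->", triage(name, build_sample(macro)))
```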

Hoaxes

A hoax is not a true virus, but no discussion of viruses is complete without mentioning the hoax virus. Hoax viruses are those designed to make the user take action even though no infection or threat exists. The following example is an email that actually is a hoax virus:

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS: You should be alert during the next days: Do not open any message with an attached file called “Invitation” regardless of who sent it. It is a virus that opens an Olympic Torch that “burns” the whole hard disc C of your computer. This virus will be received from someone who has your e-mail address in his/her contact list. That is why you should send this e-mail to all your contacts. It is better to receive this message 25 times than to receive the virus and open it. If you receive a mail called “Invitation,” though sent by a friend, do not open it and shut down your computer immediately. This is the worst virus announced by CNN; it has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. SEND THIS E-MAIL TO EVERYONE YOU KNOW, COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS AND REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

Here’s another example:

All,

There’s a new virus which was found recently which will erase the whole C drive.

If you get a mail with the subject “Economic Slow Down in US” please delete that mail right away. Otherwise it will erase the whole C drive. As soon as you open it, it says, “Your system will restart now ... Do you want to continue?” Even if you click on NO, your system will be shut down and will never boot again. It already caused major damage in the US and a few other parts of the world. The remedy for this has not yet been discovered.

Please make sure you have backed up any local hard drive files adequately—network, floppy, etc.

In both cases, a simple search online or discussion with the IT department of a company will reveal these to be hoaxes; however, in many cases, the recipients of these messages panic and forward them on, causing further panic.

Prevention Techniques

Viruses have been in the computer and network business almost as long as the business itself has been around. A wide variety of techniques and tools have evolved to deal with the threat.

Education

Knowledge is half the battle. Getting system owners to understand how not to get infected or spread viruses is a huge part of stopping the problem. Users should be instructed on proper procedures to stop the spread of virus code. Such tips should generally include:

  • Don’t allow employees to bring untrusted or unprotected media or devices from home.

  • Instruct users not to download files except from known and trusted sources.

  • Don’t allow workers to install software or connect devices without permission from the company IT department.

  • Inform IT or security of strange system behaviors or virus notifications.

  • Limit the use of administrative accounts.

Antivirus/Anti-Malware

The next line of defense is the antivirus or anti-malware software that is designed to stop the spread and activity of viruses. Antivirus programs are designed to run in the background on a system, watching for activity that suggests a virus and then stopping that activity or shutting down the system. Antivirus software can be an effective tool, but only if it is kept up to date. Antivirus software relies on a database of signatures that lets it know what to look for and remove. Because new viruses are released each day, if you neglect this database, it becomes much more likely that a virus will get through.

Because there is a wide range of viruses and other malicious code, an antivirus program must be able to detect more than a simple virus. Good antivirus software can detect viruses; worms; Trojans; phishing attacks; and, in some cases, spyware.

Antivirus software tends to use one of two methods. The first is the suspicious behavior method. Antivirus programs use this method to monitor the behavior of applications on a system. This approach is widely used because it can detect suspicious behavior in existing programs as well as detect suspicious behavior that indicates a new virus may be attempting to infect your system.

The second method is dictionary-based detection. This method scans applications and other files as they are introduced to your system. The advantage of this method is that it can detect a virus almost immediately instead of letting it run and detecting the behavior later. The downside is that the method can detect only viruses that it knows about—if you neglect to update the software, it cannot detect new viruses.
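The two detection methods above, and the statistical analysis mentioned under polymorphic viruses, can be shown side by side. This is an added example, not code from the original text: a tiny constructed signature dictionary stands in for the scanner's database, a Shannon-entropy heuristic stands in for the statistical check, and a seeded XOR pass stands in for the encryption step a polymorphic virus applies, so that the same payload is caught by the dictionary in one form and only by the heuristic in the other. All names, signatures, samples and the threshold are constructed for the demo.

```python
import math
import random
from collections import Counter

# Constructed signature dictionary: byte sequences the dictionary-based method looks for.
SIGNATURES = {"Demo.Marker.A": b"DEMO-MARKER-ALPHA"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or packed data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4 to 5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def dictionary_scan(data: bytes) -> list[str]:
    """Dictionary-based method: report every known signature found in the body."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def heuristic_scan(data: bytes) -> bool:
    """Statistical heuristic: a body that looks encrypted deserves a closer look."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

def scan(data: bytes) -> str:
    """Combine both methods the way a scanner would: exact match first, then heuristics."""
    hits = dictionary_scan(data)
    if hits:
        return "signature:" + ",".join(hits)
    if heuristic_scan(data):
        return "heuristic:high-entropy"
    return "clean"

def mutate(payload: bytes, seed: int) -> bytes:
    """Constructed stand-in for a polymorphic encryption pass: XOR with a seeded keystream.
    Every seed yields a different byte image of the same payload, so a fixed
    signature no longer matches while the payload's meaning is unchanged."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(256) for b in payload)

# Constructed samples: a benign report, a sample carrying the known marker, and
# the same sample after one mutation pass.
BENIGN = b"Quarterly report: revenue and expenses by region. " * 80
PLAIN_SAMPLE = b"header " + SIGNATURES["Demo.Marker.A"] + b" " + b"payload body " * 300
MUTATED_SAMPLE = mutate(PLAIN_SAMPLE, seed=42)

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("plain", PLAIN_SAMPLE), ("mutated", MUTATED_SAMPLE)]:
        print(f"{label:8s} entropy={shannon_entropy(body):.2f} result={scan(body)}")
```

The mutated sample illustrates the text's point that a neglected signature database misses new variants, while the entropy heuristic still raises a flag that warrants decryption or behavioral analysis.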

Applying Updates

Another detail that you cannot overlook is applying patches on systems and software when they become available. Vendors of operating systems and applications, such as Microsoft, regularly release patches designed to close holes and address vulnerabilities on systems that viruses could exploit. Missing a patch or update can easily mean the difference between avoiding a problem and having your system disabled.
