
Virus!


Introduction

No, this is not a course in how to write a virus; it is meant to make clear what a virus is, its impact on society, and some of the historical aspects of viruses.

How infection occurs

In order to infect a computer, a virus has to have the chance to execute its code.

Viruses usually ensure that this happens by behaving like a parasite, i.e. by modifying another item so that the virus code is executed when the legitimate item is run or opened.

Good vehicles for viruses include the parts of a disk which contain code executed whenever that disk is booted, and documents which contain macros executed whenever that document is opened with the relevant application.

As long as the virus is active on the computer, it can copy itself to other files or disks that are accessed.

How viruses escape detection

The successful spread of a virus depends on how long it can replicate unnoticed, before its presence is made known by the activation of side-effects. Viruses use two main methods of disguise:

* Encrypting (scrambling) their code to avoid recognition.
* Preventing applications from seeing the virus in memory, by interrupt interception or (in the case of macro viruses) by disabling the options to view macros.
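The first disguise above, scrambling the virus body, is exactly what defeats a scanner that looks for a fixed byte pattern; what remains measurable is that scrambled code looks like random data. The following added example (written for this page, not code from the original) shows both checks side by side: a constructed placeholder signature that matches an unscrambled body but not a scrambled one, and a Shannon-entropy heuristic that flags the scrambled region instead. The SIGNATURE value, the 1024-byte window and the 7.2 bits-per-byte threshold are assumptions chosen for the illustration, and the scrambled body is seeded pseudo-random data standing in for encrypted code.

```python
import math
import random
from collections import Counter

# Constructed placeholder byte pattern standing in for a scanner's
# signature of a known virus body (not a real signature).
SIGNATURE = b"HELLO-SAMPLE-SIGNATURE"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def signature_hits(data: bytes, signature: bytes = SIGNATURE) -> int:
    """Number of times the fixed byte pattern occurs (classic scanning)."""
    return data.count(signature)


def high_entropy_windows(data: bytes, window: int = 1024,
                         threshold: float = 7.2) -> list:
    """Offsets of fixed-size windows whose entropy is at or above the threshold.

    Window size and threshold are assumptions chosen for this illustration;
    a real product tunes them per file type.
    """
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        # Very short tails give unreliable entropy estimates; skip them.
        if len(chunk) >= 256 and shannon_entropy(chunk) >= threshold:
            hits.append(off)
    return hits


def classify(data: bytes) -> dict:
    """What each of the two checks says about one file."""
    return {
        "signature": signature_hits(data) > 0,
        "high_entropy": bool(high_entropy_windows(data)),
    }


def build_samples():
    """Three constructed files: a clean host, the host with a recognisable
    body appended, and the host with a scrambled (pseudo-random) body appended.

    The pseudo-random bytes merely stand in for encrypted code; nothing here
    encrypts or executes anything.
    """
    host = b"MZ" + b"\x00" * 14 + b"This is a harmless host program. " * 60
    plain_infected = host + SIGNATURE + b"plain virus body " * 40
    rng = random.Random(1234)  # fixed seed so the example is reproducible
    scrambled_body = bytes(rng.getrandbits(8) for _ in range(2048))
    scrambled_infected = host + scrambled_body
    return host, plain_infected, scrambled_infected


if __name__ == "__main__":
    for name, sample in zip(("clean", "plain", "scrambled"), build_samples()):
        print(name, classify(sample))
```

The entropy check is only a triage signal: compressed archives, images and legitimately packed programs score just as high, so a hit means "look closer", not "infected".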

Virus side-effects

As well as self-replicating code, a virus normally contains a 'payload'. The former is like the propulsion unit of a missile; the latter is like the warhead it delivers. The payload can be programmed to have malicious side-effects.

These effects can range from harmless messages to data corruption or destruction.

How viruses spread

Infections spread from machine to machine, and from organisation to organisation, in a number of ways.

Viruses can be transmitted by:

* Booting a PC from an infected medium.
* Executing an infected program.
* Opening an infected file.

Common routes for virus infiltration include:

* Floppy disks or other media that users can exchange.
* Email attachments.
* Pirated software.
* Shareware.

Anti-virus measures

The fight against computer viruses involves five kinds of counter-measure:

Preparation includes making backups of all software (including operating systems) and making a contingency plan.

Prevention includes creating user awareness, implementing hygiene rules, using disk authorisation software, or providing isolated 'quarantine' PCs.

Detection involves the use of anti-virus software to detect, report and (sometimes) disinfect viruses.

Containment involves identifying and isolating the infected items.

Recovery involves disinfecting or removing infected items, and recovering or replacing corrupted data.

Basically, a virus is a computer program that is able, with your help and by attaching itself to other documents (programs, e-mail, web pages etc.), to move from computer to computer. Typically, these programs are harmful rather than beneficial; even if the virus has no payload (the part of a virus that contains code to multiply itself and/or to destroy something), it is an unwelcome visitor and takes up system resources.

A virus is not the only way you can experience problems with your computer. For most people, hardware or software problems are far more common. This document contains a detailed discussion of some of the most common viruses.

There are several classes of code often grouped under the name "virus." But not all are viruses in the classic meaning of the term. Some of these are: worm, Trojan Horse, logic bomb, and others.

The thing to remember is that a virus moves from computer to computer by attaching itself to a document. Such a document could be an executable program, e-mail you have received or any piece of information that resides on your computer, including the small program that exists in the boot sector of every floppy or hard disk, bootable or not.

For most viruses, when the program with the virus attached is run, the viral code goes into memory and stays there for as long as the computer is turned on. In some cases the virus even stays in memory if you warm boot the computer with Ctrl-Alt-Del.

To spread itself, a virus first attaches itself to other programs, documents with macros, e-mail or other disks as they are accessed. Then, if the circumstances are correct for a particular virus, it activates and does whatever damage it was designed to do. This may range from a simple message on your screen to complete erasure of your disk, or just nothing at all but still being a nuisance.


Boot sector virus

Boot sector viruses are the classics among viruses. A boot sector virus settles itself in the boot sector of a floppy or hard disk, a specific track on the disk where the operating system finds the information to start your machine's operating system, or where the disk makes itself known to your machine (ID). During the 80's a boot sector virus was a real pest on Amiga and Commodore 64 computers. Easy to remove but a nuisance, and sometimes very virulent too. When a boot sector virus had infected your disk the machine either froze or the floppy was no longer usable until you removed the virus. Sometimes even the spare boot sector was overwritten, and then your information could only be salvaged with the help of a recovery program.


Trojans

A Trojan is a piece of viral code that resides in memory but works only under specific circumstances. It is often spread by riding piggyback on other programs, or simply hidden in one. Take the first Trojan, PC-Write, which was a popular shareware program: by disguising the virus program file as "PC-Write", many users thought they were downloading the word processor, whereas instead they downloaded the virus. Tricky.


Polymorphic viruses

A polymorphic virus is a virus that can change itself to elude detection, or change the way it works. For example, instead of wiping your hard disk it locks your keyboard when specific keys are pressed in a particular sequence. Very hard to detect.


Binary viruses

A binary virus is a virus that needs a second component to become activated and do whatever it was designed to do. It is nearly impossible to detect an incomplete virus.


Macro viruses

A macro virus most often shows itself in Microsoft Office documents such as Excel and Word, or in Outlook, and works its havoc there. The code is easy to detect and to deactivate.
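Because the zip-based Office formats declare their parts explicitly, the presence of macro code can be checked without ever opening the document in the application, which is part of what makes macro code comparatively easy to detect. The added example below (not code from the original page) builds two constructed packages mimicking the OOXML layout and checks two independent indicators: a vbaProject.bin part, and a macro-enabled content type declared in [Content_Types].xml. The package layout and placeholder bytes are constructed for the example; the content-type strings are the standard ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Standard content types that mark a macro-enabled Office package (OOXML).
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
}


def macro_indicators(package: bytes) -> dict:
    """Two independent indicators of macro content in a zip-based package.

    Both are returned so a mismatch (one true, one false) stays visible;
    data that is not a valid zip, or has unparsable content types, reports neither.
    """
    found = {"vba_part": False, "macro_content_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as z:
            names = z.namelist()
            found["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if "[Content_Types].xml" in names:
                root = ET.fromstring(z.read("[Content_Types].xml"))
                declared = {el.get("ContentType")
                            for tag in ("Default", "Override")
                            for el in root.iter(CT_NS + tag)}
                found["macro_content_type"] = bool(declared & MACRO_CONTENT_TYPES)
    except (zipfile.BadZipFile, ET.ParseError):
        pass
    return found


def has_macros(package: bytes) -> bool:
    """True if either indicator is present."""
    return any(macro_indicators(package).values())


def build_office_zip(macro_enabled: bool) -> bytes:
    """Constructed minimal package mimicking the OOXML layout (not a real document)."""
    if macro_enabled:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if macro_enabled:
        types_xml += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    types_xml += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", types_xml)
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # Placeholder bytes; a real vbaProject.bin is an OLE2 container.
            z.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("macro-enabled", True), ("plain", False)):
        print(label, macro_indicators(build_office_zip(flag)))
```

Presence of macros is not proof of malice, and the older binary .doc/.xls format stores macros in an OLE2 container rather than a zip, so this check says nothing about those files.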

 

Standard Virus

Insofar as one can still speak of a standard virus: contemporary viruses are hybrids that even contain their own mail engine!

A standard virus resides in memory, where its payload executes like a three-stage rocket:

  • Staying in memory as a resident process
  • Detecting programs (executables) that are loaded into the computer's memory
  • Attaching itself to an available slot in that program, mostly at the end, as it resides on hard disk or floppy. That medium must not be write-protected; as far as is known there is no virus that breaks this hardware protection, but one can never tell.

More advanced viruses scour your hard disk for other programs or executables and attach themselves to any available one. Then they look for other hard disks, including network disks, and do the same thing over.
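Stage three above, and the disk-wide variant just described, leave a measurable trace: an infected program on disk grows and its hash changes. The "Detection" counter-measure listed earlier can therefore be backed by a simple integrity baseline, which the added example below demonstrates (written for this page, not code from the original). The file names, the suffix list and the appended bytes are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types worth baselining; an assumption for the example (DOS/Windows style).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".dll", ".sys"}


def fingerprint(path: Path) -> dict:
    """Size and SHA-256 of one file."""
    data = path.read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(root: Path) -> dict:
    """Map of relative path -> fingerprint for every executable under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Per file: 'unchanged', 'grown', 'modified', 'missing' or 'new'.

    'grown' (same file, larger, different hash) is the pattern left by code
    appended at the end of a program; 'modified' covers every other change.
    """
    current = build_baseline(root)
    report = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report[rel] = "missing"
        elif new["sha256"] == old["sha256"]:
            report[rel] = "unchanged"
        elif new["size"] > old["size"]:
            report[rel] = "grown"
        else:
            report[rel] = "modified"
    for rel in current:
        if rel not in baseline:
            report[rel] = "new"
    return report


def demo() -> dict:
    """Constructed scenario in a temporary directory (placeholder bytes, no real programs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "editor.exe").write_bytes(b"MZ" + b"\x90" * 200)
        (root / "calc.exe").write_bytes(b"MZ" + b"\xcc" * 100)
        (root / "readme.txt").write_text("not an executable")
        baseline = build_baseline(root)
        # Changes made after the baseline was taken:
        with (root / "editor.exe").open("ab") as f:
            f.write(b"\x00" * 64)                                # 64 bytes appended at the end
        (root / "calc.exe").unlink()                              # one program gone
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x00" * 16)  # one program new
        return compare(root, baseline)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10} {rel}")
```

Two caveats follow directly from the text: keep the baseline on write-protected media so that the virus cannot update it, and run the comparison after booting from a clean medium, since a resident virus that intercepts interrupts can hide the change from programs running on the infected machine.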

Even more advanced viruses try to attack the domains of other users on the network by cracking the passwords, and then repeat the process.

Some viruses are specialized only at cracking firewalls, deleting files, shutting down virus protection programs, sending hundreds of thousands of mails, or stealing addresses from your mailbox and sending them to a secret recipient. Or burning out your display. But mind you, not all viruses are malignant; none are benevolent either, if only because they take up CPU time and disk space.


Discussion

Virus spreading patterns lately (at the time of updating this document) would suggest that MS software is extremely buggy. Yes, its security is pretty weak, but so is that of other software. The reason that other operating systems are less attacked by viruses is that over 98% of the desktop machines run the MS operating system. And programming viruses is relatively easy; it can be done at home. With the availability of tools on the Internet, or in subculture circles, it takes from a few days to weeks to build one, even without much knowledge of networks, firewalls, disk systems, mail deployment mechanisms, password encryption, security measures and so on. People like that are often called "script kiddies".

Of course MS Windows seems to be more targeted than others and apparently more insecure. But, as said, that is a matter of perspective.

Unix or MVS systems look more secure because protecting against intruders is one of the fundamental issues of these systems. This is also the reason viruses get almost no chance to spread through such a system. Most damage is done by the human users themselves, though. And it helps that Unix and VMS systems are relatively isolated from other systems that do not belong to that particular company or institution.

But a system programmer who set himself to it could easily break the security and create a widely spreading virus. It is only that in the 'profession' few people feel the urge to write such software; if that were not the case, Unix systems and the like would be infested with as many viruses as the rest of the operating systems on small or large machines.

Will a microcomputer virus work on other types of machines? Not many do. But considering the connection ratio between micros and "Big Irons" it could travel very well with ordinary documents shared over the network. The end users always have some kind of MS Windows and PC combination on their desk, and are thus prime targets for viruses.

The spread of viruses is often accelerated by the behavior of computer users. The Kournikova virus was a prime example of this. Playing on human curiosity to entice users into opening mail with promising pictures or other material is something a virus protection program cannot guard against. However, it is not only by e-mail that viruses get spread. The classic file attachments, macro code inside documents, or extensions to binary programs are somewhat under-represented in the realm of Trojans and viruses, but they are out there!

Oh yes, there are discussions that virus protection companies themselves create viruses to keep themselves in business. And there are rumors that during the cold war most viruses came from countries like Bulgaria and Romania. And that the virus SoBig.F escaped from an American cyber warfare laboratory. Well, undoubtedly, where there is smoke there is fire. But what is true and what is propaganda?


The Armageddon virus

To illustrate the possibility of an artificial life form cum virus, we'll consider the following case:

"the Armageddon virus"

A rough picture of a disaster in the making.

Say we are going to construct a virus of cataclysmic proportions. What would we need to do?

First of all, a hiding place! Not only for our physical self but also for our new virus. We need a birthing place of some tens of servers spread out, invisible to detection. Stash the virus so that it is accessible only to its maker and to the virus' siblings.

While hiding, the virus sends no message to its maker about its whereabouts and goes into hibernation. This makes it virtually undetectable. After a few months the virus comes out of hibernation to check for messages on a predefined newsgroup. If it does not find anything, the virus will destroy itself. Thus no detection is possible.

Access to the virus is gained by sending out a message to a public newsgroup that can only be understood by the virus itself. Like an ad in a newspaper: "The egg is laid, contact the gardener". The virus will then respond with: "Bring the roses to bloom, water the plant.", meaning an IP number and a password in steganographic form. Much like a cloak and dagger scenario, huh?! This is necessary since, after sending out the virus, the builder does not know where the virus has nested itself.

In this stage the virus will not have any characteristics of a virus. It just sits there, scans particular news servers and waits for messages. Messages left on servers can contain a piece of code to further enhance its viral and survival aspects.

You may have guessed that we are building a DNA based virus and the newsgroup or usenet servers function as a postbox and form a repository of basic building blocks: genetic material. In time our Armageddon virus will grow only in size.

The messages, as said, will contain genetic code, in steganographic or otherwise encrypted form, with which to expand the capabilities of the virus, which thus gains the ability to understand firewalls and proxy servers, store passwords, and decipher username lists on the computer on which it resides. It still does not do anything.

As a primary directive it will learn to create a secret and secure hiding place for itself by developing and improving stealth methods. In effect it becomes undetectable even by the maker him/herself. For the next few years or so it sends out message bots to fetch more DNA from the public boards.

See? The only thing it does till now is hide and grow more "intelligent" while learning the current security tricks and the network configuration, spying on network traffic to distil usernames, passwords and the business structure, and hiding even better from the system engineers by applying ever more sophisticated stealth techniques.

In time it learns how to spread itself without being detected. It starts to communicate with its sibling Armageddon viruses via DNA-encoded messages that are dropped on newsnets, usenet and other publicly accessible servers by newsbots which are generated by Armageddon. It does this by enriching messages that are going out anyway (a kind of piggybacking). It leaves anonymous messages that again bear no signature of any existing virus, nor will these self-destructing messages do anything to harm. Armageddon's single purpose till now is to survive and to increase its intelligence. And by doing so it can choose any strategy it sees fit.

And the clock is ticking...

The virus programmer(s), however, continually code new DNA blocks in this stage and put that code either into pictures on web sites, messages on message boards, discussion groups or whatever else there is that can be seen by Armageddon. And in essence by anyone: if you hide something, let it be visible (Sherlock Holmes). Armageddon will eventually send back suggestions of mutated DNA blocks to the developer to further enhance the quality of the DNA programmed by either the virus builder or the virus itself.

The master plan is for the virus to become part of the operating system itself; disentangling the virus from the OS would mean killing the machines it resides on. To stay undetected the virus hides in the machine code itself by posing as code. By applying steganographic and encryption methods it can reconstruct a sibling from the 'genes' of the OS itself!

Now the time has come to expand a little bit, unobtrusively though.

It will spawn a few other generations of Arma's, and the prototypes of Armageddon will go into hibernation to serve as basic material in case of detection or unsuccessful generations of Armageddon. In some future generation, at an unknown point in time when the population or intelligence (either one) has reached a critical mass, Armageddon strikes and wipes out the entire computer population. Effectively it commits suicide, but only after it has created some isolated pockets where it survives and waits till there is enough computer momentum to do the trick again.

That this war cannot be won by any human must be clear.

This is just a rough sketch of what could be expected of future viruses, which are combinations of:

* worms - to fight the system's security;
* viruses - to combine genetic code into something useful;
* bots - to gather information;
* binary components - to be able to elude detection;
* artificial intelligence - to outsmart the contemporary detection methods and to continue building itself independently of its maker.


Last Update 15 March, 2013
