Basically, a virus is a computer program that is able, with your help and by attaching itself to other documents (programs, e-mail, web pages etc.), to move from computer to computer. These programs are typically harmful rather than beneficial; even a virus with no payload (the part of a virus that carries the code to multiply itself and/or to destroy something) is an unwelcome visitor that takes up system resources.
A virus is not the only way you can experience problems with your computer. For most people, hardware or software problems are far more common. This document contains a discussion of some of the most common kinds of virus.
Several classes of code are often grouped under the name "virus", but not all of them are viruses in the classic meaning of the term. Among them: worms, Trojan horses, logic bombs and others.
The thing to remember is that a virus moves from computer to computer by attaching itself to a document. Such a document can be an executable program, e-mail you have received, or any other piece of information that resides on your computer, including the small program that lives in the boot sector of every floppy or hard disk, bootable or not.
For most viruses, when the program with the virus attached is run, the viral code goes into memory and stays there for as long as the computer is turned on. In some cases the virus even survives a warm boot with Ctrl-Alt-Del.
To spread itself, a virus first attaches itself to other programs, documents with macros, e-mail or other disks as they are accessed. Then, if the circumstances are right for that particular virus, it activates and does whatever damage it was designed to do. This may range from a simple message on your screen to complete erasure of your disk, or nothing at all beyond being a nuisance.
Bootsector virus
Bootsector viruses are the classics among viruses. A bootsector virus settles into the boot sector of a floppy or hard disk, a specific sector where the machine finds the small program that starts the operating system (or, on a non-bootable disk, the code that tells you the disk is not bootable). During the 80's bootsector viruses were a real pest on Amiga and Commodore 64 computers: easy to remove but a nuisance, and sometimes very virulent. Once a bootsector virus had infected your disk the machine either froze or the floppy was no longer usable until you removed the virus. Sometimes even the spare copy of the boot sector was overwritten, and then your data could only be salvaged with the help of a recovery program.
Trojans
A Trojan (Trojan horse) is a program that pretends to be something useful while carrying hidden code that does something else; unlike a virus it does not replicate itself, and its hidden function may only trigger under specific circumstances. It is often spread riding piggyback on another program, or simply hidden inside one. The first widely known PC Trojan was a tampered copy of PC-Write, a popular shareware word processor: by hiding the malicious code inside "PC-Write", many users thought they were downloading the word processor, when in fact they were downloading the Trojan. Tricky.
Polymorphic viruses
A polymorphic virus is a virus that changes its own appearance from one infection to the next to elude signature-based detection, and sometimes changes its behaviour as well. For example, instead of wiping your hard disk it may lock your keyboard when specific keys are pressed in a particular sequence. Very hard to detect by signature alone.
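To make concrete why a polymorphic virus is "very hard to detect", here is an added example (not code from the original page, and no real virus): a benign ASCII string stands in for the virus body, a constructed one-byte XOR decoder stands in for the mutating decryption stub, and two scanners are compared. The naive scanner looks for a fixed byte signature taken from the body; the emulating scanner first runs the decoder logic and only then compares a hash of the recovered body. All names (`encode`, `decode`, `DECODER_MARK`, the key range) are choices made for this illustration.

```python
"""Signature scanning versus emulation against a (toy) polymorphic sample."""
from __future__ import annotations

import hashlib

# Constructed stand-in for the first byte of a decoder stub; a real stub is
# machine code and, in a real polymorphic engine, changes shape as well.
DECODER_MARK = b"\xeb"

# Constructed, benign stand-in for the virus body. Every byte is 7-bit ASCII.
BODY = b"Hello from the example body; nothing in here executes."

# What a naive scanner stores: a fixed 12-byte signature cut from the body.
BODY_SIGNATURE = BODY[:12]
# What an emulating scanner stores: a hash of the body as it looks once decoded.
BODY_DIGEST = hashlib.sha256(BODY).hexdigest()


def encode(body: bytes, key: int) -> bytes:
    """One 'generation' of the sample: stub marker, the key, then body XOR key.

    Only the key varies here; the body bytes on disk differ for every key.
    """
    return DECODER_MARK + bytes([key]) + bytes(b ^ key for b in body)


def decode(sample: bytes) -> bytes:
    """What an emulating scanner does: execute the decoder logic, get the body."""
    if len(sample) < 2 or sample[:1] != DECODER_MARK:
        return sample
    key = sample[1]
    return bytes(b ^ key for b in sample[2:])


def signature_scan(sample: bytes) -> bool:
    """Static scan: does the on-disk sample contain the body signature?"""
    return BODY_SIGNATURE in sample


def emulating_scan(sample: bytes) -> bool:
    """Emulating scan: decode first, then compare the body hash."""
    return hashlib.sha256(decode(sample)).hexdigest() == BODY_DIGEST


def generations(keys=range(0x80, 0x100)) -> list[bytes]:
    """Produce 128 variants of the same body.

    Keys with the high bit set are a constructed choice that makes the outcome
    deterministic: every encoded byte then has its high bit set, so the ASCII
    signature cannot appear anywhere in the sample.
    """
    return [encode(BODY, k) for k in keys]


def detection_rates(samples: list[bytes]) -> tuple[int, int]:
    """Return (hits by signature scan, hits by emulating scan)."""
    return (sum(signature_scan(s) for s in samples),
            sum(emulating_scan(s) for s in samples))


if __name__ == "__main__":
    sig_hits, emu_hits = detection_rates(generations())
    print(f"signature scanner caught {sig_hits} of 128 variants")
    print(f"emulating scanner caught {emu_hits} of 128 variants")
```

The signature scanner catches none of the 128 variants, the emulating scanner all of them. Note the toy's own weakness: its decoder always starts with the same marker byte, so a signature on the stub would still work; real polymorphic engines mutate the decoder as well, which is exactly what pushed scanners from pattern matching towards emulation and behaviour analysis.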
Binary viruses
A binary virus is a virus that needs a second component before it is activated and can do whatever it was designed to do. Each half on its own does nothing, which makes an incomplete binary virus nearly impossible to detect by its behaviour.
Macro viruses
A macro virus most often lives in Microsoft Office documents, such as Excel and Word files or Outlook items, and works its havoc through the macro language those applications run. The code is comparatively easy to detect and to deactivate.
Standard virus
As far as one can still speak of a standard virus: contemporary viruses are hybrids that even contain their own mail engine!
A standard virus resides in memory, and its infection routine works like a three-stage rocket:
- staying in memory as a resident process;
- detecting programs (executables) that are loaded into the computer's memory;
- attaching itself to an available slot in that program, mostly at the end, as it resides on hard disk or floppy. That medium must not be write-protected: as far as is known no virus breaks the write protection enforced by the drive hardware, but one can never tell.
More advanced viruses scour your hard disk for other programs or executables and attach themselves to any available one, then look for other hard disks, network disks included, and do the same thing over again.
Even more advanced viruses try to attack the domains of other users on the network by cracking passwords, and repeat the process there.
Some viruses specialise in cracking firewalls, deleting files, shutting down virus protection programs, sending hundreds of thousands of mails, or stealing addresses from your mailbox and sending them to a secret recipient. Or burning out your display. But mind you, while not all viruses are malignant, none are benevolent either, if only because they take up CPU time and disk space.
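Both the bootsector section above and the "three-stage rocket" just described come down to the same defensive check: something on disk that should not change (boot code, executables) has changed. The following added example, which is not code from the original page, shows the integrity-baseline approach that classic anti-virus tools used. It records a hash of the boot code region of a 512-byte sector image and a size-plus-hash baseline for executables, then reports a sector whose code was replaced while its 0x55AA signature was kept, a file that only grew at the end, and a file whose header was patched as well as extended. All sample data is constructed in memory; the function names and the exact report wording are choices made for this illustration.

```python
"""Integrity baseline for boot sectors and executables (added example)."""
from __future__ import annotations

import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid PC boot sector
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries precede the signature


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_boot_sector(sector: bytes, known_good_code_hash: str) -> dict:
    """Validate a 512-byte sector image against a recorded baseline.

    Only bytes 0..445 (the boot code) are compared with the baseline, because
    the partition table legitimately changes when a disk is repartitioned.
    The 0x55AA signature is checked separately: many boot-sector viruses keep
    it intact while replacing the code in front of it.
    """
    report = {
        "size_ok": len(sector) == SECTOR_SIZE,
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "code_hash": sha256(sector[:PARTITION_TABLE_OFFSET]),
    }
    report["code_ok"] = report["code_hash"] == known_good_code_hash
    return report


def build_baseline(files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record (size, sha256) per file. `files` stands in for a directory read from disk."""
    return {name: (len(data), sha256(data)) for name, data in files.items()}


def compare(baseline: dict[str, tuple[int, str]], files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Report every file that differs from the baseline and classify the change."""
    findings = []
    for name, data in files.items():
        if name not in baseline:
            findings.append((name, "new file"))
            continue
        size, digest = baseline[name]
        grown = len(data) - size
        if grown > 0 and sha256(data[:size]) == digest:
            findings.append((name, f"grew by {grown} bytes, original prefix intact (pure append)"))
        elif grown > 0:
            findings.append((name, f"grew by {grown} bytes, prefix also modified (entry-point patch plus appended code)"))
        elif sha256(data) != digest:
            findings.append((name, "modified in place"))
    for name in sorted(baseline.keys() - files.keys()):
        findings.append((name, "missing"))
    return findings


def demo() -> dict:
    """Run both checks on constructed sample data; nothing here is real disk content."""
    clean = bytearray(SECTOR_SIZE)
    clean[0:3] = b"\xeb\x3c\x90"           # constructed: JMP SHORT + NOP, as DOS boot code begins
    clean[3:11] = b"EXAMPLE "              # constructed OEM name field
    clean[510:512] = BOOT_SIGNATURE
    good_hash = sha256(bytes(clean[:PARTITION_TABLE_OFFSET]))

    infected = bytearray(clean)
    infected[0:3] = b"\xea\x00\x7c"        # constructed: boot code replaced, 0x55AA left in place

    original = {                            # constructed executables
        "edit.com": b"MZ" + bytes(range(200)),
        "format.com": b"MZ" + bytes(range(150)),
    }
    baseline = build_baseline(original)
    later = dict(original)
    # constructed: 64 bytes appended, nothing else touched
    later["edit.com"] = original["edit.com"] + b"\x90" * 64
    # constructed: header byte patched (a jump to the new tail) plus 64 bytes appended
    later["format.com"] = b"MZ\xe9" + original["format.com"][3:] + b"\x90" * 64

    return {
        "boot_clean": check_boot_sector(bytes(clean), good_hash),
        "boot_infected": check_boot_sector(bytes(infected), good_hash),
        "files": compare(baseline, later),
    }


if __name__ == "__main__":
    result = demo()
    print("clean sector   :", result["boot_clean"]["code_ok"])
    print("infected sector:", result["boot_infected"]["code_ok"],
          "(signature still valid:", result["boot_infected"]["signature_ok"], ")")
    for name, verdict in result["files"]:
        print(f"{name}: {verdict}")
```

A baseline only helps if it was taken from a known-clean system and is stored where a resident virus cannot rewrite it (a write-protected floppy in the era this page describes), which is the same write-protection argument the third rocket stage relies on.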
Discussion
Recent virus spreading patterns (at the time of updating this document) would suggest that MS software is extremely buggy. Yes, its software security is pretty weak, but so is that of other software. The reason other operating systems are attacked less by viruses is that over 98% of desktop machines run the MS operating system. And programming viruses is relatively easy; it can be done at home. With the tools available on the Internet or in subculture circles it takes from a few days to a few weeks to build one, even without much knowledge of networks, firewalls, disk systems, mail delivery mechanisms, password encryption, security measures and so on. People like that are often called "script kiddies".
Of course MS Windows seems to be more targeted than others and apparently more insecure. But, as said, that is a matter of perspective.
Unix or MVS systems look more secure because protecting against intruders is one of the fundamental design issues of these systems. This is also the reason viruses get almost no chance to spread through such a system.
Most damage is done by the human users themselves, though. And it helps that Unix and VMS systems are relatively isolated from other systems that do not belong to that particular company or institution.
But a system programmer who set himself to it could easily break the security and create a widely spreading virus. Few people in the 'profession' feel the urge to write such software; if that were not the case, Unix systems and the like would be infested with as many viruses as the rest of the operating systems on small or large machines.
Will a microcomputer virus work on other types of machines? Not many do. But considering how well connected micros and "big irons" are, a virus could travel very well with ordinary documents shared over the network. End users always have some kind of MS Windows and PC combination on their desk, and are thus prime targets for viruses.
The spread of viruses is often accelerated by the behaviour of computer users. The Kournikova virus was a prime example: exploiting human curiosity to entice users into opening mail that promises pictures or other material is something a virus protection program cannot guard against. However, e-mail is not the only way viruses get spread. The classic file attachments, macro code inside documents, or extensions to binary programs are somewhat under-represented in the realm of Trojans and viruses these days, but they are out there!
Oh yes, there are discussions that virus protection companies themselves create viruses to keep themselves in business. And there are rumours that during the cold war most viruses came from countries like Bulgaria and Romania, and that the SoBig.F virus escaped from an American cyber-warfare laboratory. Well, undoubtedly where there is smoke there is fire. But what is true and what is propaganda?
The Armageddon virus
To illustrate the possibility of an artificial life form cum virus we will consider the following case, "the Armageddon virus": a rough picture of a disaster in the making.
Say we are going to construct a virus of cataclysmic proportions. What would we need to do?
First of all, a hiding place! Not only for our physical selves but also for our new virus. We need a birthing place of some tens of servers, spread out and invisible to detection, where the virus is stashed so that it is accessible only to its maker and to the virus' siblings.
While hiding, the virus sends no message to its maker about its whereabouts and goes into hibernation. This makes it virtually undetectable. After a few months the virus comes out of hibernation to check for messages on a predefined newsgroup. If it finds nothing, the virus destroys itself. Thus no detection is possible.
Access to the virus is gained by posting a message to a public newsgroup that can only be understood by the virus itself, like an ad in a newspaper: "The egg is laid, contact the gardener". The virus then responds with "Bring the roses to bloom, water the plant", meaning an IP address and a password in steganographic form. Much like a cloak-and-dagger scenario, huh?! This is necessary because after sending out the virus the builder does not know where it has nested itself.
At this stage the virus has no characteristics of a virus. It just sits there, scans particular news servers and waits for messages.
Messages left on those servers can contain a piece of code to further enhance its viral and survival abilities.
You may have guessed that we are building a DNA-based virus, and that the newsgroup or Usenet servers function as a postbox and a repository of basic building blocks: genetic material. In time our Armageddon virus will only grow in size.
The messages, as said, contain genetic code in steganographic or otherwise encrypted form, with which the virus expands its capabilities: it learns to understand firewalls and proxy servers, to store passwords and to decipher username lists on the computer it resides on. It still does not do anything.
As a primary directive it learns to create itself a secret, secure hiding place by developing and improving stealth methods, in effect becoming undetectable even to its maker. For the next few years or so it sends out message bots to fetch more DNA from the public boards.
See? The only thing it does until now is hide and grow more "intelligent": learning the current security tricks and the network configuration, spying on network traffic to distil usernames, passwords and the business structure, and hiding ever better from the system engineers by applying ever more sophisticated stealth techniques.
In time it learns how to spread itself without being detected. It starts to communicate with its sibling Armageddon viruses via DNA-encoded messages dropped on newsnets, Usenet and other publicly accessible servers by newsbots that Armageddon generates. It does this by enriching messages that are going out anyway (a kind of piggybacking). It leaves anonymous messages that again carry no signature of any existing virus, nor will these self-destructing messages do any harm.
Armageddon's single purpose until now is to survive and to increase its intelligence. And by doing so it can choose any strategy it sees fit.
And the clock is ticking...
At this stage the virus programmer(s) continually code new DNA blocks and put that code into pictures on web sites, messages on message boards, discussion groups or whatever else can be seen by Armageddon. And in essence by anyone: if you want to hide something, leave it in plain sight (Sherlock Holmes).
Armageddon will eventually send back suggestions of mutated DNA blocks to the developer, to further enhance the quality of the DNA programmed by either the virus builder or the virus itself.
The master plan is for the virus to become a part of the operating system itself, so that disentangling the virus from the OS would mean killing the machines it resides on. To stay undetected the virus hides in the machine code itself, posing as ordinary code. By applying steganographic and encryption methods it can reconstruct a sibling from the 'genes' of the OS itself!
Now the time has come to expand a little, unobtrusively though. It spawns a few further generations of Arma's, and the prototypes of Armageddon go into hibernation to serve as basic material in case of detection or of unsuccessful generations of Armageddon.
In some future generation, at an unknown point in time when the population or the intelligence (either one) has reached critical mass, Armageddon strikes and wipes out the entire computer population, effectively committing suicide, but only after it has created some isolated pockets where it survives and waits until there is enough computer momentum to do the trick again.
That this war cannot be won by any human must be clear.
This is just a rough sketch of what could be expected of future viruses, which are combinations of:
worms - to fight the systems' security;
viruses - to combine genetic code into something useful;
bots - to gather information;
binary components - to be able to elude detection;
artificial intelligence - to outsmart the contemporary detection methods and to continue building itself independently of its maker.