3.1 What are computer viruses, worms and Trojan horses?
Apart from the various types of attacks on the security aspects discussed earlier, there exist a few more destructive programs, which threaten our systems in various ways. Their creators develop these programs with the sole objective of 'Destruction'. In this chapter we shall discuss such programs, viz. computer viruses, worms and Trojan horses, in detail. This will enable us to take precautionary measures in order to protect ourselves from these additional threats.
Computer Viruses:
General Concept:
There is nothing magical about computer viruses. A virus is simply a computer program, which is stored somewhere on the disk. But unlike other programs, this program is not available separately: it tries to hide itself by attaching to some legitimate program. Still, it is a computer program. There is much similarity between a computer virus and a biological virus. Both invade the body/machine and attach to a cell/program, and once lodged, they monitor the activity of the host in order to replicate themselves.
Why are viruses developed?
Virus programs are normally written with the objective of destructive effects. A virus cannot do anything that was not written into its program. It is the creation of an intelligent computer programmer, but with harmful intentions. There are other harmful programs, like worms, Trojan horses etc. A program is not a virus unless it has the ability to replicate itself.
There are several ways and intentions with which viruses are written. These range from complete destruction of the host system to simple pass-time nuisance activities. Sometimes viruses are used to stop legitimate programs from being copied, or just to prove someone's knowledge, or simply to make fun of it, and so forth.
How do they work?
Similar to their biological counterparts, computer viruses also require carriers. As biological viruses may use animals, insects, water or air as a medium for propagation, computer viruses need carriers like legitimate executable programs, boot sectors, partition tables etc. to carry them to the host for further destruction and replication. When the infected code gets executed by some means (using these carriers), the virus loads itself into memory and performs according to its program.
There are specific stages in a virus's existence, called the life cycle of a virus.
The first stage is called the pre-trigger stage or the dormant stage. In this stage the virus lies dormant and does not do any destruction. (This is also similar in the biological virus.) It is hard to detect a virus in this stage.
The second stage, called the trigger stage, is the one in which the virus is set off to perform its destruction. A trigger can be made to go off at a given time, after a given number of times a program is run, on the physical condition of the disk, on a specific date or time, on any other event, or on just anything its developer might have thought of.
Once this trigger goes off, the destructive action written into the virus program executes to carry out the destruction. This is said to be the final stage, as it causes the actual damage the virus is supposed to do.
Virus programs enter the system either by way of copying the carrier programs (exe, com, bat, sys and similar files), by copying anything from a disk with an infected boot sector or partition table, or even through e-mail or website contents. Also, the replication activity of viruses is transparent to the user.
3.2 Types of Virus
Virus classifications:
There are several classes/types of viruses, some of them discovered recently. They are classified according to what they infect. The two major classes of viruses are:
1. Boot sector/partition table viruses and
2. File viruses.
Afterwards a few other classes were also included as new breeds of viruses started coming in. These newer classes of viruses include:
3. Multipartite viruses,
4. Polymorphic viruses,
5. Stealth viruses and
6. Macro viruses.
The working of each of these types is explained below:
1. Boot sector/partition table viruses: Infect the boot sector, Master Boot Record (MBR) or the partition table of disks. These are sensitive areas of the system which, when controlled, make it much easier for the virus to carry out further replication. The code in these locations gets loaded into memory at system startup and hence is a good target for these viruses. Boot sector viruses copy the boot sector program to another location and write a copy of their own code to the boot sector. When the computer is booted from the infected disk, it executes the virus code, which then executes the copy of the boot sector it has saved elsewhere. Examples of this type include Michelangelo, Monkey, Brain, Stoned, Pentagon, Print Screen etc.
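Because the boot code and partition table live at fixed offsets in the first 512 bytes of the disk, a defender can record a baseline of that sector at install time and re-check it later. The following is an added example written for this page (it is not code from the original text): it parses the MBR layout (boot code in bytes 0..445, four 16-byte partition entries from byte 446, the 0x55AA signature at bytes 510..511), hashes the boot code and compares both against a stored baseline. The MBR images are constructed sample data; on a real system the 512 bytes would be read from the raw disk device with administrative rights, which is left as an assumption here.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511


def build_sample_mbr(boot_code: bytes, lba_start: int, sectors: int) -> bytes:
    """Construct a 512-byte MBR for the demo (sample data, not a real disk image):
    the given boot code, one active partition entry, and the 0x55AA signature."""
    if len(boot_code) > PART_TABLE_OFFSET:
        raise ValueError("boot code too long")
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        lba_start, sectors)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)   # three unused slots
    return code + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Parse an MBR into a comparable record: hash of the boot code plus the partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_SIZE])
        if ptype == 0:
            continue                      # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(baseline: dict, current: dict) -> list:
    """Return a list of findings; an empty list means the MBR matches the stored baseline."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    return findings


# Constructed sample: a clean MBR, recorded as the baseline at install time.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", lba_start=2048, sectors=409600)
BASELINE = parse_mbr(CLEAN_MBR)


def check(mbr: bytes) -> list:
    """Compare a freshly read MBR against the recorded baseline."""
    return compare_to_baseline(BASELINE, parse_mbr(mbr))


if __name__ == "__main__":
    tampered = bytearray(CLEAN_MBR)
    tampered[0:8] = b"\x90" * 8          # boot code overwritten, table untouched
    print(check(CLEAN_MBR))              # []
    print(check(bytes(tampered)))        # ['boot code changed']
```

The baseline must be taken while the system is known clean and stored off the disk being checked; a boot sector virus that is already resident in memory could otherwise serve the scanner the saved copy of the original sector rather than what is really on the disk.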
2. Memory-resident viruses: Lodge in main memory as part of a resident system program; from that point on, the virus infects every program that executes.
3. File viruses: As the name implies, these viruses infect files. These files normally include executable files such as .exe, .com, .bat etc. In general viruses do not infect data files, because they are not executed. But this does not mean that data files are totally secure from viruses: they may still be targeted in the destruction stage of other viruses. Examples are Jerusalem, Die Hard 2, Concept, Cascade etc.
4. Parasitic viruses: The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect.
5. Multipartite viruses: These viruses are a combination of both boot sector and file viruses. They first infect executable files, and when these files are run, the viruses further infect boot sectors/partition tables. Thus they can infect in both ways. Examples are Tequila, Flip, Invader etc.
6. Polymorphic viruses: These are a newer type of virus, which encrypt their code in various ways so that it appears different with each infection. Obviously these are more difficult to detect. Examples include Phoenix, Evil, Proud, Stimulate etc.
7. Stealth viruses: Viruses using certain techniques to avoid detection by antivirus utilities are of this type. Such viruses may hide themselves in some position other than the detectable one, or keep the infected file's size and date the same as the original, and so on. Examples are Whale, Frodo, Joshi etc.
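The practical lesson of the size-and-date trick is that an integrity check which only compares file metadata is blind to it, while a check on the file's actual bytes is not. The following is an added example written for this page (not code from the original text) that baselines a constructed sample file, overwrites it with different bytes of the same length while restoring the modification time, and then runs both kinds of check. The overwrite function is a test fixture standing in for the behaviour the text describes; the file name and contents are constructed.

```python
import hashlib
import os
import tempfile


def fingerprint(path: str) -> dict:
    """Record both what a naive check looks at (size, modification time) and a content hash."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}


def metadata_unchanged(baseline: dict, current: dict) -> bool:
    """The weak check: compares only size and date, the attributes a stealth virus keeps intact."""
    return baseline["size"] == current["size"] and baseline["mtime_ns"] == current["mtime_ns"]


def content_unchanged(baseline: dict, current: dict) -> bool:
    """The robust check: compares the hash of the actual bytes."""
    return baseline["sha256"] == current["sha256"]


def overwrite_keeping_metadata(path: str) -> None:
    """Constructed stand-in for the metadata-preserving trick described in the text:
    replaces the file's bytes with different bytes of the same length and restores the
    modification time. It is a test fixture for the checks above, not virus code."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(bytes(b ^ 0xFF for b in data))   # same length, every byte different
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo() -> dict:
    """Baseline a constructed sample file, modify it stealthily, and re-run both checks."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "program.exe")     # sample file, not a real executable
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"original program body")
        baseline = fingerprint(path)
        overwrite_keeping_metadata(path)
        current = fingerprint(path)
        return {"metadata_check_passes": metadata_unchanged(baseline, current),
                "content_check_passes": content_unchanged(baseline, current)}


if __name__ == "__main__":
    print(demo())   # {'metadata_check_passes': True, 'content_check_passes': False}
```

Hashing only helps if the scanner reads the real bytes: a memory-resident stealth virus that intercepts file reads can return the original content to the scanner, which is why such checks are run from a clean boot (a trusted rescue disk) rather than from the possibly infected running system.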
8. Macro viruses: This is a newer type of virus, which infects the macros (small stored procedures that carry out multiple jobs at a keystroke) within a document or template. Whenever the infected document/template is opened, the macro virus activates. Generally, for word processing the template used is the file called normal.dot. When new files are created based on this template, the virus infects them all. Examples include W32, Nuclear, Word Concept etc.
9. Tunneling viruses: One method of virus detection is an interception program, which sits in the background looking for specific actions that might signify the presence of a virus. To do this it must intercept interrupts and monitor what's going on. A tunneling virus attempts to backtrack down the interrupt chain in order to get directly to the DOS and BIOS interrupt handlers. The virus then installs itself underneath everything, including the interception program. Some anti-virus programs will attempt to detect this and then reinstall themselves under the virus. This can cause an interrupt war between the anti-virus program and the virus and result in problems on your system.
Some anti-virus programs also use tunneling techniques to bypass any viruses that might be active in memory when they load.
10. Cluster viruses: There is a type of virus known as a "cluster" virus that infects your files not by changing the files or planting extra files, but by changing the DOS directory information so that directory entries point to the virus code instead of the actual program. When you run a program, DOS first loads and executes the virus code; the virus then locates the actual program and executes it. Dir-2 is an example of this type of virus.
The interesting thing about this type of virus is that even though every program on the disk may be "infected," because only the directory pointers are changed, there is only one copy of the virus on the disk.
One can also usually classify this type of virus as a fast infector. On any file access, the entire current directory will be infected and, if the DOS path must be searched, all directories on the path will typically be infected.
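Since a cluster virus leaves file contents alone and only redirects directory entries, the telltale sign on disk is several executables whose directory entries all start at the same cluster, the one holding the single copy of the virus. The following is an added example written for this page (not code from the original text): it parses raw 32-byte FAT16 directory entries (8.3 name, attribute byte, first-cluster fields, file size) and reports starting clusters claimed by more than one file, which is the same cross-link condition a disk checker flags. The two directory tables are constructed sample data; real tables would be read from the disk, which is an assumption left outside the block.

```python
import struct
from collections import defaultdict

ENTRY_SIZE = 32
# 8.3 name, ext, attr, NT reserved, create tenths, create time/date, access date,
# first cluster high, write time/date, first cluster low, file size
ENTRY_FMT = "<8s3sBBBHHHHHHHI"
ATTR_VOLUME_ID = 0x08
ATTR_LONG_NAME = 0x0F


def make_entry(name: str, ext: str, first_cluster: int, size: int, attr: int = 0x20) -> bytes:
    """Build one 32-byte FAT16 directory entry (constructed sample data)."""
    return struct.pack(ENTRY_FMT, name.upper().ljust(8).encode("ascii"),
                       ext.upper().ljust(3).encode("ascii"), attr,
                       0, 0, 0, 0, 0, 0, 0, 0, first_cluster, size)


def parse_directory(raw: bytes) -> list:
    """Parse a raw FAT directory table into name / first cluster / size records,
    skipping deleted, long-name and volume-label entries."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        chunk = raw[off:off + ENTRY_SIZE]
        if chunk[0] == 0x00:
            break                         # no more entries in this directory
        if chunk[0] == 0xE5:
            continue                      # deleted entry
        fields = struct.unpack(ENTRY_FMT, chunk)
        attr = fields[2]
        if attr == ATTR_LONG_NAME or attr & ATTR_VOLUME_ID:
            continue
        base = fields[0].decode("ascii").rstrip()
        ext = fields[1].decode("ascii").rstrip()
        name = f"{base}.{ext}" if ext else base
        first_cluster = (fields[8] << 16) | fields[11]
        entries.append({"name": name, "first_cluster": first_cluster, "size": fields[12]})
    return entries


def find_cross_linked(entries: list) -> dict:
    """Map each starting cluster claimed by more than one entry to the names that claim it."""
    by_cluster = defaultdict(list)
    for e in entries:
        if e["first_cluster"] != 0:       # cluster 0 means an empty file
            by_cluster[e["first_cluster"]].append(e["name"])
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


# Constructed sample directories: a healthy one, and one whose two executables
# both point at cluster 200 while the data file is left alone.
END = b"\x00" * ENTRY_SIZE
CLEAN_DIR = (make_entry("CMD", "EXE", 10, 47845) + make_entry("EDIT", "COM", 25, 413)
             + make_entry("README", "TXT", 40, 1200) + END)
SUSPECT_DIR = (make_entry("CMD", "EXE", 200, 47845) + make_entry("EDIT", "COM", 200, 413)
               + make_entry("README", "TXT", 40, 1200) + END)

if __name__ == "__main__":
    print(find_cross_linked(parse_directory(CLEAN_DIR)))    # {}
    print(find_cross_linked(parse_directory(SUSPECT_DIR)))  # {200: ['CMD.EXE', 'EDIT.COM']}
```

This only compares starting clusters; a full disk check also walks each file's chain through the FAT. As with the other checks in this section, the directory table must be read from a clean boot, since a memory-resident cluster virus can intercept directory reads and present the original entries to whatever is looking.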
11. E-mail viruses: The e-mail virus can be activated merely by opening an e-mail that contains the virus, rather than by opening an attachment. The virus uses the Visual Basic scripting language supported by the e-mail package.
For instance, Melissa was one of the first rapidly spreading e-mail viruses, which made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then:
- The e-mail virus sends itself to everyone in the mailing list in the user's e-mail contact list.
- The virus does local damage.
Thus we see a new generation of malware that arrives via e-mail and uses e-mail software features to replicate itself across the Internet. The virus propagates itself as soon as it is activated (either by opening an e-mail attachment or by opening the e-mail) to all of the e-mail addresses known to the infected host. As a result, whereas viruses used to take months or years to propagate, they now do so in hours. This makes it very difficult for antivirus software to respond before much damage is done.