Monday, August 2, 2010

VIRUS

Bappa Dey


Introduction

A virus reproduces, usually without your permission or knowledge. In general terms they have an infection phase where they reproduce widely and an attack phase where they do whatever damage they are programmed to do (if any). There are a large number of virus types.



Viruses are a cause of much confusion and a target of considerable misinformation even from some virus experts. Let's define what we mean by virus:



A virus is a program that reproduces its own code by attaching itself to other executable files in such a way that the virus code is executed when the infected executable file is executed.



You could probably also say that the virus must do this without the permission or knowledge of the user, but that's not a vital distinction for purposes of our discussion here. We are using a broad definition of "executable file" and "attach" here.



An obvious example of an executable file would be a program (COM or EXE file) or an overlay or library file used by an EXE file. Less obvious, but just as critical, would be the macro portion of what you might generally consider to be a data file (e.g., a Microsoft Word document). It's important to also realize that the system sectors on either a hard or floppy disk contain executable code that can be infected--even those on a data disk. More recently, scripts written for Internet Web sites and/or included in E-mail can also be executed and infected.



To attach might mean physically adding to the end of a file, inserting into the middle of a file, or simply placing a pointer to a different location on the disk somewhere where the virus can find it.

Most viruses do their job by placing self-replicating code in other programs, so that when those other programs are executed, even more programs are infected with the self-replicating code. This self-replicating code, when triggered by some event, may do a potentially harmful act to your computer.

Another way of looking at viruses is to consider them to be programs written to create copies of themselves. These programs attach these copies onto host programs (infecting these programs). When one of these hosts is executed, the virus code (which was attached to the host) executes, and links copies of itself to even more hosts.



Similar to viruses, you can also find malicious code in Trojan Horses, worms, and logic bombs. Often the characteristics of both a virus and a worm can be found in the same beast, confusing the issue even further.



Note: The balance between viruses, worms, and Trojan Horses changes from time to time. In the early days of such malware, viruses tended to dominate. Various macro viruses/worms appeared later as the dominant form; by around 2005 or so Trojan Horses started to be more prominent, and by early 2008 they were, by far, the dominant malware.

Virus Behavior



Virus writers have to balance how and when their viruses infect against the possibility of being detected. Therefore, the spread of an infection may not be immediate.



Viruses need time to infect. Not all viruses attack, but all use system resources and often have bugs.

Viruses come in a great many different forms, but they all potentially have two phases to their execution, the infection phase and the attack phase.



Infection Phase

When the virus executes it has the potential to infect other programs. What's often not clearly understood is precisely when it will infect the other programs. Some viruses infect other programs each time they are executed; other viruses infect only upon a certain trigger. This trigger could be anything; a day or time, an external event on your PC, a counter within the virus, etc. Virus writers want their programs to spread as far as possible before anyone notices them.

It is a serious mistake to execute a program a few times, find nothing infected, and presume the program carries no virus. You can never be sure the virus simply hasn't yet triggered its infection phase.

Many viruses go resident in the memory of your PC in the same or similar way as terminate and stay resident (TSR) programs. (For those not old enough to remember TSRs, they were programs that executed under DOS but stayed in memory instead of ending.) This means the virus can wait for some external event before it infects additional programs. The virus may silently lurk in memory waiting for you to access a diskette, copy a file, or execute a program, before it infects anything. This makes viruses more difficult to analyze since it's hard to guess what trigger condition they use for their infection.

On older systems, standard (640K) memory is not the only memory vulnerable to viruses. It is possible to construct a virus which will locate itself in upper memory (the space between 640K and 1M) or in the High Memory Area (the small space between 1024K and 1088K). And, under Windows, a virus can effectively reside in any part of memory.

Resident viruses frequently take over portions of the system software on the PC to hide their existence. This technique is called stealth. Polymorphic techniques also help viruses to infect yet avoid detection.

Note that worms often take the opposite approach and spread as fast as possible. While this makes their detection virtually certain, it also has the effect of bringing down networks and denying access, which is one of the goals of many worms.

Attack Phase

Many viruses do unpleasant things such as deleting files or changing random data on your disk, simulating typos or merely slowing your PC down; some viruses do less harmful things such as playing music or creating messages or animation on your screen. Just as the infection phase can be triggered by some event, the attack phase also has its own trigger.

Does this mean a virus without an attack phase is benign? No. Many viruses have bugs in them and these bugs often cause unintended negative side effects. In addition, even if the virus is perfect, it still steals system resources. (Also, see the "good" virus discussion.)

Viruses often delay revealing their presence by launching their attack only after they have had ample opportunity to spread. This means the attack could be delayed for days, weeks, months, or even years after the initial infection.

The attack phase is optional; many viruses simply reproduce and have no trigger for an attack phase. Does this mean that these are "good" viruses? No! Anything that writes itself to your disk without your permission is stealing storage and CPU cycles. (Also see the "good" virus discussion.) This is made worse since viruses that "just infect," with no attack phase, often damage the programs or disks they infect. This is not an intentional act of the virus, but simply a result of the fact that many viruses contain extremely poor quality code.

As an example, one of the most common past viruses, Stoned, is not intentionally harmful. Unfortunately, the author did not anticipate the use of anything other than 360K floppy disks. The original virus tried to hide its own code in an area of 1.2MB diskettes that resulted in corruption of the entire diskette (this bug was fixed in later versions of the virus).



Number of Viruses



There were over 50,000 computer viruses in 2000 and that number was then and still is growing rapidly. Sophos, in a print ad in June 2005, claimed "over 103,000 viruses." And, Symantec, in April 2008, was reported to have claimed the number is over one million. Fortunately, only a small percentage of these are circulating widely.



There are more MS-DOS/Windows viruses than all other types of viruses combined (by a large margin). Estimates of exactly how many there are vary widely and the number is constantly growing.

In 1990, estimates ranged from 200 to 500; then in 1991 estimates ranged from 600 to 1,000 different viruses. In late 1992, estimates were ranging from 1,000 to 2,300 viruses. In mid-1994, the numbers varied from 4,500 to over 7,500 viruses. In 1996 the number climbed over 10,000. 1998 saw 20,000 and 2000 topped 50,000. It's easy to say there are more now. Indeed, in April 2008, the BBC reported that Symantec now claims "that the security firm's anti-virus programs detect to 1,122,311" viruses and that "almost two thirds of all malicious code threats currently detected were created during 2007."

The confusion exists partly because it's difficult to agree on how to count viruses. New viruses frequently arise from someone taking an existing virus that does something like put a message out on your screen saying: "Your PC is now stoned" and changing it to say something like "Donald Duck is a lie!". Is this a new virus? Most experts say yes. But, this is a trivial change that can be done in less than two minutes resulting in yet another "new" virus.

More confusion arises with some companies counting viruses+worms+Trojans as a unit and some not.

Another problem comes from viruses that try to conceal themselves from scanners by mutating. In other words, every time the virus infects another file, it will try to use a different version of itself. These viruses are known as polymorphic viruses.

One example, the Whale (an early, huge, clumsy 10,000 byte virus), creates 33 different versions of itself when it infects files. At least one vendor counted this as 33 different viruses on their list. Many of the large number of viruses known to exist have not been detected in the wild but probably exist only in someone's virus collection.

David M. Chess of IBM's High Integrity Computing Laboratory reported in the November 1991 Virus Bulletin that "about 30 different viruses and variants account for nearly all of the actual infections that we see in day-to-day operation." In late 2007, about 580 different viruses, worms, and Trojans (and some of these are members of a single family) accounted for all the virus-related malware that actually spread in the wild. To keep track, visit the WildList, a list which reports virus sightings.

How can there be so few viruses active when some experts report such high numbers? This is probably because most viruses are poorly written and cannot spread at all or cannot spread without betraying their presence. Although the actual number of viruses will probably continue to be hotly debated, what is clear is that the total number of viruses is increasing, although the number of active viruses is not growing quite as rapidly as the totals might suggest.

Summary

By number, there are well over 100,000 known computer viruses.

Only a small percentage of this total number account for those viruses found in the wild, however. Most exist only in collections.

Virus Names



A virus' name is generally assigned by the first researcher to encounter the beast. The problem is that multiple researchers may encounter a new virus in parallel which often results in multiple names.

What's in a name? When it comes to viruses it's a matter of identification to the general public. An anti-virus program does not really need the name of a virus as it identifies it by its characteristics. But, while giving a virus a name helps the public at large it also serves to confuse them since the names given to a particular beast can differ from anti-virus maker to anti-virus maker.

How? Why? Much as they would like to, the virus writers do not get to name their beasts. Some have tried by putting obvious text into the virus but most of the anti-virus companies tend to ignore such text (mostly to spite the virus writers). And, any virus writer that insists on a particular name has to identify themselves in the process--something they usually don't want to do. So, the anti-virus companies control the virus naming process. But, that leads to the naming problem.

Viruses come into various anti-virus companies around the world at various times and by various means. Each company analyzes the virus and assigns a name to it for tracking purposes. While there is cooperation between companies when new viruses are identified, that cooperation often takes a back seat to getting a product update out the door so the anti-virus company's customers are protected. This delay allows alternate names to enter the market. Over time these are often standardized or, at least, cross-referenced in listings; but that does not help when the beast makes its first appearance.

This problem/confusion will continue. One practical and well documented example of how it affects a real-world virus listing can be seen at the WildList site on the page...

http://www.wildlist.org/naming.htm

One attempt at bringing some order to the naming problem is Ian Whalley's VGrep [registration required to view page]. VGrep attempts to collect all of the various virus names and then correlates them into a single searchable list. While useful, there is, again, the lag time necessary to collect and correlate the data.

So, get used to viruses having different names. As Shakespeare said...

What's in a name? That which we call a rose

By any other name would smell as sweet...

Another attempt is the database at VirusPool which "...tries to put information from all known infections and antivirus creators into one place so you can compare names and results." I wish them the best of luck.

A new site to try to correlate malware names: CME - Common Malware Enumeration. CME provides single, common identifiers to new virus threats to reduce public confusion during malware outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware.

Finally, some vendors have largely given up naming specific malware and have resorted to generic names for the type of malware (e.g., Troj/Agent). The malware is being generated faster than the naming system can reasonably keep up. Look for this to probably continue. Of course, this will then mean changes to the specific methods of disinfection as you would no longer be able to download a specific disinfector for a named beast. Time will tell how this develops.
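The name-correlation idea behind VGrep and CME, as an added example that is not part of the original page nor those projects' own code (it also illustrates the counting problem from the Number of Viruses section): each record says which name a scanner reported for a sample, names reported for the same sample are linked as aliases, and a query by any one vendor's name returns what the others call it. All scanner names, sample ids and detection names below are constructed.

```python
"""Added example: a VGrep-style alias index over constructed scan results."""
from collections import defaultdict

# Constructed scan results: (sample id, scanner, reported name).
# ScannerB lumps the two Stoned variants under one name, ScannerA splits them,
# and the last sample has only a generic Troj/Agent-style name from one vendor.
SCAN_RESULTS = [
    ("sample-001", "ScannerA", "Stoned.A"),
    ("sample-001", "ScannerB", "Boot/Stoned"),
    ("sample-001", "ScannerC", "Stoned"),
    ("sample-002", "ScannerA", "Stoned.B"),
    ("sample-002", "ScannerB", "Boot/Stoned"),
    ("sample-003", "ScannerA", "Whale"),
    ("sample-003", "ScannerC", "Whale.1"),
    ("sample-004", "ScannerB", "Troj/Agent-X"),
]


class AliasIndex:
    """Union-find over (scanner, name) pairs; pairs seen on one sample are aliases."""

    def __init__(self, results):
        self.parent = {}
        by_sample = defaultdict(list)
        for sample, scanner, name in results:
            key = (scanner, name)
            self.parent.setdefault(key, key)
            by_sample[sample].append(key)
        # Link every name that was reported for the same sample.
        for keys in by_sample.values():
            for other in keys[1:]:
                self._union(keys[0], other)

    def _find(self, key):
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]  # path halving
            key = self.parent[key]
        return key

    def _union(self, a, b):
        root_a, root_b = self._find(a), self._find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a

    def aliases(self, scanner, name):
        """Return {scanner: sorted names} for everything linked to (scanner, name)."""
        key = (scanner, name)
        if key not in self.parent:
            return {}
        root = self._find(key)
        out = defaultdict(set)
        for other in self.parent:
            if self._find(other) == root:
                out[other[0]].add(other[1])
        return {s: sorted(n) for s, n in sorted(out.items())}

    def name_count(self):
        """Distinct (scanner, name) pairs: what a naive 'count the names' gives."""
        return len(self.parent)

    def groups(self):
        """Distinct alias groups: a rough count of how many beasts there really are."""
        return len({self._find(k) for k in self.parent})


if __name__ == "__main__":
    index = AliasIndex(SCAN_RESULTS)
    print(index.aliases("ScannerA", "Stoned.A"))
    print(index.name_count(), "names for", index.groups(), "groups")
```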



Summary

Virus naming is a function of the anti-virus companies. This results in different names for new viruses.

Different names can cause confusion for the public but not anti-virus software which looks at the virus, not its "name."

There are different sites that attempt to correlate the various virus names for you.



How Serious are Viruses



While serious if you have one, viruses are only one way your data can be damaged. You must be prepared for all threats; many of which are more likely to strike than viruses.

It's important to keep viruses in perspective. There are many other threats to your programs and data that are much more likely to harm you than viruses. A well known anti-virus researcher once said that you have more to fear from a cup of coffee (which may spill) than from viruses. While the growth in number of viruses, the introduction of the Microsoft Word macro viruses, VisualBasic Script worms, and socially-engineered Trojans now puts this statement into question (even though you can avoid these by just not clicking on them to open them!), it's still clear that there are many dangerous occurrences of data corruption from causes other than from viruses.

So, does this mean that viruses are nothing to worry about? Emphatically, no! It just means that it's foolish to spend much money and time on addressing the threat of viruses if you've done nothing about the other more likely threats to your files. Because viruses and worms are deliberately written to invade and possibly damage your PC, they are the most difficult threat to guard against. It's pretty easy to understand the threat that disk failure represents and what to do about it (although surprisingly few people even address this threat). The threat of viruses is really no different; lost concentration or a zero-day attack can give you the same kind of problem a lost hard drive can. There are no "cures" for the virus problem. One just has to take protective steps with anti-virus software and use common sense when dealing with unknown files and Web links.



Summary

While viruses are a serious threat, there are other, probably more serious, threats to your data.

If you have not taken precautions (e.g., regular backup) against general threats you have not properly protected your computer.



Good Viruses



The general consensus is that there are none.

By definition, viruses do not have to do something bad. An early (and current) virus researcher, Fred Cohen, has argued that good computer viruses are a serious possibility. In fact, he has offered a reward of $1,000 for the first clearly useful virus; but, he hasn't paid yet.

Most researchers, however, take the other side and argue that the use of self-replicating programs is never necessary; the task that needs to be performed can just as easily be done without the replication function.

Vesselin Bontchev has written a paper originally delivered at the 1994 EICAR conference, titled Are "Good" Computer Viruses Still a Bad Idea?. The paper covers all aspects of the topic. As of this writing, the paper is available at:

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip

Lest you think others have not been thinking about this, here are some of the proposals (from the above-referenced paper) for a good virus that have not worked out:

The "Anti-Virus" Virus. Several people have had the idea to develop an "anti-virus" virus; a virus which would be able to locate other (presumably malicious) computer viruses and remove them.

The "File Compressor" Virus. This is one of the oldest ideas for "beneficial" viruses. The idea consists of creating a self-replicating program, which will compress the files it infects, before attaching itself to them.

The "Disk Encryptor" Virus. This virus has been published. The idea is to write a boot sector virus, which encrypts the disks it infects with a strong encryption algorithm (IDEA in this particular case) and a user-supplied password to ensure the privacy of the user's data.

The "Maintenance" Virus. The idea consists of a self-contained program, which spawns copies of itself across the different machines in a network (thus acting more like a worm) and performing some maintenance tasks on those machines (like deleting temporary files).

All of the above viruses fail one or more of the standard measures typically used to judge if a virus is "good" or not. These are (again, from the above-referenced paper):

Technical Reasons

Lack of Control. Once released, the person who has released a computer virus has no control on how this virus will spread.

Recognition Difficulty. In general it is not always possible to distinguish between a virus and a non-virus program. There is no reason to think that distinguishing between "good" and "bad" viruses will be much easier. Many people are relying on generic anti-virus defenses (e.g., activity monitoring and/or integrity checking) which will trigger a response to changes.

Resource Wasting. A computer virus eats up disk space, CPU time, and memory resources during its replication.

Bug Containment. A computer virus can easily escape a controlled environment.

Compatibility Problems. A computer virus that attaches itself to user programs would disable several programs on the market that perform a checksum on themselves at runtime.

Ethical and Legal Reasons

Unauthorized Data Modification. It is usually considered unethical to modify other people's data without their authorization. In many countries this is also illegal.

Copyright and Ownership Problems. In many cases, modifying a particular program could mean that copyright, ownership, or at least technical support rights for this program are voided.

Possible Misuse. An attacker could use a "good" virus as a means of transportation to penetrate a system.

Responsibility. Declaring some viruses as "good" and "beneficial" would just provide an excuse to the crowd of irresponsible virus writers to condone their activities and to claim that they are actually doing some kind of "research."

Psychological Reasons

Trust Problems. Users like to think that they have full control on what is happening in their machine.

Negative Common Meaning. For most people, the word "computer virus" is already loaded with negative meaning.



Summary

While frequently discussed, the general consensus is that there is no task that requires a virus.



Why Do People Write Viruses?



There are many reasons from simple boredom to criminal activity for making money.



Back in the dim mists of time, most virus writers were people who just wanted to test the system and push the envelope. They delighted in finding a way to insert their code into places where others might not find it and held contests of sorts to see who could do what the fastest during various conferences.

Another common reason for writing viruses was to "punish" users for some perceived infraction. The Brain virus, for example, was said to have been written to punish users of illegal copies of software (software pirates). Users could become legitimate by contacting Brain Computer Services for help.

The early virus writer Dark Avenger, in an interview with Sarah Gordon, put it this way:

The innocent users would be much less affected if they bought all the software they used (and from an authorized dealer) and if they used it in the way they are allowed to by the license agreement. If somebody instead of working plays pirated computer games all day long, then it's quite likely that at some point they will get a virus. ... Besides, viruses would spread much less if the 'innocent users' did not steal software, and if they worked a bit more at the workplace, instead of playing games.

With the advent of virus writing kits more people entered into the picture. These were largely the bored who had too much time on their hands and decided to spend it making and distributing viruses just for the heck of it. Many of these people could not actually program one if they had to; they just used the kits and put in different parameters and then sent whatever came out on their way in the hope of getting their name ("handle" actually -- a person's true name on a virus caused them great problems) mentioned somewhere.

This sort of activity expanded as the virus and worm and Trojan world expanded and script worms became common. Indeed, the term "script kiddie" was more or less coined during this time to indicate someone who would just take an existing script worm, modify a small part of it, and then release that as a "new" worm.

As spyware and adware started to appear motives started to change. Money started to enter into the picture.

First came botnets: networks of worms/viruses or Trojans designed to sit on a system and wait for a central command to do something, maybe crash the system(s) they were installed on. Then, the botnets evolved; or, at least, their purpose evolved. The botnet creators realized that they could use the botnets to make the infected computers send out spam. Since spammers would pay to send out spam, money started to enter into the equation. The botnets were sending out messages based on the address lists stored on the infected users' computers, so the spammers had an automatic source of valid E-mail addresses and a possible way to get through blacklists: they could put the infected user's return address on the E-mail, and the receiver might very well have that user whitelisted. So, the spammer got what they wanted and the botnet creators started to get paid.

Once money came into the game, however, so did crime. Trojans were developed to quickly infect users and then sent out in the spam so the new users would not only get spam but, if they responded, would be infected by the Trojan as well. Scripts and Windows/Internet Explorer holes made this form of malware even easier to send to and infect others who might not have updated their computer system recently. The use of social engineering to make these messages appear "real" increased, so the clickthroughs increased.

The malware sent evolved as well. Newer malware tended toward collecting information from systems instead of crashing them or destroying data. This stolen data became even more valuable to criminals than just the fact that spam was getting through. Identity theft based on the stolen information increased as the attacks became more targeted.

Some of this malware is designed to target specific banks in specific countries and is quite professional looking. And, it's not limited to crimes of identity theft for banking purposes; some malware targets the massively multiplayer on-line games. Why target games? Because once you steal someone's credentials in such a game you can pretend to be that person and sell virtual items to other players. The games have become so popular that virtual items are going for large prices (a virtual space station went for $100,000 if you can believe that). Of course, the person doing the buying is getting scammed and the person whose credentials have been stolen gets the blame. The criminal, meanwhile, walks with the money.

Rootkit installation to do the data collection is one of the newer threats and promises to increase the revenue of the criminal groups behind some of the latest attacks.

Peer-to-peer networking is also a target as that allows massive data to be moved. Criminals need to do that efficiently and anonymously and that's exactly what P2P networks do.

Summary

The first malware came from people who basically wanted to push the envelope with the system at hand.

Later malware came from so-called script kiddies who took advantage of other people's work in order to flood cyberspace with their creations.

Botnets were created and their potential to raise money brought other elements into the malware game.

Eventually, criminal groups started to generate the malware in order to make more money for their activities and can be expected to continue for the purpose of moving information.



Hardware Threats



Hardware is a common cause of data problems. Power can fail, electronics age, add-in boards can be installed wrong, you can mistype, there are accidents of all kinds, a repair technician can actually cause problems, and magnets you don't know are there can damage disks.

Hardware problems are all too common. We all know that when a PC or disk gets old, it might start acting erratically and damage some data before it totally dies. Unfortunately, hardware errors frequently damage data on even young PCs and disks. Here are some examples.

Power Faults

Your PC is busy writing data to the disk and the lights go out! "Arghhhh!" Is everything OK? Maybe so, maybe not; it's vital to know for sure if anything was damaged.

Other power problems of a similar nature would include brownouts, voltage spikes, and frequency shifts. All can cause data problems, particularly if they occur when data is being written to disk (data in memory generally does not get corrupted by power problems; it just gets erased if the problems are serious enough).

Brownout: Lower voltages at electrical outlets. Usually they are caused by an extraordinary drain on the power system. Frequently you will see a brownout during a heat wave when more people than normal have air conditioners on full. Sometimes these power shortages will be "rolling" across the area giving everyone a temporary brownout. Maybe you'll get yours just as that important file is being written to disk.

Voltage Spikes: Temporary voltage increases are fairly common. Large motors or circuit breakers in industry can put them on the electrical line. Sudden losses (e.g., a driver hits a power pole) can cause spikes as the circuits balance. An appliance in your home can cause a spike, particularly with older wiring. Lightning can put large spikes on power lines. And, the list goes on. In addition to current backups and integrity information for your software and data files, including a hardware voltage spike protection device between the wall and your computer hardware (don't forget the printer and monitor) can be very helpful.

Frequency Shifts: While infrequent, if the line frequency varies from the normal 60 Hertz (or 50 Hertz in some countries), the power supply on the computer can be affected and this, in turn, can reflect back into the computer causing data loss.

Solution: Consider a combined surge protector and uninterruptible power supply.

Age

It's not magic; as computers age they tend to fail more often. Electronic components are stressed over time as they heat up and cool down. Mechanical components simply wear out. Some of these failures will be dramatic; something will just stop working. Some, however, can be slow and not obvious. Regrettably, it's not a question of "if", but "when" in regard to equipment failure.

Solution: Keep an eye on the specials after three to five years.



Incompatibilities

You can have hardware problems on a perfectly healthy PC if you have devices installed that do not properly share interrupts. Sometimes problems are immediately obvious, other times they are subtle and depend upon certain events to happen at just the wrong time, then suddenly strange things happen! (Software can do this too!)

Solution: Make a really good backup before installing anything (hardware or software) so you can revert the system back to a stable state should something crop up.

Finger Faults

(Typos and "OOPS! I didn't mean to do that!")

These are an all too frequent cause of data corruption. This commonly happens when you are intending to delete or replace one file but actually get another. By using wild cards, you may experience a really "wild" time. "Hmmm I thought I deleted all the *.BAK files; but they're still here; something was deleted; what was it? Or was I in the other directory?" Of course if you're a programmer or if you use sophisticated tools like a sector editor, then your fingers can really get you into trouble!

Another finger fault problem arises with touchpads below the space bar on notebook computers. It's very easy to brush the touchpad when you are typing away and suddenly find yourself entering characters in a screen location very different from where you were before you touched the pad.

Solution: Be careful and look up now and again to make certain your cursor is where you want it.

Malicious or Careless Damage

Someone may accidentally or deliberately delete or change a file on your PC when you're not around. If you don't keep your PC locked in a safe, then this is a risk. Who knows what was changed or deleted? Wouldn't it be nice to know if anything changed over the weekend? Most of this type of damage is done unintentionally by someone you probably know. This person didn't mean to cause trouble; they simply didn't know what they were doing when they used your PC.

Solution: Never run the computer as an administrative user and have guest accounts available for others who use the computer. Keep up-to-date backups as well.

Typhoid Mary

One possible source for computer infections is the Customer Engineer (CE), or repairman. When a CE comes for a service call, they will almost always run a diagnostic program from diskette. It's very easy for these diskettes to become infected and spread the infection to your computer. Sales representatives showing demonstrations via floppy disks are also possibly spreading viruses. Always check your system after other people have placed their floppy disk into it. (Better yet, if you can, check their disk with up-to-date anti-virus software before anything is run.)

Solution: Insist on testing their disk before use or make certain they've used an up-to-date anti-virus before coming to your location.

Magnetic Zaps

Computer data is generally stored as a series of magnetic changes on disks. While hard disks are generally safe from most magnetic threats because they are encased within the computer compartment, floppy disks are highly vulnerable to magnets. The obvious threat would be to post a floppy disk to the refrigerator with a magnet; but there are many other, more subtle, threats.

Some of the more subtle sources of magnetism include:

Computer Monitor. Don't put floppy disks anywhere near the monitor; it generates a magnetic field.

Telephone. When ringing, telephones (particularly older phones with a bell) generate a magnetic field.

Bottom Desk Drawer. While the desk drawer does not generate a magnetic field, the vacuum cleaner that the maintenance people slide under the desk to clean the floor does.

Bottom Bookcase Shelf and File Cabinet Drawer. Same comment as the desk drawer just above.

Pets. Pet fur generates a strong electrostatic charge which, if discharged through a disk, can affect files on the disk. Instead of "The dog ate my homework," today it could just as easily be: "The cat sat on my homework." (I once had a student where this exact problem happened; a cat sat on her floppy disk and static wiped out the data on the disk.)

Solution: Stay away from magnets or sources of static of all kinds when working with a computer.

Bottom line: There are tools to assist in recovery from disk problems, but how do you know all the data is OK? These tools do not always recover good copies of the original files. Active action on your part before disaster strikes is your best defense. It's best to have a good, current backup and, for better protection, a complete up-to-date integrity-check map of everything on your disk.



Summary

There are many different kinds of hardware threats to your data. Some include:

• Power faults

• Age

• Equipment incompatibilities

• Typos

• Accidental or deliberate damage

• The Customer Engineer or friendly salesperson

• Problems with magnets and/or sources of static electricity

Active action on your part can help you identify problems and, perhaps, head them off early.

Software Threats

Software interactions are a significant source of problems, but these are inadvertent. Software attacks are deliberate and can also be significant.



Software threats can be general problems or an attack by one or more types of malicious programs.



Software Problems

This category accounts for more damage to programs and data than any other. We're talking about non-malicious software problems here, not viruses. Software conflicts, by themselves, are much more likely threats to your PC than virus attacks (unless you do something like click on a link you should not have or install unknown/cracked software).

We run our PCs today in a complex environment. There are many resident programs (e.g., anti-virus, video drivers) running simultaneously with various versions of Windows, DOS, BIOS, and device drivers. All these programs execute at the same time, share data, and are vulnerable to unforeseen interactions between each other. Naturally, this means that there may be some subtle bugs waiting to "byte" us. Any time a program goes haywire, there's the risk it may damage information on disk.

There's the further problem that not all programs do what we hope they will. If you have just undeleted a file, you don't really know if all the correct clusters were placed back in the right order. When SCANDISK or CHKDSK "fixes" your disk for you, you have no way of knowing exactly what files it changed to do its job. It becomes even more complex if you use other utilities to do similar tasks.

Software problems happen and can be very serious if you have not taken appropriate action in advance of the problem.

Software Attacks

These are programs written deliberately to vandalize someone's computer or to use that computer in an unauthorized way. There are many forms of malicious software; sometimes the media refers to all malicious software as viruses. This is not correct and it's important to understand the distinction between the various types as it has some bearing on how you react to the attack. The discussions that follow attempt to make clear distinctions between malicious software types. Realize that often a malicious program may have characteristics of more than one of these types (e.g., a virus that attacks files but also spreads itself across a network). Don't get wrapped up in the semantics, just try to understand the major differences.

In addition to viruses, the main thrust of this tutorial, there are:

Logic Bombs. Just like a real bomb, a logic bomb will lie dormant until triggered by some event.

Trojans. These are named after the Trojan horse, which delivered Greek soldiers into the city of Troy.

Worms. A worm is a self-reproducing program that does not infect other programs as a virus will, but instead creates copies of itself, that create even more copies.

Finally, a type of malicious software that could be classified under Trojan but we've put on a page of its own as a special case:

Virus Droppers. A dropper is a program that, when run, will attempt to install a regular virus onto your hard disk.



Summary

Non-malicious software problems can cause significant trouble, and one should always know their computer's exact configuration to be prepared.

Malicious software falls into several general categories:

Logic bombs

Trojans

Worms

Viruses



Logic Bombs



A logic bomb will lie dormant until triggered by some event.



Just like a real bomb, a logic bomb will lie dormant until triggered by some event. The trigger can be a specific date, the number of times executed, a random number, or even a specific event such as deletion of an employee's payroll record.

When the logic bomb is triggered, it will usually do something unpleasant. This can range from changing a random byte of data somewhere on your disk to making the entire disk unreadable. Changing random data may be the most insidious attack since it generally causes substantial damage before anyone notices that something is wrong. It's vital to have software in place that quickly detects such damage.

Although you can detect it after the fact, there is unfortunately no way to prevent a well-written logic bomb from damaging your system. This is one reason (among many) that having good backups of important data is so important.
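The text recommends an up-to-date integrity-check map of the disk (see the "Bottom line" under Magnetic Zaps) and software that quickly detects the damage a logic bomb does. As an added example that is not Computer Knowledge's own tool, the script below records the size and SHA-256 hash of every file under a directory, then reports what was added, removed or changed since the baseline, catching even a one-byte change that leaves the file size unchanged. The file names and contents in the demo are constructed.

```python
"""Integrity-check map: hash every file under a directory and report
what changed since the baseline was taken.  Added example, not Computer
Knowledge's own tool; the file names and contents in demo() are constructed."""
import hashlib
import os
import tempfile


def build_map(root):
    """Walk `root` and return {relative_path: (size_in_bytes, sha256_hex)}."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = (os.path.getsize(full), digest.hexdigest())
    return result


def compare_maps(baseline, current):
    """Return sorted lists of paths that were added, removed or modified.
    A file counts as modified when either its size or its hash differs,
    so a change that keeps the size constant is still caught."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(path for path in set(baseline) & set(current)
                      if baseline[path] != current[path])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, simulate damage done while
    nobody was watching, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/report.exe": b"MZ\x90\x00 constructed program image",
            "bin/config.sys": b"FILES=30\nBUFFERS=20\n",
            "data/payroll.dat": b"1001,SMITH,4200\n1002,JONES,3900\n",
        }
        for rel, content in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        baseline = build_map(root)

        # One byte changed inside the program (size unchanged), one data
        # file deleted, and an unexpected new file dropped on the disk.
        with open(os.path.join(root, "bin", "report.exe"), "r+b") as fh:
            fh.seek(8)
            fh.write(b"X")
        os.remove(os.path.join(root, "data", "payroll.dat"))
        with open(os.path.join(root, "data", "unknown.tmp"), "wb") as fh:
            fh.write(b"constructed dropped file")

        return compare_maps(baseline, build_map(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In real use the baseline map would be saved to removable, write-protected media and compared against a fresh map on each check, since a map stored on the same disk can be altered along with the files it describes.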

If you've had someone in to do any system work on your computer (e.g., custom programming) it's particularly important that you independently verify the work was done correctly and that no trap doors or logic bombs were inserted into your systems. Work like custom programming requires programmers to have detailed access to your systems; just the kind of access someone who wanted to insert a logic bomb into your system would love to have. (This is not to say independent contractors are worse than any other person who has low-level access to your systems; it's just one obvious example.) And, with today's remote desktop built into Windows, it's even easier to give such control over to a support person at some remote software vendor's location or someone posing as such.

Some historic logic bombs include...

In 1982, the CIA was tipped to a plan to steal control system plans from a Canadian firm for use in the Trans-Siberian pipeline. They had the company insert a logic bomb which resulted in a large explosion when triggered.

In June 1992 a defense contractor employee was arrested for inserting a logic bomb into a rocket project. Supposedly his plan was to come back as a consultant and "solve" the problem for a large fee.

In February 2000 a programmer was indicted before a grand jury, accused of planting a logic bomb at Deutsche Morgan Grenfell. It was planted in 1996 and supposed to trigger in mid-2000 but was discovered before it went off.

In October 2003 a Unix administrator changed code on a server at Medco Health Solutions Inc. that was supposed to go off on his birthday in 2004. An error caused it to fail so he wrote another for the next year but it was discovered before it could go off.

In June 2006 a system administrator for UBS was charged with using a logic bomb to commit securities fraud. He was convicted.

On 29 January 2009 it was reported that a Fannie Mae contractor who had been let go managed to insert a script designed to execute on 31 January 2009 into the Fannie Mae system. Apparently, the contractor was allowed to keep his access and computer for a short time after he was notified of the termination (a major error on the part of Fannie Mae IT/security). The script, found before it executed, would have wiped clean some 4,000 servers.



Summary

A logic bomb is one reason among many for having good backups of important data.



Virus Droppers

A dropper is a program that, when run, will attempt to install a regular virus onto your hard disk.



Normally, you obtain a virus by either attempting to boot from an infected floppy disk, by running an infected file, or by loading an infected document with viral macro commands in it. There is another way you can pick up a virus: by encountering a virus dropper. These are rare, but now and again someone will attempt to be clever and try to program one.

Basically, a dropper is just what the name implies: a program designed to run and install (or "drop") a virus onto your system. The program itself is not infected nor is it a virus because it does not replicate. So, technically, a dropper should be considered a Trojan. Often, because the virus is hidden in the program code, a scanner will not detect the danger until after the virus is dropped onto your system. (It's technically possible to write a virus that also drops other viruses, and several have been tried. Most are very buggy, however.)

It's a technical point, but there is a class of dropper that only infects the computer's memory, not the disk. These are given the name injector by some virus researchers.

A dropper is a program (malware component) that has been designed to "install" some sort of malware (virus, backdoor, etc.) on a target system. The malware code can be contained within the dropper (single-stage) in such a way as to avoid detection by virus scanners, or the dropper may download the malware to the target machine once activated (two-stage).

There are two major types of droppers: those that require no user interaction and install themselves by exploiting some vulnerability in the system, and those that require user interaction, convincing the user that they are some legitimate or benign program. A dropper which installs a malware program to memory only is sometimes called an injector.



Summary

A Trojan program that installs a virus onto your system is called a dropper.

Fortunately, because of technical difficulties, droppers are hard to program and therefore rare.





Trojans



Like the horse, a Trojan program is a delivery vehicle; a program that does something undocumented and often malicious.

These malicious programs are named after the Trojan horse, which delivered soldiers into the city of Troy.



Like the horse, a Trojan program is a delivery vehicle; a program that does something undocumented which the programmer intended, but that the user would not approve of if s/he knew about it. The Trojan program appears to be a useful program of some type, but when a certain event occurs, it does something nasty and often destructive to the system.

Most of the "classic" Trojan programs were delivered to users on disks which advertised themselves as something useful. As an example, a disk that was supposed to contain AIDS information was once distributed. Unfortunately, when a program on the disk was run the user's hard disk was encrypted and rendered useless. Many newer Trojan programs make their way to you as E-mail attachments with the text in the E-mail program enticing you to run the attachment.

There have been many Trojan programs and new ones crop up every day. It's important to know and trust the source of any program you receive because most anti-virus programs can't detect new Trojans. These programs, while potentially destructive, still use common DOS/Windows commands and any attempt to trigger an alert on these commands would result in massive false alarms.

Most anti-virus programs today include Trojans as soon as they are circulating, as Trojans make up much of the malware in 2005/2006; but it may still be too late for you as it takes some time to update their databases. Trojans are, however, simple to avoid if you don't succumb to the lures of the E-mails that send them to you.

Just to give you some examples of what sort of thing to watch out for, here are some Trojan examples, some historical and some recent. Brief descriptions are given here; more detail is available in the link.

ANSI Bomb. (rare today). This sort of Trojan used the ANSI.SYS driver in DOS to remap various display and keyboard functions.

Windows Help Macros. (rare but demonstrated). The Windows HLP help file format allowed macros to be attached to help files. The macros could contain malicious code.

Social Engineering Messages. A wide variety of Trojans use social engineering to attempt to get you to run the malware associated with the message.

Double File Extensions. Windows generally comes with the display of common file extensions turned off by default. Files of the form README.TXT.EXE would show up as README.TXT but if you clicked on the file it would run as a program.

Screen Savers. Windows screen savers are basically executable code and malicious software in one can run in the background during the display.

Road Apple. A Trojan may be given a name the curious would naturally be interested in and then left where the curious can find it.

Physical Media. A Trojan could be widely distributed using physical media sent to many around the world. The subject would have to be compelling (an AIDS Trojan distributed via CD is one example that has happened).

And, many more. See Wikipedia for more examples.

Some researchers consider a virus a particular case of a Trojan horse; others believe that if a virus does not do any deliberate damage it cannot be classed as a Trojan. In common use, most people (including Computer Knowledge) use Trojan to refer to a non-replicating malicious program.



Summary

A Trojan is a delivery vehicle.

The Trojan can carry a malicious payload or drop other malicious software onto your system.

Trojans often are delivered using social engineering methods.



Worm

A worm is a self-reproducing program that does not infect other programs as a virus will.



A worm is a self-reproducing program that does not infect other programs as a virus will, but instead creates copies of itself, and these create even more copies.

Worms are usually seen on networks and on multi-processing operating systems, where the worm will create copies of itself that are also executed. Each new copy will create more copies, quickly clogging the system. Keep in mind, however, that most PCs are connected to a network (the Internet) and so are targets for worms.

The so-called ARPANET/INTERNET "virus" was actually a worm. It created copies of itself through the network, eventually bringing the network to its knees. It did not infect other programs as a virus would, but simply kept creating copies of itself that would then execute and try to spread to other machines.

Some newer macro viruses also send their infected documents over the Internet to others who then infect their systems and spread the virus further. Some have classed these as worms. However, because these programs require a host in order to spread (even though they send themselves and the host over a network) Computer Knowledge (and most anti-virus researchers) puts these beasts into the virus category. But, you can see where distinctions between categories can get blurred.

The newer script worms don't help clarify the classification issue. Many of these are sent as a VisualBasic Script (VBS) file attached to an E-mail message. If you click on the attachment to open it the script runs and will often send the script to addresses in your E-mail address book; thus spreading itself. Technically, these would be worms but are often called viruses.

Bottom line: Don't really try to make a firm distinction between a worm and a virus. You'll just get frustrated. Call it a virus and be done with it but understand, deep down, that it just might be a worm.



Summary

A worm is a self-reproducing program.

They usually spread via networks, but remember that most PCs are connected to a network (the Internet).



New Thesis

o Computer Virus Basics

o What Computer Viruses Infect

o Types of Computer Viruses

o Ways to Catch a Computer Virus

o Symptoms of a Computer Virus

o If You Get a Computer Virus

o Safe Computing Practices



This tutorial provides basic information about computer viruses. It explains what viruses are, what they infect, types of viruses, and ways to catch a virus. Information about symptoms of a virus, what to do if you get a virus, and safe computing practices is given.



Computer Virus Basics

A computer virus is created when a programmer creates computer code that has the capability to replicate itself, hide, watch for a certain event to occur, and/or deliver a destructive or prankish payload on a disk or in a computer program. Viruses can attach themselves to just about any type of file and are spread as infected files are used by other computers. Some viruses are relatively harmless, while others are very devastating. They can destroy files, software, program applications, and cause the loss of data.

New computer viruses are constantly being created by malicious programmers. Because of this, it is vital to keep anti-virus software on computers up-to-date. Some anti-virus software programs allow users to set them to silently check for updates whenever users are connected to the Internet. Others remind users to periodically check for updates.

Worms and Trojans are closely related to viruses. A worm makes copies of itself on a computer, rather than infecting other files like viruses. A Trojan is a program that secretly installs itself on a computer and opens a back door to the computer so that malicious attacks can be remotely controlled. The actual Trojan is usually not damaging at first, but it is usually accompanied by other damaging programs.

To protect your home computer against computer viruses, worms, and trojans, you should invest in anti-virus software, such as the software offered by Norton or McAfee. You should also make sure it stays up-to-date. Virus protection software on school computers is regularly updated by the school system network technicians.

What Computer Viruses Infect

Viruses can enter computers in many ways. Once a virus has entered a system, it will generally hide until it is unknowingly run by the user. A virus will not act until it has been run or some pre-established condition has been met, such as a specific date. The effects of a virus may not be noticed for some time after it has infected a computer.

Viruses can infect several components of a computer's operating and file system including:

• System Sectors/Boot Records - Viruses can infect the parts of the system that are used to run programs and perform functions such as start up and shut down.

• Files - Viruses can infect program files. These viruses stick to program files such as .com, .exe, .sys, etc. Some viruses hide in the memory of the computer at first, while others simply attack a specific software program, such as Microsoft Word.

• Companion Files - Viruses can create companion files, a special type of file added to the hard disk that runs when the user intends to run the original program.

• Macros - Viruses can infect macro or data files.

• Disk Clusters - Viruses can infect files through the disk directory.

• Batch Files - Viruses can use batch files to infect a computer.

• Source Code - Viruses can be in additional code that is added to actual program source code.

• Visual Basic Worms - These worms use the Visual Basic programming language to control a computer and perform tasks.

Types of Computer Viruses

Viruses are categorized by how they infect computers. Some viruses fall into more than one of these categories.

Types of viruses include:

• Polymorphic Viruses - Polymorphic viruses change characteristics as they infect a computer.

• Stealth Viruses - Stealth viruses actively try to hide themselves from anti-virus and system software.

• Fast and Slow Infectors - Fast and Slow viruses infect a computer in a particular way to try to avoid being detected by anti-virus software.

• Sparse Infectors - Sparse Infectors don't infect very often.

• Armored Viruses - Armored viruses are programmed to make eradication difficult.

• Multipartite Viruses - Multipartite Viruses are viruses that may fall into more than one of these categories.

• Cavity (Spacefiller) Viruses - Cavity (Spacefiller) viruses attempt to maintain a constant file size when infecting a computer in order to try to avoid detection.

• Tunneling Viruses - Tunneling viruses try to "tunnel" under anti-virus software while infecting.

• Camouflage Viruses - Camouflage viruses attempt to appear as a benign program.

• Virus Droppers - Virus Droppers are a special category of programs that place viruses on computers but are not by themselves an actual virus.

Ways to Catch a Computer Virus

There are several ways to catch a computer virus:

• From Floppy Disks - Be very careful about putting a floppy disk that has been in another computer in your computer, even if it is from a trusted source.

• From the Internet - Viruses can be attached to various types of Internet files, such as graphics and program files that people download from the Internet. Just browsing the Internet does not put your computer at risk. You have to download and install a file for a virus to be able to infect a computer.

• From E-Mail - Viruses often travel via e-mail attachments. E-mail messages by themselves do not carry viruses. Only .exe, .com or other types of executable files can carry a virus.

• From a Computer Network - Computer Networks are groups of computers linked together by a large computer called a server. The server and these computers constantly share information. If one file that is used by several network users becomes infected with a virus, the virus will quickly spread to the other users.

Symptoms of a Computer Virus

The following are some possible indications that a computer has been infected by a virus. These problems can also be caused by non-virus problems, but they are the most reported symptoms of a computer virus infection.

• Computer programs take longer to load than normal.

• The computer's hard drive constantly runs out of free space.

• The floppy disk drive or hard drive runs when you are not using it.

• New files keep appearing on the system and you don't know where they came from.

• Strange sounds or beeping noises come from the computer or keyboard.

• Strange graphics are displayed on your computer monitor.

• Files have strange names you don't recognize.

• You are unable to access the hard drive when booting from the floppy drive.

• Program sizes keep changing.

• Conventional memory is less than it used to be and you can't explain it.

• Programs act erratically.

If You Get a Computer Virus

At school:

• If you are on a school computer, contact your school tech leader or submit a request to computer support immediately.

At home:

• If you do not have an anti-virus program, get one immediately. Many anti-virus programs can be downloaded from the Internet.

• Install the latest virus updates available for your anti-virus software. (Generally, you can get these updates at the anti-virus program web site.) Then run the anti-virus software to identify the virus. Most software will ask users to choose whether to clean the virus, delete the file, or ignore it when a virus is found.

• After getting rid of a virus, run your anti-virus software again to make sure the virus has been eradicated.

• Find an Internet web site that contains descriptions of viruses and search for information about the virus you have found on your computer.

• If you get an e-mail virus, contact everyone in your address book and tell them to be on the lookout for suspicious e-mails and attachments. Do not send any e-mails until you are sure the virus has been cleaned from your computer.

Safe Computing Practices

There are several things you can do to help protect your computer against viruses:

• Anti-Virus Software - If you don't have an anti-virus software program, invest in one.

• Scan Your Computer on a Regular Basis - Scan your system with anti-virus software regularly.

• Update Your Anti-Virus Software on a Regular Basis - Keep your anti-virus software up to date. Do this at least weekly and more often if there are news reports of a new virus threat.

• Backup - Back up your files on a regular basis. Always maintain copies of files you can't do without, just in case your computer gets infected and crashes.

• Turn off E-Mail Preview - Turn off the preview function if your e-mail software has one.

• Scan Floppy Disks - Scan floppy disks from other computers with anti-virus software before you use the disk. Simply place the disk in your floppy drive and run the anti-virus software program. If a virus is found, most programs will give you several choices about what to do, such as removing the virus, doing nothing, or deleting the file that contains the virus.

• Protect Your Floppy Disks - Write-protect any floppy disk you place into another computer. If the other computer has a boot sector virus, the write-protect on the disk will prevent it from becoming infected with the virus.

• Scan Downloaded Files - Scan downloaded Internet files with anti-virus software before you use or run them.

• Scan All E-Mail Attachments - If you receive an attachment you need to view, scan it with anti-virus software before you open it.

• Beware of E-Mail Attachments from Unknown Sources - If you receive an unexpected attachment from an unknown source, delete it. Never open attachments for files that end in .vbs (Visual Basic Script) or .js (JavaScript). Viruses often travel in these types of files.

• Be Alert - Pay attention to news about virus alerts. You might want to subscribe to a virus alert e-mail notice from one of the anti-virus software makers.
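The double-extension trick described in the Trojan examples (README.TXT.EXE shown as README.TXT) and the .vbs/.js attachment warning above can both be checked mechanically. As an added example that is not the tutorial's own code, the script below reproduces what Windows displays when known extensions are hidden and flags attachment names whose real, final extension is executable. The extension sets are an assumption drawn from the file types the text mentions, and the sample names are constructed.

```python
"""Flag attachment names that rely on hidden file extensions.  Added
example, not the tutorial's own code; sample names are constructed and the
extension sets are an assumption drawn from the types the text mentions."""
import os

# Extensions Windows runs as programs or scripts when double-clicked.
EXECUTABLE = {".exe", ".com", ".bat", ".scr", ".vbs", ".js"}
# Extensions a user reads as harmless data.
DOCUMENT = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".htm", ".html"}


def displayed_name(filename):
    """Name as shown with "hide extensions for known file types" enabled:
    the final known extension disappears, so README.TXT.EXE reads README.TXT."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE | DOCUMENT else filename


def classify(filename):
    """Return a short reason the name is suspicious, or None if it is not."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in EXECUTABLE:
        return None                      # data file: nothing to run
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext in DOCUMENT:
        return ("double extension: shown as %s but runs as %s"
                % (displayed_name(filename), ext))
    if ext in {".vbs", ".js"}:
        return "script attachment (%s)" % ext
    if ext == ".scr":
        return "screen saver is executable code"
    return "executable attachment (%s)" % ext


def scan_attachments(names):
    """Return {name: reason} for every suspicious name in `names`."""
    findings = {}
    for name in names:
        reason = classify(name)
        if reason:
            findings[name] = reason
    return findings


# Constructed attachment names from a made-up mailbox.
SAMPLE = ["README.TXT.EXE", "invoice.pdf", "holiday_pics.jpg.scr",
          "notes.doc", "update.vbs", "menu.js", "setup.exe"]

if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE).items():
        print("%-22s shown as %-16s %s" % (name, displayed_name(name), reason))
```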
