Monday, March 19, 2007

How Viruses Work

There are tens of thousands of viruses out there, and new ones are discovered every day. It is difficult to come up with a generic explanation of how viruses work, since they all have variations in the way they infect or the way they spread. So instead, we’ve taken some broad categories that are commonly used to describe various types of virus.

Basic Types of Viruses (How They Work)
File Viruses (Parasitic Viruses)
File viruses are pieces of code that attach themselves to executable files, driver files or compressed files, and are activated when the host program is run. After activation, the virus may spread itself by attaching itself to other programs in the system, and also carry out the malevolent activity it was programmed for. Most file viruses spread by loading themselves into system memory and looking for other programs located on the drive. If the virus finds one, it modifies the program’s code so that the program contains and activates the virus the next time it is run. It keeps doing this over and over until it spreads across the system, and possibly to other systems with which the infected program is shared.
Besides spreading themselves, these viruses also carry some type of destructive constituent that can be activated immediately or by a particular ‘trigger’. The trigger could be a specific date, or the number of times the virus has been replicated, or anything equally trivial. Some examples of file viruses are Randex, Meve and MrKlunky.
Boot Sector Viruses
A boot sector virus affects the boot sector of a hard disk, which is a critical part of the disk. The boot sector is where the information about the drive’s layout is stored, along with a small program that makes it possible for the operating system to boot up. By inserting its code into the boot sector, a virus guarantees that it loads into memory during every boot sequence. A boot virus does not affect files; instead, it affects the disks that contain them. Perhaps this is the reason for their downfall. During the days when programs were carried around on floppies, boot sector viruses spread like wildfire. However, with the CD-ROM revolution, it became impossible to infect pre-written data on a CD, which eventually stopped such viruses from spreading. Though boot viruses still exist, they are rare compared to new-age malicious software. Another reason why they are not so prevalent is that operating systems today protect the boot sector, which makes it difficult for them to thrive. Examples of boot viruses are Polyboot.B and AntiEXE.
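Because a boot sector virus has to overwrite the bootstrap code described above, the defender’s check is to baseline that code and compare it on every read. The following is an added example (not from the original post) that splits a 512-byte MBR into its bootstrap code, partition table and 0x55AA signature, and reports when the code differs from a trusted hash; the sample sector it builds is constructed for illustration, not taken from a real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap program lives in bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 mark a valid boot sector


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes),
        # LBA of first sector (u32 LE), sector count (u32 LE)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:  # type 0x00 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_boot_sector(sector: bytes, baseline_sha256: str) -> list:
    """Compare a freshly read MBR with a trusted baseline hash; empty list means unchanged."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible boot sector infection)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is marked bootable")
    return findings


def build_sample_sector() -> bytes:
    """Constructed sample MBR (not a real disk): tiny code stub plus one NTFS-type partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0".ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1000000)
    table = entry + b"\x00" * 48          # remaining three slots unused
    return boot_code + table + BOOT_SIGNATURE
```

On a live machine the same 512 bytes are read from the raw disk device (for example /dev/sda on Linux), which requires administrative privileges; record the baseline hash on a known-clean system and keep it off the disk being checked.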

Multipartite Viruses
Multipartite viruses are a combination of boot sector viruses and file viruses. These viruses come in through infected media and reside in memory. They then move on to the boot sector of the hard drive. From there, the virus infects executable files on the hard drive and spreads across the system.
There aren’t too many multipartite viruses in existence today, but in their heyday they caused some major problems due to their capacity to combine different infection techniques. One well-known multipartite virus is Ywinz.
Macro Viruses
Macro viruses infect files that are created using certain applications or programs that contain macros. These include Microsoft Office documents such as Word documents, Excel spreadsheets, PowerPoint presentations, Access databases, and other similar application files such as Corel Draw, AmiPro, etc. Since macro viruses are written in the language of the application, and not in that of the operating system, they are known to be platform-independent—they can spread between Windows, Mac, and any other system, so long as it is running the required application. With the ever-increasing capabilities of macro languages in applications, and the possibility of infections spreading over networks, these viruses are major threats.
The first macro virus was written for Microsoft Word and was discovered back in August 1995. Today, there are thousands of macro viruses in existence—some examples are Relax, Melissa.A and Bablas.
Network Viruses
This kind of virus is capable of spreading quickly across a Local Area Network (LAN) or even over the Internet. Usually, it propagates through shared resources, such as shared drives and folders. Once it infects a new system, it looks for potential targets by searching the network for other vulnerable systems. Once a new vulnerable system is found, the network virus infects it, and thus spreads over the network. Some of the most notorious network viruses are Nimda and SQL Slammer.
E-mail Viruses
An e-mail virus could be a form of macro virus that spreads itself to all the contacts in the host’s e-mail address book. If any of the e-mail recipients open the attachment of the infected mail, it spreads to the new host’s address book contacts, and then proceeds to send itself to all those contacts as well. These days, e-mail viruses can infect hosts even if the infected e-mail is merely previewed in a mail client. One of the most common and destructive e-mail viruses is the ILOVEYOU virus.
There are many ways in which a virus can infect or stay dormant on your PC. However, whether active or dormant, it’s dangerous to let one loose on your system, and should be dealt with immediately.

Other Malicious Software
Earlier, the only way a computer was at risk was when you inserted an infected floppy. In the new age of technology, every computer is interconnected to the rest of the world at some point or the other, so it’s difficult to pinpoint the source and/or time of an infection. As if that weren’t bad enough, new-age computing has also brought about a new breed of malicious software. Today, the term ‘virus’ has become a generic term for all the different ways in which your computer can be attacked by malicious software. Besides the types of viruses we mentioned, here’s a look at some of the newer problems we face today.
Trojan Horses
The biggest difference between a Trojan horse—or Trojan—and a virus is that Trojans don’t spread themselves. Trojan horses disguise themselves as useful software available for download on the Internet, and naïve users download and run them only to realise their mistake later.
A Trojan horse is usually divided into two parts—a server and a client. It’s the client that is cunningly disguised as important software and placed in peer-to-peer file sharing networks or on unofficial download sites. Once the client runs on your system, the attacker—the person running the server—has a high level of control over your system, which can lead to devastating effects depending on the attacker’s intentions. Trojan horses have evolved to a tremendous level of sophistication, which makes each one significantly different from the others.
We have categorized them roughly into the following:
Remote Access Trojans
These are the most commonly available Trojans. They give an attacker complete control over the victim’s computer. The attacker can go through the files and access any personal information about the user that may be stored in them, such as credit card numbers, passwords, and important financial documents.
Password-sending Trojans
The purpose of such Trojans is to copy all cached passwords, look for other passwords as you enter them, and send them to a specific e-mail address without the user’s knowledge. Passwords for restricted Web sites, messaging services, FTP services and e-mail services come under direct threat from this kind of Trojan.
Keyloggers
These log the victim’s keystrokes and then send the logs to the attacker. The attacker then searches the log files for passwords or other sensitive data. Most of them offer two modes of operation, online and offline recording. Of course, they can be configured to send the log file to a specific e-mail address on a daily basis.

Destructive
The only function of these Trojans is to destroy and delete files. They can automatically delete all the core system files on your machine. The Trojan could be controlled by the attacker or could be programmed to strike like a logic bomb, starting on a specific day or at a specific hour.
Denial of Service (DoS) Attack Trojans
The main idea behind this kind of Trojan is to generate a lot of Net traffic on the victim’s machine, to the extent that the Internet connection is too overloaded to let the user visit a Web site or download anything. Another variation of a DoS Trojan is the mail-bomb Trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail addresses with random subjects and contents that cannot be filtered.
Proxy/Wingate Trojans
These types of Trojan turn the victim’s computer into a proxy/wingate server. That way, the infected computer is available to the whole world to be used for anonymous access to various risky Internet services. The attacker can register domains or access pornographic Web sites with stolen credit cards, or carry out similar illegal activities, without being traced.
FTP Trojans
These Trojans are probably the simplest, and are outdated. The only thing they do is open port 21—the port for FTP transfers—and let everyone connect to your machine. Newer versions are password-protected, so only the attacker can connect to your computer.
Software Detection Killers
These Trojans kill popular antivirus/firewall programs that protect your machine, giving the attacker access to the victim’s machine. A Trojan could have any one, or a combination, of the above-mentioned functionalities.
Worms
Computer worms are programs that reproduce and run independently, and travel across network connections. The main difference between viruses and worms is the method by which they reproduce and spread. A virus depends upon a host file or boot sector, and on the transfer of files between machines, in order to spread, while a worm can run completely independently and spread of its own accord through network connections. The security threat of worms is equivalent to that of a virus. Worms are capable of doing a whole range of damage, such as destroying essential files on your system, slowing it down to a great extent, or even causing some essential programs to crash. Two famous examples of worms are the MS-Blaster and Sasser worms.

Spyware
Spyware is the new-age term for advertising-supported software (Adware). Advertising in shareware products is a way for shareware authors to make money, other than by selling it to the user. There are several large media companies that offer to place banner ads in their products in exchange for a portion of the revenue from banner sales. If the user finds the banners annoying, there is usually an option to get rid of them by paying the licensing fee.
Unfortunately, the advertising companies often also install additional tracking software on your system, which is continuously using your Internet connection to send statistical data back to the advertisers. While the privacy policies of the companies claim there will be no sensitive or identifying data collected from your system and that you shall remain anonymous, the fact remains that you have a server sitting on your PC that is sending information about you and your surfing habits to a remote location, using your bandwidth.
Spyware has been known to slow down computers with its semi-intensive usage of processing power, bring up annoying pop-up windows at the most inappropriate times, and change your Internet browsing settings, such as your home page or default search engine, to its own services.
Even if many do not consider this illegal, it is still a major security threat, and the fact that there’s no easy way to get rid of it makes spyware as much of a nuisance as viruses.
Logic Bombs
A logic bomb is a program which has deliberately been written or modified so that, when certain conditions are met, it produces results that are unexpected and unauthorized by the legitimate users or owners of the software. Logic bombs may reside within standalone programs, or they may be part of worms or viruses. A variation of the logic bomb is the time bomb, which ‘explodes’ at a certain time. An example of a time bomb is the infamous ‘Friday the 13th’ virus.