
Virus!

Introduction

No, this is not a course in how to write a virus. The aim is to make clear what a virus is, what its impact on society is, and something of the history of viruses.

 

Basically, a virus is a computer program that is able, with your help, to move from computer to computer by attaching itself to other documents (programs, e-mail, web pages etc.).

the Armageddon virus

To illustrate the possibility of an artificial life form cum virus, consider the following case:

"the Armageddon virus"

A rough picture of a disaster in the making.

Say we were going to construct a virus of cataclysmic proportions. What would we need to do?

First of all, hide some tens of servers, invisible to the rest of the network, accessible only to the maker and to the virus, and physically accessible to no one.

Access is gained by posting a message on a public server or newsgroup that only the virus itself can understand. At this stage the virus has none of the characteristics of a virus: it just sits there, scans the public news servers and waits for messages.

Each posted message contains a piece of code that further enhances its viral or survival capabilities.

By now you have guessed that we are building a DNA-based virus, and that the newsgroup or Usenet server serves as a repository of basic building blocks: genetic material. Our Armageddon virus will grow and prosper.

The messages contain genetic code that enables the virus to learn to understand firewalls, proxy servers and passwords, to decipher username lists, and so on, on the computer where it resides.

It learns to create a secret place for itself to hide by developing stealth techniques.

Over the next decade it sends out message bots to fetch more DNA from the public boards.

 

See? The only thing it has done so far is hide and grow more "intelligent": learning the current security tricks and the network configuration, spying on network traffic to distil usernames, passwords and the business structure, and hiding ever better from the system engineers by applying stealth techniques.

In time it learns to communicate with other Armageddon viruses via DNA-encoded messages dropped on news servers, Usenet and other publicly accessible servers by news bots that Armageddon itself generates. It does this by enriching messages that are going out anyway (a kind of piggybacking).

It leaves anonymous messages that carry no signature of any existing virus and do nothing harmful; they only take up some disk space.

Armageddon's single purpose so far is to survive, and to that end it can choose any strategy it sees fit.

And the clock is ticking...

At this stage the virus programmer(s) only code new DNA blocks and put that code in pictures, messages, discussion groups or whatever else Armageddon can see.

Armageddon will eventually send back suggestions of mutated DNA blocks to further enhance the quality of the DNA programmed by the virus builder.

Now the time has come to expand a little, unobtrusively though.

It spawns a few further generations of Armas, and the Armageddon prototypes go into hibernation to serve as base material in case of detection or of unsuccessful generations.

In some future generation, when the population or the intelligence (either one) has reached critical mass, Armageddon strikes and wipes out the entire computer population,

thus committing suicide, but only after creating some isolated pockets where it survives and waits until there is enough computer momentum to do the trick again.

This war can not be won by any human

This was just a rough sketch of what could be expected of future virus builders.

A virus attaches itself to other documents (programs, e-mail, web pages etc.) to move from computer to computer. Typically these programs are harmful rather than beneficial; even if the virus has no payload (the part of a virus that contains the code to multiply itself and/or to destroy something) it is an unwelcome visitor that takes up system resources.

A virus is not the only reason you can experience problems with your computer; for most people, hardware or software faults are far more common. This document contains a discussion of some of the most common virus types.

Several classes of code are grouped under the name "virus", but not all are viruses in the classic sense of the term. Among them are the worm, the Trojan horse and the logic bomb.

The thing to remember is that a virus moves from computer to computer by attaching itself to a document. Such a document can be an executable program, e-mail you have received, or any other piece of information that resides on your computer, including the small program in the boot sector of every floppy or hard disk, bootable or not.

For most viruses, when the program the virus is attached to is run, the viral code is loaded into memory and stays there for as long as the computer is on. In some cases it even survives a warm boot with Ctrl-Alt-Del.

To spread, a virus first attaches itself to other programs, documents with macros, e-mail or other disks as they are accessed. Then, if the circumstances are right for that particular virus, it activates and does whatever damage it was designed to do, ranging from a simple message on your screen to complete erasure of your disk, or nothing at all beyond being a nuisance.


Bootsector virus

Boot sector viruses are the classics among viruses. A boot sector virus settles itself into the boot sector of a floppy or hard disk: the specific sector where the machine looks for the code that starts the operating system, or that identifies the disk to the machine (ID). During the 80s boot sector viruses were a real pest on Amiga and Commodore 64 computers: easy to remove but a nuisance, and sometimes very virulent too. When a boot sector virus had infected your disk the machine either froze or the floppy was unusable until you removed the virus. Sometimes even the spare boot sector was overwritten, and then your data could only be salvaged with the help of a recovery program.
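The practical check against a boot sector virus is to read the first sector of the disk and compare its boot code with a copy taken when the machine was known to be clean. The following is an added example (not code from the original page): it parses a 512-byte PC master boot record, hashes the boot code, decodes the partition table and reports the things an operator would want flagged. The baseline hash, the sample sectors and the "infected" variant (a short jump over inserted code, the way a boot sector virus keeps the original loader behind its own) are all constructed here for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # boot code occupies bytes 0..445, the partition table follows
ENTRY_FORMAT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot code hash, the used partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FORMAT, entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def mbr_findings(sector: bytes, baseline_boot_hash: str) -> list:
    """Checks to run against a boot sector read from a disk.

    baseline_boot_hash is the SHA-256 of the boot code recorded while the disk
    was known to be clean (a hypothetical baseline kept by the operator).
    """
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from recorded baseline")
    active = [p for p in mbr["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


def make_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR for the demonstration (not read from a real disk)."""
    table = b"".join(struct.pack(ENTRY_FORMAT, *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


# Constructed samples. The clean prologue is the usual cli / xor ax,ax / mov ss,ax / mov sp,7C00h.
# The "infected" one begins with a short jump (EB 3A) over 58 bytes of inserted code,
# after which the original prologue follows, so the machine still boots.
CLEAN_BOOT = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
INFECTED_BOOT = b"\xEB\x3A" + b"\x90" * 58 + CLEAN_BOOT
PARTITIONS = [(0x80, 0x07, 2048, 204800)]  # one active partition of type 0x07

CLEAN_MBR = make_mbr(CLEAN_BOOT, PARTITIONS)
INFECTED_MBR = make_mbr(INFECTED_BOOT, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:", mbr_findings(CLEAN_MBR, BASELINE))
    print("infected:", mbr_findings(INFECTED_MBR, BASELINE))
```

On a real machine the sector comes from the raw device (for example the first 512 bytes of /dev/sda, read as root); the partition table is decoded as well because a virus that relocates the original loader sometimes also rewrites an entry to point at the sectors it hides in.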

 

Trojans

A Trojan is a program that presents itself as something useful or harmless while carrying hidden, unwanted functionality; unlike a virus it does not copy itself to other programs. It is often spread riding piggyback on other programs, or simply hidden inside one. The first Trojan was a fake PC-Write, a popular shareware word processor: by renaming the malicious program file to "PC-Write" the author made many users think they were downloading the word processor, when in fact they downloaded the Trojan. Tricky.


Polymorphic viruses

A polymorphic virus is a virus that changes its own appearance with every infection to elude detection: the body is typically encrypted with a varying key and preceded by a small decryptor, so no fixed byte pattern is shared between two copies even though they do exactly the same thing. Some also vary what they do or when they trigger (locking your keyboard when specific keys are pressed in a particular sequence, say, instead of wiping your hard disk). Very hard to detect with simple pattern matching.
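The mechanism, and why it defeats a pattern scanner, is easier to see in code than in prose. Below is an added example (not from the original page): a toy "polymorphic virus" whose body is a plain text string standing in for machine code, encoded with a different single-byte XOR key per generation behind a two-byte stub. A naive scanner that looks for a fixed signature finds nothing in either generation; a scanner that understands the stub (or, failing that, brute-forces the key space) still catches both. The body, signature and stub marker are all constructed for the demonstration.

```python
# Constructed stand-in for a virus body; in a real sample this would be machine code.
BODY = b"IF DAY==13 THEN OVERWRITE BOOT SECTOR; FIND *.COM; APPEND SELF"
SIGNATURE = b"OVERWRITE BOOT SECTOR"   # the byte string a scanner would match on
STUB_MARKER = 0xD0                      # first byte of the toy decryptor stub


def generate(body: bytes, key: int) -> bytes:
    """One generation: a 2-byte decryptor stub (marker + key) followed by body XOR key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255; key 0 would leave the body in clear")
    return bytes([STUB_MARKER, key]) + bytes(b ^ key for b in body)


def naive_signature_scan(sample: bytes, signature: bytes) -> bool:
    """Plain byte-pattern matching, as the earliest scanners did."""
    return signature in sample


def decrypting_scan(sample: bytes, signature: bytes) -> bool:
    """Read the key from the stub, decode, then match: what a scanner must do once
    it understands the decryptor. Real products emulate the stub instead of parsing it."""
    if len(sample) < 2 or sample[0] != STUB_MARKER:
        return False
    key = sample[1]
    return signature in bytes(b ^ key for b in sample[2:])


def brute_force_scan(encoded: bytes, signature: bytes):
    """If the stub itself is mutated and cannot be parsed, a single-byte XOR is still
    cheap to brute-force: returns the key that reveals the signature, or None."""
    for key in range(1, 256):
        if signature in bytes(b ^ key for b in encoded):
            return key
    return None


def differing_bytes(a: bytes, b: bytes) -> int:
    """How many byte positions differ between two generations of the same virus."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


if __name__ == "__main__":
    gen1, gen2 = generate(BODY, 0x41), generate(BODY, 0x9C)
    print("bytes differing between generations:", differing_bytes(gen1, gen2), "of", len(gen1))
    print("naive scan:", naive_signature_scan(gen1, SIGNATURE), naive_signature_scan(gen2, SIGNATURE))
    print("decrypting scan:", decrypting_scan(gen1, SIGNATURE), decrypting_scan(gen2, SIGNATURE))
    print("brute-forced key for generation 2:", hex(brute_force_scan(gen2[2:], SIGNATURE)))
```

Two generations share only the stub marker byte; every other byte differs. Real polymorphic engines also rewrite the decryptor itself (register renaming, junk instructions, reordered blocks), which is why scanners moved from signatures to emulating the decryptor and scanning the decrypted body in memory.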


Binary viruses

A binary virus is a virus that needs a second component before it can activate and do whatever it was designed to do; on its own, each half does nothing.

 

Macro viruses

A macro virus most often lives in the macro language of Microsoft Office documents (Word, Excel, Outlook) and works its havoc from there. The code is relatively easy to detect and to deactivate.

 

Standard Virus

In so far as one can still speak of a standard virus: contemporary viruses are hybrids that even contain their own mail engine!

A standard virus resides in memory, where its payload executes like a three-stage rocket:

More advanced viruses scour your hard disk for other programs or executables and attach themselves to any they find. Then they look for other hard disks, network disks included, and do the same thing again.

Even more advanced viruses try to attack other users' domains on the network by cracking passwords, and repeat the process there.

Some viruses specialise only in cracking firewalls, deleting files, sending hundreds of thousands of mails, stealing addresses from your mailbox and sending them to a secret recipient, or burning out your display.
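A virus that scours the disk and attaches itself to every executable leaves one reliable trace: files that were not supposed to change have changed, and usually grown. The classic defence is an integrity baseline of the executables taken on a clean system and compared later. The following is an added example (not from the original page) that builds such a baseline, compares against it and reports modified, added and removed executables with the size delta; simulate_infection() constructs a temporary directory with two stand-in "executables", patches one the way an appending infector would, and drops a new one. The file suffix list and the sample contents are assumptions made for the demonstration.

```python
import hashlib
import json
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".scr", ".sys")  # assumed set of interest


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record size and hash of every executable under root (to be taken on a known-clean system)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                baseline[rel] = {"size": os.path.getsize(path), "sha256": sha256_of(path)}
    return baseline


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Report executables that changed, appeared or vanished since the baseline.
    A file-infecting virus shows up as 'modified' with a positive size delta."""
    current = build_baseline(root)
    modified = {rel: current[rel]["size"] - baseline[rel]["size"]
                for rel in baseline
                if rel in current and current[rel]["sha256"] != baseline[rel]["sha256"]}
    return {
        "modified": modified,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def simulate_infection() -> dict:
    """Constructed demonstration: two clean 'executables', a baseline, then an
    appending infector hits one of them and a new file appears."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tools"))
        samples = {"editor.exe": b"MZ" + b"\x00" * 510,
                   "tools/zip.com": b"\xE9\x00\x00" + b"\x90" * 200}
        for rel, content in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        baseline_json = json.dumps(build_baseline(root))   # what you would store offline
        # Appending infector: patch the start of the file and tack a body on the end.
        with open(os.path.join(root, "editor.exe"), "r+b") as f:
            f.seek(2)
            f.write(b"\xE9\xFE\x01")          # jump towards the appended code
            f.seek(0, os.SEEK_END)
            f.write(b"VIRUS-BODY" * 8)        # 80 bytes of stand-in virus body
        with open(os.path.join(root, "tools", "dropped.scr"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)
        return compare_to_baseline(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(simulate_infection())
```

The baseline must be stored where the virus cannot rewrite it (a write-protected floppy in the era this page describes, a read-only share or signed file today); a resident virus that can alter the baseline alongside the executables defeats the check. A stealth virus that hides the size increase from directory listings is caught only if the hashes are computed from a clean boot.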

 

Discussion

Virus spreading patterns lately (at the time of updating this document) would suggest that MS software is extremely buggy. Yes, its security is pretty weak, as is that of other software at times. The more probable reason that few other operating systems are attacked by viruses is that over 98% of desktop machines run an MS operating system, and that programming a virus is relatively easy and can be done at home. With the tools available on the Internet or in subculture circles it takes only days to weeks to build one, even without much knowledge of networks, firewalls, disk systems, mail delivery mechanisms, password encryption, security measures and so on. People like that are often called "script kiddies".
Of course MS Windows seems to be targeted more than others, and apparently to be more insecure; but that is partly a matter of perspective.
Unix or MVS systems look more secure because protecting against intruders is one of the fundamental concerns of these systems, which is also why viruses get little chance to spread through them. Most damage is done by the human users themselves, though. It also helps that Unix and VMS systems are relatively isolated from systems that do not belong to the same company or institution.
A system programmer who set himself to it could break the security and create a widely spreading virus. It is only that few people in the 'profession' feel the urge to write such software; if they did, Unix systems and the like would be infested with as many viruses as the other operating systems on small or large machines.

Will a microcomputer virus work on other types of machine? Not many do. But considering how closely micros are connected to the "big irons", a virus can travel very well with documents shared between users over the network. End users almost always have some kind of MS Windows and PC combination on their desk, which makes them prime targets for virus-like material.

The spread of viruses is often accelerated by the behaviour of computer users; the Kournikova virus was a prime example. Exploiting human curiosity to entice users into opening mail that promises pictures or other material is something a virus protection program cannot guard against. It is not only by e-mail that viruses spread, however: the classic file infectors, macro code inside documents and add-ons to binary programs are somewhat under-represented lately in the realm of Trojans and viruses, but they are still out there!

Oh yes, there are claims that virus protection companies create viruses themselves to stay in business, rumours that during the cold war most viruses came from countries like Bulgaria and Romania, and the story that the SoBig.F virus escaped from an American cyber-warfare laboratory. Undoubtedly where there is smoke there is fire; but what is true and what is propaganda?

 

A history

In the early days of generic software (software that could be used by anyone) a program easily fitted on one or a few floppies, even the ones of 'just' 160 KB. A virus on that medium spread either as a boot sector virus or attached to executables. The Internet did not yet exist, or was not widespread, in these years (we are talking about the late 70s and early 80s), but Bulletin Board Systems were abundant, and viruses spread via these BBSs attached to programs (Trojans). They were extremely small, at least compared to contemporary viruses, and the payload was single-tasked: either overwrite a boot sector or attach to a file. No sophisticated mechanisms were present in these viruses.

Programs and their supporting files soon no longer fitted on a few floppies, and as a result viruses that spread via floppies more or less disappeared. Once you needed more than one CD to install a program, boot sector viruses were no longer an issue.

At the same time the Compact Disc (CD) became a very popular storage medium, making it virtually impossible to contaminate programs on the disc, at least as long as the software manufacturer paid attention. The Internet also grew rapidly and became a public utility of worldwide proportions in the mid 1990s. As a result of these two developments virus coders needed a new vehicle to put their stuff in the wild, and e-mail became one of the most popular means of spreading a virus. Of course viruses are still spread via floppies and via files sent through mail or shared among friends, but the hyped Internet was the prime target of many script kiddies building their thing in their bedroom. To carry an effective payload, viruses grew larger and larger, reaching around 600 KB by 2002, compared to 32 KB in the early years. Components such as a mail engine, polymorphism and binary devices are very common but result in relatively bloated viruses. So far viruses are not very intelligent; most of them exploit security holes in one particular (operating) system.

Since by their nature they must elude detection, they have to stay relatively small and thus cannot contain the kind of AI that would adapt to a changed environment or a sophisticated detection scheme, unless one designs a virus that gets its information and resources from other sources, tapping repositories as the need arises.

 

Chronology

The murky nature of coding a virus while staying clear of the police often makes it difficult to identify the makers of the originals, the first occurrence of some type of virus. A time delay built into a virus makes tracing its creator harder still. New laws that require providers to open their system log files to examination by law enforcement agencies from various countries make tracking back to the origin more feasible, and better detection techniques, analysis tools, containment methods, firewalls and so on enable system and software engineers to protect better against viral attacks. But as long as viruses can be made in one's backyard, with tools limited only by the inventiveness of their creators, the tug of war will go on forever: some days the police are on top, on others the virus wins a battle.

 

1948

Alan Turing conceives the idea of self ....

 

 

1981

Elk Cloner was one of the first viruses in the wild(10). It infected Apple II floppies; when activated it displayed a rhyme on the screen.

 

1983

Fred Cohen defines the computer virus, and in an experiment he and his colleagues demonstrate the concept during a security seminar.

 

1986

The Brain virus, the first boot sector virus for the PC, allegedly constructed by two Pakistani brothers. Brain is often dubbed the first virus of all, but in fact Cohen's experiments and the Apple II virus Elk Cloner came first.
The first Trojan was the fake PC-Write (see Trojans above).

 

1991

Michelangelo virus (a boot sector virus that triggers on 6 March)

 

1995

Concept virus (the first widespread Word macro virus)

 

1998

Back Orifice (a remote-control backdoor for Windows; often listed with viruses although it does not replicate by itself)

 

1999

Melissa (a Word macro virus that mailed itself to the first 50 addresses in the Outlook address book)

 

2000

Love Letter (the "ILOVEYOU" VBScript mail worm)

 

2001

Code Red (a worm that spread through a buffer overflow in Microsoft IIS web servers, without any e-mail)

The Kournikova worm arrived as a mail attachment: a smart way to spread a virus, enticing users to click on a supposed picture of tennis player Anna Kournikova, who was, depending on your taste, attractive enough to lure you into opening the message. Opening the attachment infected your machine with a so-called mail worm, which then used your address book to send out more mail with the Kournikova worm attached.

Even when people were warned against opening such mail or look-alikes, the mail still got opened to view the picture. The worm was not very harmful, but it spread because of a smart combination of human curiosity and virus technology.
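Curiosity cannot be patched, but the trick the Kournikova mail relied on can be checked for at the gateway: the "picture" was a Visual Basic script whose filename ended in .jpg.vbs, so the real extension was the last one. The following is an added example (not from the original page) that walks a raw mail message, collects attachment filenames and reports the reasons an attachment should be blocked: an executable or script extension, a double extension that dresses it up as a picture or document, and whitespace padding that pushes the real extension out of view. The sample message is constructed to resemble the 2001 mail; its attachment body is a harmless placeholder, not the worm, and the extension lists are assumptions for the demonstration.

```python
import re
from email import message_from_bytes

EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".pdf", ".mp3"}


def assess_filename(filename: str) -> list:
    """Reasons to block an attachment, judged from its name alone (empty list = looks fine)."""
    reasons = []
    normalised = filename.lower().strip()
    if re.search(r"\s{4,}\.", normalised):
        reasons.append("whitespace padding pushes the real extension out of view")
        normalised = re.sub(r"\s+", "", normalised)
    parts = normalised.split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment type {ext}")
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension: {ext} file disguised as .{parts[-2]}")
    return reasons


def risky_attachments(raw_message: bytes) -> dict:
    """Map every attachment filename in a raw RFC 822 message to its block reasons."""
    msg = message_from_bytes(raw_message)
    results = {}
    for part in msg.walk():
        name = part.get_filename()   # from Content-Disposition or the Content-Type name=
        if name:
            results[name] = assess_filename(name)
    return results


# Constructed sample resembling the February 2001 mail; the attachment body is a
# placeholder, not the worm.
SAMPLE_MAIL = b"""From: friend@example.org
To: you@example.org
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Hi: Check This!
--sep
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

rem constructed placeholder, not a script
--sep
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--sep--
"""

if __name__ == "__main__":
    for name, reasons in risky_attachments(SAMPLE_MAIL).items():
        print(name, "->", reasons or "ok")
```

The filename check is cheap and catches the whole Kournikova/Love Letter family, but it is only a first line: a mail client that hides known extensions shows the user "AnnaKournikova.jpg" whatever the gateway decides, so the gateway has to strip or quarantine rather than merely warn.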

T0rn

(8) British virus maker arrested:

The British police arrested a 21-year-old male suspected of creating 'T0rn', a rootkit (a kit of replacement system binaries that hides an intruder's presence) aimed at Linux systems. The arrest was the result of an investigation of more than a year by combined British and American authorities. Virus writers are seldom arrested; the police regard this arrest as an important step in the war against cyber crime. The 21-year-old was arrested under the Computer Misuse Act 1990 and released on bail; no further information was given by the police. T0rn appeared in 2001 but caused little damage, because it only targeted Linux systems. Chinese developers later built T0rn into the Lion worm, which also caused little damage.

 

2002

 

2003

Bugbear, MS Blaster

The SoBig.F worm was the most virulent worm seen to date, and its mail engine was surprisingly effective. Also surprising was that its maker programmed an expiration date into the worm: after 10 September 2003 it stopped spreading. The attack on a Microsoft site and the message below are often attributed to SoBig.F but in fact belong to MS Blaster of the same month, which tried to flood the Windows Update site and carried this text in its code:

"Billy Gates, why do you make this possible? Stop making money and fix your software"

 

 

2004

 

 



 

Last update: 16 November, 2003.




Footnotes & References