No, this is not a course in how to write a virus; it is meant to make clear what a virus is, its impact on society, and some of the historical aspects of viruses.
Basically, a virus is a computer program that is able, with your help and by attaching itself to other documents (programs, e-mail, web pages, etc.), to move from computer to computer. Typically these programs are harmful rather than beneficial; even if the virus has no payload (the part of a virus that contains the code to multiply itself and/or to destroy something), it is an unwelcome visitor and takes up system resources.
The Armageddon virus
To illustrate the possibility of an artificial life form cum virus, we will consider the following case, "the Armageddon virus": a rough picture of a disaster in the making. Say we are going to construct a virus of cataclysmic proportions. What would we need to do?
Now you have guessed that we are building a DNA-based virus, and that the purpose of the newsgroup or Usenet server is to form a repository of basic building blocks: genetic material. Our Armageddon virus will grow and prosper.
See? The only thing it does until now is hide and grow more "intelligent", learning the current security tricks and network configuration, spying on network traffic to distil usernames, passwords and business structure, and hiding even better from the system engineers by applying stealth techniques.
And the clock is ticking...
Now the time has come to expand a little bit, unobtrusively though.
This war cannot be won by any human. This was just a rough sketch of what could be expected of future virus builders.
A virus is not the only way you can experience problems with your computer. For most people, hardware or software problems are far more common. This document contains a detailed discussion of some of the most common viruses.
There are several classes of code often grouped under the name "virus." But not all are viruses in the classic meaning of the term. Some of these are: worm, Trojan Horse, logic bomb, and others.
The thing to remember is that a virus moves from computer to computer by attaching itself to a document. Such a document could be an executable program, e-mail you have received or any piece of information that resides on your computer, including the small program that exists in the boot sector of every floppy or hard disk, bootable or not.
For most viruses, when the program with the virus attached is run, the viral code goes into memory and stays there for as long as the computer is turned on. In some cases the virus even survives a warm boot with Ctrl-Alt-Del and stays in memory.
To spread itself, a virus first attaches itself to other programs, documents with macros, e-mail or other disks as they are accessed. Then, if the circumstances are right for that particular virus, it activates and does whatever damage it was designed to do. This may range from a simple message on your screen to complete erasure of your disk, or nothing at all while still being a nuisance.
Boot sector viruses are the classics among viruses. A boot sector virus settles itself in the boot sector of a floppy or hard disk, a specific track on the disk where the operating system finds the information to start your machine's operating system or to make the disk known to your machine (ID). During the 80's a boot sector virus was a real pest on Amiga and Commodore 64 computers: easy to remove but a nuisance, and sometimes very virulent too. When a boot sector virus had infected your disk, the machine either froze or the floppy was no longer usable until you removed the virus. Sometimes even the spare boot sector was overwritten, and then your data could only be salvaged with the help of a recovery program.
A polymorphic virus is a virus that can change itself to elude detection, or change its working. For example, instead of wiping your hard disk it locks your keyboard when specific keys are pressed in a particular sequence. Very hard to detect.
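Integrity checking is the classic defence against the two infection styles described above, a virus appending itself to executables and a virus overwriting the boot sector. The following is an added example, not code from the original page: it fingerprints a constructed in-memory "disk" (a boot sector plus one program) while it is known clean, then reports which items grew or changed. The 512-byte layout ending in the 0x55AA signature is the PC/DOS boot sector convention (not the Amiga or C64 one); all file names and contents are constructed.

```python
import hashlib

BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid PC boot sector

def make_boot_sector(code: bytes) -> bytes:
    """Build a 512-byte boot sector: code, zero padding, then the signature."""
    return code.ljust(510, b"\x00")[:510] + BOOT_SIGNATURE

def has_boot_signature(sector: bytes) -> bool:
    """Sanity check: a PC boot sector is 512 bytes and ends in 0x55AA."""
    return len(sector) == 512 and sector[-2:] == BOOT_SIGNATURE

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """Record size and hash of every item while the disk is known to be clean."""
    return {path: (len(data), fingerprint(data)) for path, data in files.items()}

def audit(baseline: dict, files: dict) -> list:
    """Compare current contents with the baseline. A file that grew is the typical
    sign of an appended infector; a same-size change fits an overwritten boot sector."""
    findings = []
    for path, (size, digest) in baseline.items():
        data = files.get(path)
        if data is None:
            findings.append((path, "missing"))
        elif fingerprint(data) != digest:
            findings.append((path, "grown" if len(data) > size else "modified"))
    findings.extend((path, "new") for path in files if path not in baseline)
    return findings

# Constructed sample disk (not real files): a boot sector plus one program.
CLEAN_DISK = {
    "boot_sector": make_boot_sector(b"BOOTLOADER v1"),
    "GAME.EXE": b"MZ" + b"\x90" * 64,
}
# The same disk after a hypothetical infection: the boot sector was overwritten
# with different code and the program gained an appended block.
INFECTED_DISK = {
    "boot_sector": make_boot_sector(b"SOMETHING ELSE"),
    "GAME.EXE": CLEAN_DISK["GAME.EXE"] + b"\xcc" * 32,
}

def demo() -> list:
    baseline = build_baseline(CLEAN_DISK)
    assert audit(baseline, CLEAN_DISK) == []  # clean disk: nothing to report
    return audit(baseline, INFECTED_DISK)
```

A real integrity checker keeps the baseline somewhere the virus cannot rewrite it (a write-protected floppy in the era the text describes) and re-runs the audit at every boot.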
A binary virus is a virus that needs a second component to become activated and do whatever it was designed to do.
A macro virus most often shows itself in Microsoft Office documents such as Excel and Word, or in Outlook, and works its havoc there. The code is easy to detect and to deactivate.
Insofar as you can still speak of a standard virus: contemporary viruses are hybrids that even contain their own mail engine!
A standard virus resides in memory, where its payload executes like a three-stage rocket:
More advanced viruses scour your hard disk for other programs or executables and attach themselves to any available one, then look for other hard disks, including network disks, and do the same thing over.
Even more advanced viruses try to attack the domains of other users on the network by cracking the passwords, and repeat the process.
Some viruses are only specialized in cracking firewalls, deleting files, sending hundreds of thousands of mails, stealing addresses from your mailbox and sending them to a secret recipient, or burning out your display.
Virus spreading patterns lately (at the time of updating this document) would suggest that MS software is extremely buggy. Yes, the software security is pretty weak, as is that of other software sometimes too. The probable reason that few other operating systems are attacked by viruses is that over 98% of desktop machines run the MS operating system. And programming viruses is relatively easy; it can be done at home. With the availability of tools on the Internet or in subculture circles, it takes only a few days to weeks to build one, even without much knowledge of networks, firewalls, disk systems, mail deployment mechanisms, password encryption, security measures and so on. People like that are often called "script kiddies".
Of course MS Windows seems to be more targeted than others and apparently more insecure. But that seems a matter of perspective.
Unix or MVS systems look more secure because protecting against intruders is one of the fundamental issues of these systems. This is also the reason viruses get little chance to spread through such a system. Most damage is done by the human users themselves, though. And it helps that Unix and VMS systems are relatively isolated from other systems that do not belong to that particular company or institution.
But a system programmer who set himself to it could easily break the security and create a wide-spreading virus. Were it not that in the 'profession' few people feel the urge to write such software, Unix systems and the like would be infested with as many viruses as the rest of the operating systems on small or large machines.
Will a microcomputer virus work on other types of machines? Not many do. But considering the connection ratio between micros and "Big Irons", it could travel very well with documents shared between users via the network. The end users always have some kind of MS Windows and PC combination on their desk, and are thus prime targets for virus-like material.
The spread of viruses is often accelerated by the behavior of computer users. The Kournikova virus was a prime example of this. Using human curiosity to entice users into opening mail with promising pictures or other material is something a virus protection program cannot guard against. However, it is not only by e-mail that viruses get spread. The classic file attachments, macro code inside documents, or extensions to binary programs are somewhat under-represented in the realm of Trojans and viruses, but they are out there!
Oh yes, there are discussions that virus protection companies themselves create viruses to keep themselves in business. And there are rumors that during the Cold War most viruses came from countries like Bulgaria and Romania, and that the SoBig.F virus escaped from an American cyber warfare laboratory. Well, undoubtedly where there is smoke there is fire. But what is true and what is propaganda?
In the beginning of generic software - software that could be used by anyone - a program easily fitted on one or more floppies, even the ones of 'just' 160Kb. A virus via that medium spread either as a boot sector virus or attached to executables. The Internet did not exist or was not widespread in these years - we are talking about the late 70's and early 80's - but Bulletin Board Systems were abundant. Viruses spread attached to programs (Trojans) via these BBSs. They were extremely small, at least compared to contemporary viruses, and the payload was single-tasked: either overwrite a boot sector or attach to a file. No sophisticated mechanisms were present in these viruses.
Programs and their supporting files soon no longer fitted on a few floppies, and as a result viruses that spread via floppies more or less disappeared. As soon as you needed more than one CD to install your program, boot sector viruses were no longer an issue.
At the same time the Compact Disc (CD) became a very popular storage medium, making it virtually impossible to contaminate programs on such a disc, at least as long as the software manufacturer paid attention. Also the Internet grew rapidly and became a public utility of worldwide proportions in the mid 1990's. As a result of these two developments virus coders needed a new vehicle to put their stuff in the wild, and e-mail became one of the most popular means to spread a virus. Of course viruses are still spread via floppies and files sent through mail or shared amongst friends, etc. But the hyped Internet was a prime target of many script kiddies building their thing in their bedroom. As a result, a virus with an effective payload became larger and larger, and around 2002 had grown to 600Kb, compared to 32K in the early years. Components such as a mail engine, polymorphism and binary devices are very common but result in relatively bloated viruses. Until now viruses are not very intelligent; most of them make use of security leaks in one particular (operating) system.
By their nature, to elude detection they should stay relatively small and thus cannot contain AI to adapt to a changed environment or a sophisticated detection scheme, unless you design a virus that gets its information and resources from other sources, tapping from repositories on the basis of need.
The murky nature of coding a virus while staying away from the police often makes it difficult to identify the makers of the originals: the first occurrence of some type of virus. Also, when there is a time delay built into a virus it becomes even more difficult to trace the creator of such software. Though by means of new laws that require providers to open up their system log files for examination by various law enforcement agencies from different countries, tracing back the origin becomes more viable. And no less, the detection techniques, analysis tools, containment methodologies, better firewalls, et cetera, enable system and software engineers to better protect against viral attacks. But as long as viruses can be made in one's backyard and the tools to do so are limited only by the inventiveness of the creators, the tug of war will go on eternally. Some day the police are on top, another day the virus will win a battle.
Alan Turing conceives the idea of self ....
The Elk Cloner was one of the first viruses in the wild(10). It infected Apple II floppies. When activated it displayed a rhyme on the screen.
Fred Cohen defines a computer virus, and in an experiment he and his colleagues demonstrated the concept of a virus during a security seminar.
The Brain virus is the first boot sector virus, allegedly constructed by two Pakistani brothers. The Brain virus is dubbed to have been the first one, but in fact Cohen and the Apple II virus were first.
The first Trojan virus was PC-Write.
Michelangelo virus
Concept virus
Back Orifice virus
Melissa
Love Letter
Code Red
A mail attachment contained the Kournikova worm: a smart way to spread a virus by enticing users to click on a picture of tennis player Kournikova, who was, depending on your taste, attractive enough to lure you into opening the message. By opening the mail your machine got infected with a so-called mail worm. The result: your address book was used to send out more mail with the Kournikova worm attached.
Even when people were warned against opening such or look-alike mail, the mail still got opened to view the picture. The virus wasn't very harmful but spread widely because of a smart combination of human curiosity and virus technology.
T0rn
(8) British virus maker arrested:
The British police arrested a 21-year-old male suspected of being the creator of the 'T0rn' virus that targeted Linux computer systems. This was the result of an investigation that took over a year by combined British and American authorities. Virus writers are seldom arrested. The police consider the arrest an important step in the war against cyber crime. The 21-year-old was arrested under the Computer Misuse Act 1990 and released on bail. No further info is given by the police. The T0rn virus appeared in 2001, but caused little damage because it was targeted against Linux systems. The T0rn virus was redesigned by Chinese virus developers into the Lion virus, also causing little damage.
Bugbear, MS Blaster,
The SoBig.F worm was the most virulent worm ever. Its payload was surprisingly effective. Also surprising was that the maker of this virus programmed an expiration date into the virus. Its last action was supposed to be an attack on the Microsoft site. One of the messages generated by this virus was:
"Billy Gates, why do you make this possible? Stop making money and fix your software"
Last update: 16 November 2003