Sunday, February 5, 2017

Information Security: Viruses

A computer virus is a piece of software that can “infect” other programs by modifying them; the modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs. A computer virus carries in its instructional code the recipe for making perfect copies of itself. The typical virus becomes embedded in a program on a computer. Then, whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new program. Thus, the infection can be spread from computer to computer by unsuspecting users who either swap disks or send programs to one another over a network. In a network environment, the ability to access applications and system services on other computers provides a perfect culture for the spread of a virus.
A virus can do anything that other programs do. The difference is that a virus attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs, that is allowed by the privileges of the current user.
A computer virus has three parts:
·      Infection mechanism: The means by which a virus spreads, enabling it to replicate. The mechanism is also referred to as the infection vector.

·      Trigger: The event or condition that determines when the payload is activated or delivered.

·      Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.


During its lifetime, a typical virus goes through the following four phases: 

·      Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.

·      Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.

·      Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.

·      Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.


The following pseudocode fragment shows how a simple computer virus works.
beginvirus:
    if spread-condition then begin
        for some set of target files do begin
            if target is not infected then begin
                determine where to place virus instructions
                copy instructions from beginvirus to endvirus into target
                alter target to execute added instructions
            end;
        end;
    end;
    perform some action(s)
    goto beginning of infected program
endvirus:
A virus classification by target includes the following categories:

·      Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.

·      File infector: Infects files that the operating system or shell considers to be executable.

·      Macro virus: Infects files with macrocode that is interpreted by an application.
A virus classification by concealment strategy includes the following categories: 

·      Encrypted virus: A typical approach is as follows. A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe. 

·      Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just the payload, is hidden.

·      Polymorphic virus: A virus that mutates with every infection, making detection by the “signature” of the virus impossible.

·      Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
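The encrypted-virus description above makes two points a scanner author needs to see concretely: the encrypted bulk has no constant bit pattern, but the decryption routine and the stored key must remain in clear text, and that constant part is what a signature can target; because the key travels with the sample, a scanner can also recover it and match against the decrypted body. The following is an added example (not code from the original post) that models this with constructed data: the "body" and "decryptor stub" are inert placeholder strings, not code, and single-byte XOR stands in for the per-instance encryption. It shows a naive signature on the body failing for every non-zero key, a signature on the stub still matching, and a key-recovering scan matching the body in all cases.

```python
# Added example: signature scanning against an encrypted virus, with
# constructed placeholder data. BODY and STUB are inert strings standing in
# for the encrypted portion and the clear-text decryptor; they are not code.

BODY = b"[constructed inert virus body placeholder 0123456789]"
STUB = b"<constructed decryptor stub placeholder>"   # must stay in clear text
BODY_SIG = BODY[:16]                                # a signature taken from the body


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the simplest per-instance encryption; it is its own inverse."""
    return bytes(b ^ key for b in data)


def make_instance(key: int) -> bytes:
    """Model one infection as the text describes it: clear-text stub, the
    stored key, then the body encrypted under that key. A different key per
    instance means the body bytes differ from copy to copy."""
    return STUB + bytes([key]) + xor_bytes(BODY, key)


def scan(sample: bytes, signature: bytes) -> bool:
    """Naive signature scanner: does a fixed byte string occur in the sample?"""
    return signature in sample


def scan_with_key_recovery(sample: bytes, body_signature: bytes) -> bool:
    """Locate the clear-text stub, read the stored key that follows it, decrypt
    the remainder and only then match. This is the defender's answer to the
    'no constant bit pattern' property: the key is in the sample too."""
    idx = sample.find(STUB)
    key_pos = idx + len(STUB)
    if idx < 0 or key_pos >= len(sample):
        return False
    key = sample[key_pos]
    decrypted = xor_bytes(sample[key_pos + 1:], key)
    return body_signature in decrypted


def compare(keys: list[int]) -> dict[int, tuple[bool, bool, bool]]:
    """For each key: (body signature hit, stub signature hit, key-recovery hit)."""
    results = {}
    for k in keys:
        inst = make_instance(k)
        results[k] = (
            scan(inst, BODY_SIG),
            scan(inst, STUB),
            scan_with_key_recovery(inst, BODY_SIG),
        )
    return results


if __name__ == "__main__":
    # Key 0 leaves the body unencrypted; the other two are arbitrary constructed keys.
    for key, (body_hit, stub_hit, recovered_hit) in compare([0, 0x5A, 0xC3]).items():
        print(f"key=0x{key:02x}: body-sig={body_hit} stub-sig={stub_hit} "
              f"after-key-recovery={recovered_hit}")
```

The stub signature is the weak point for the attacker and the target for the defender, which is exactly what the polymorphic and metamorphic categories respond to: they vary the decryptor itself, so a fixed stub signature no longer holds and scanners move to emulation or behavioural detection instead of byte patterns.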
