COMPUTER VIRUS
It was Fred Cohen who coined the term ‘computer virus’ in its technical sense, in 1983 (the name itself was suggested by his adviser, Leonard Adleman). The words ‘virus’ and ‘worm’ had already been used for self-replicating programs in science fiction in the early 1970s (‘When HARLIE Was One’, 1972, and ‘The Shockwave Rider’, 1975). In the late 1970s and early 1980s, researchers at Xerox PARC (John Shoch and Jon Hupp) wrote and demonstrated self-replicating programs that moved across their network, which they called worms.
A virus is a program that can ‘infect’ other programs by modifying them to include a possibly evolved copy of itself. Every program that gets infected may in turn act as a virus, and so the infection multiplies. The key property of a virus is this ability to infect other programs. Every general-purpose system currently in use is open to viral attack, and even systems designed with security in mind do not stop it: a virus introduced by any one user spreads as far as that user's information is allowed to flow, so it has the potential to spread throughout any system which permits sharing. The virus may be written and introduced by a hacker, whose reward is the satisfaction of having outwitted a computer system.
The Internet has created a haven for virus writers. One important line of research asks how quickly a virus could spread to a large percentage of the computers in the world, using simplified mathematical models of virus spreading in typical computer networks. To validate such models, virus-like programs have to be written, injected into isolated test systems and their effect studied: the extent, speed and effect of the infection are measured in a simulated environment, and several such experiments have been carried out systematically. Anti-virus vendors presumably run similar experiments before bringing out their packages.
Virus theory also yields a set of ‘undecidable detection problems’: no algorithm can decide, in general, any of the following
- Detection of a virus by its appearance.
- Detection of a virus by its behaviour.
- Detection of evolution of a known virus.
- Detection of a triggering mechanism by its appearance.
- Detection of a triggering mechanism by its behaviour.
- Detection of evolution of a known triggering mechanism.
- Detection of a virus detector by its behaviour.
- Detection of evolution of a known virus detector.
- Safety of a protection scheme.
In a networked system a virus may be introduced through one particular node, or a few nodes, while appearing to have originated from some other node. A virus embedded in an executable file may also be triggered only at certain stages of the program's execution, and not necessarily every time the program is run.
Experts point out that viruses need not be used only for evil purposes. One interesting application is compression. A simple virus can be written to find uninfected executable files, compress them and insert itself at their head; when an infected program is run it decompresses itself and then executes normally. Studies indicate that such a virus could save over 50% of the space taken up by executable files on an average system. The performance of infected programs decreases slightly, because they are decompressed on every run, so the ‘compression virus’ implements a particular time/space trade-off.
Another example is a virus written to find ‘uninfected’ executables and plant itself at their beginning; after a given date and time it causes each executable to ‘refuse service’ by going into an infinite loop. With the level of sharing prevalent in modern networks, the entire system would become unusable after that moment, and anti-virus operators would face a great deal of hard work to undo the damage caused by such a virus.
Types of Viruses
Non-TSR File Virus
This is the simplest form of virus to write and the least effective, so one is unlikely to be troubled by it. When an infected program is run, the virus code carries out its task: it finds an executable file that is not yet infected and attaches a copy of itself to it. It then runs the original program to which it is attached, and is no longer active once that program exits. In contrast, TSR (terminate-and-stay-resident) viruses load themselves into memory when they are executed and are able to infect any executable program they can reach from that point on.
Boot Sector Virus
This is the other major type of virus. The boot sector of a disc holds a small, simple program that is used to start DOS, or whatever operating system is installed. A boot sector virus replaces this with virus code and typically moves the original boot sector to another part of the disc. When the PC is booted, the virus code is executed first; the virus then runs the real boot sector so that the machine appears to start normally. A very slow boot from an infected floppy, with an excess of floppy disc activity, is a common symptom of an infected machine.
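The check a practitioner wants here is whether the boot code in a sector still matches the code that was there when the disc was known to be clean. The following is an added example, not code from the original article: it parses a Master Boot Record (446 bytes of boot code, four 16-byte partition entries, and the 0x55AA signature that the BIOS requires) and compares a hash of the boot code against a baseline. The sector bytes are constructed for the example; the boot code is a stand-in, not a real loader.

```python
"""Parse a 512-byte MBR and check its boot code against a known-good hash."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 must hold this for the BIOS to boot it


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, used partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        # status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped),
        # LBA of first sector, number of sectors
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> str:
    """'clean' if the boot code matches the baseline taken when the disc was
    known good, 'modified' if it differs, 'invalid' if the signature is gone."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid"
    return "clean" if boot_code_hash(sector) == baseline_hash else "modified"


def build_sector(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (status, type, lba, count) tuples.
    Used here only to construct sample input."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed sample: a stand-in boot loader prologue and one bootable FAT16 partition.
CLEAN_MBR = build_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40,
                         [(0x80, 0x06, 63, 204800)])
BASELINE = boot_code_hash(CLEAN_MBR)

# Constructed "infected" sector: same partition table, but the boot code now
# starts with a jump into code the virus placed later in the sector.
INFECTED_MBR = build_sector(b"\xeb\x3c\x90" + b"VIRUS" + b"\x00" * 60,
                            [(0x80, 0x06, 63, 204800)])

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE))     # clean
    print(check_mbr(INFECTED_MBR, BASELINE))  # modified
    print(parse_mbr(CLEAN_MBR)["partitions"])
```

The partition table is parsed as well as the boot code because a virus that relocates the real boot sector (as described above) must not disturb the table, so an intact table with changed boot code is exactly the pattern to look for; on a real disc the 512 bytes would be read from sector 0 while booted from clean media.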
Multipartite Viruses
These combine both techniques and can infect both boot sectors and files. ‘Tequila’, for example, infects the Master Boot Record (MBR) when an infected EXE file is run; once the PC has been booted from the infected MBR, the virus goes memory resident and infects every EXE file that is accessed.
Companion Viruses
Companion viruses create a .COM companion to an .EXE file. When a command is typed without an extension, DOS looks for a .COM file before an .EXE file of the same base name, so the virus runs before the .EXE file of the same name. The virus then runs the original .EXE, and the user notices nothing. Because the .EXE itself is never modified, a checksum of the original program does not change; what does show up is a new, small .COM file sitting beside every .EXE.
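Since a companion virus leaves the original program untouched, the thing to scan for is the companion itself. The following is an added example, not code from the original article: it walks a directory tree, reports every .COM that shadows an .EXE of the same base name, and then narrows the list to companions that are suspiciously small or byte-for-byte identical to another companion (the 4096-byte limit is an assumption chosen for the example). The directory tree is constructed in a temporary folder.

```python
"""Find .COM files that shadow an .EXE of the same base name."""
import os
import tempfile
from pathlib import Path


def find_companions(root: str) -> list:
    """Return (com_path, exe_path) pairs where a .COM sits beside an .EXE of
    the same base name. DOS resolves 'NAME' to NAME.COM before NAME.EXE."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_stem = {}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            # DOS file names are case-insensitive, so compare lower-cased.
            by_stem.setdefault(stem.lower(), {})[ext.lower()] = name
        for _stem, exts in sorted(by_stem.items()):
            if ".com" in exts and ".exe" in exts:
                hits.append((os.path.join(dirpath, exts[".com"]),
                             os.path.join(dirpath, exts[".exe"])))
    return hits


def suspicious_companions(root: str, max_com_size: int = 4096) -> list:
    """A companion dropped by a virus is typically tiny and identical in every
    directory, whereas a legitimate .COM/.EXE pair is usually a full program.
    Flag pairs whose .COM is small or matches another .COM already seen."""
    seen = set()
    flagged = []
    for com, exe in find_companions(root):
        data = Path(com).read_bytes()
        if len(data) <= max_com_size or data in seen:
            flagged.append((com, exe))
        seen.add(data)
    return flagged


def demo() -> dict:
    """Build a constructed DOS-style tree and run both scans over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        (root / "GAMES").mkdir()
        # Legitimate program: only an .EXE, nothing to report.
        (root / "DOS" / "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 3000)
        # Legitimate pair: the .COM is a large, distinct program of its own.
        (root / "DOS" / "TOOL.EXE").write_bytes(b"MZ" + b"\x00" * 3000)
        (root / "DOS" / "TOOL.COM").write_bytes(b"\xe9" + os.urandom(8000))
        # Companion-style pairs: the same tiny stub beside each .EXE.
        stub = b"\xe9\x10\x00" + b"\x90" * 300  # constructed stub, not real code
        for name in ("WORDS", "CHESS"):
            (root / "GAMES" / f"{name}.EXE").write_bytes(b"MZ" + b"\x00" * 5000)
            (root / "GAMES" / f"{name.lower()}.com").write_bytes(stub)
        return {
            "pairs": sorted(os.path.basename(c).upper() for c, _ in find_companions(tmp)),
            "flagged": sorted(os.path.basename(c).upper() for c, _ in suspicious_companions(tmp)),
        }


if __name__ == "__main__":
    print(demo())
```

On a real system the same check should also cover every directory on the PATH, since a companion placed earlier in the search path than the genuine program is picked up in the same way.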
Polymorphic Viruses
These aim to foil anti-virus packages that search for a specific strain by looking for a known sequence of bytes. No two copies of a true polymorphic virus are alike: the body is encrypted with a different key on each infection, and the small decryption routine placed in front of it is itself varied. When a polymorphic virus runs it first decrypts itself and then behaves like any other virus. Programs such as the ‘Nuke Encryption Device’ (NED) and the ‘Trident Polymorphic Engine’ (TPE) have been written that turn a standard virus into a polymorphic one. Fortunately, once an anti-virus company has taken measures to defeat a given ‘engine’, all viruses processed by it become detectable.
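The following added example (not code from the original article, and not a real virus) shows why a fixed byte signature fails against encrypted copies and what a scanner does instead. The ‘payload’ is a constructed byte string standing in for a virus body, and the decryptor stub is an illustrative x86-style fragment, constant except for the key byte it carries; the stub is not a working loader. The scanner first recognises the stub with a wildcard at the key position, then uses the key to decrypt the body and applies the ordinary body signature, which stands in for the emulation step real scanners use against polymorphic engines.

```python
"""Fixed signatures versus a key-varied body, and the decrypt-then-scan answer."""

# Constructed stand-in for the virus body the scanner wants to find.
PAYLOAD = b"\xb8\x21\x4c\xcd\x21CONSTRUCTED-VIRUS-BODY-FOR-EXAMPLE\x00"

# Signature a vendor would extract from one captured, decrypted sample.
BODY_SIGNATURE = b"CONSTRUCTED-VIRUS-BODY"

# Illustrative decryptor stub; everything is constant except the key at offset 1.
# b0 ?? = mov al, key ; 30 04 = xor [si], al ; 46 = inc si ; e2 fb = loop back
STUB_PREFIX = b"\xb0"
STUB_SUFFIX = b"\x30\x04\x46\xe2\xfb"
KEY_OFFSET = 1
STUB_LEN = len(STUB_PREFIX) + 1 + len(STUB_SUFFIX)
STUB_PATTERN = list(STUB_PREFIX) + [None] + list(STUB_SUFFIX)  # None = any byte


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(payload: bytes, key: int) -> bytes:
    """One infected 'file': decryptor stub followed by the body XORed with key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in clear)")
    return STUB_PREFIX + bytes([key]) + STUB_SUFFIX + xor_bytes(payload, key)


def signature_scan(data: bytes, signature: bytes) -> bool:
    """Plain substring search: the classic pre-polymorphism scanner."""
    return signature in data


def wildcard_scan(data: bytes, pattern: list) -> list:
    """Offsets where pattern matches; None entries match any byte. This is how a
    scanner recognises an engine's decryptor regardless of the key it embeds."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all(p is None or data[i + j] == p for j, p in enumerate(pattern))]


def emulate_and_scan(data: bytes, signature: bytes) -> bool:
    """Locate the decryptor, recover the key it carries, decrypt the body it
    guards, then apply the ordinary body signature to the plaintext."""
    for off in wildcard_scan(data, STUB_PATTERN):
        key = data[off + KEY_OFFSET]
        body = xor_bytes(data[off + STUB_LEN:], key)
        if signature_scan(body, signature):
            return True
    return False


def demo() -> dict:
    """Two infections of the same virus under different keys."""
    a = make_variant(PAYLOAD, 0x5A)
    b = make_variant(PAYLOAD, 0xA7)
    return {
        "copies_identical": a == b,
        "plain_sig_hits": [signature_scan(a, BODY_SIGNATURE), signature_scan(b, BODY_SIGNATURE)],
        "stub_found": [bool(wildcard_scan(a, STUB_PATTERN)), bool(wildcard_scan(b, STUB_PATTERN))],
        "emulated_hits": [emulate_and_scan(a, BODY_SIGNATURE), emulate_and_scan(b, BODY_SIGNATURE)],
    }


if __name__ == "__main__":
    print(demo())
```

This is also why the paragraph above can say that defeating an engine defeats every virus built with it: the part that has to be recognised is the engine's decryptor, not the individual virus body, and once the decryptor is handled the body is scanned as plain bytes.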
Stealth
Stealth covers a variety of techniques that viruses use to disguise their presence, from something as simple as hiding the increase in the size of infected executables in directory listings, to full-blown detection of the tools used to find the virus and taking appropriate action to fool them (for example, returning the original, clean contents of a file to any program that reads it while the virus is memory resident). Stealth only works while the virus is running, which is why a scan or integrity check is only trustworthy after booting from clean, write-protected media.
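The defensive counterpart is an integrity baseline: record the size and a cryptographic hash of every executable while the system is known clean, then compare after a clean boot. The following is an added example, not code from the original article; the set of executable extensions and the constructed file contents are assumptions made for the example. Besides plain modifications it separately reports files whose size is unchanged but whose hash differs, the footprint of an overwriting infection that size-based checks miss entirely.

```python
"""Build and compare a size/SHA-256 baseline of executable files."""
import hashlib
import os
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".com", ".sys", ".ovl", ".dll"}  # assumed set of interest


def file_record(path: Path) -> dict:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}


def build_baseline(root: str) -> dict:
    """Record size and SHA-256 of every executable under root, keyed by
    relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_EXTS:
                baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(root: str, baseline: dict) -> dict:
    """Diff the current state against the baseline. Run this after booting
    from clean media: a resident stealth virus would otherwise feed the
    original bytes back to the hash and the files would all look unchanged."""
    current = build_baseline(root)
    modified, same_size = [], []
    for rel, rec in baseline.items():
        now = current.get(rel)
        if now is None or now == rec:
            continue
        modified.append(rel)
        if now["size"] == rec["size"]:  # overwriting/cavity infection
            same_size.append(rel)
    return {
        "modified": sorted(modified),
        "size_unchanged_but_content_changed": sorted(same_size),
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed tree: take a baseline, then simulate three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        (root / "DOS" / "COMMAND.COM").write_bytes(b"\xe9" + b"\x00" * 2000)
        (root / "DOS" / "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 3000)
        (root / "DOS" / "HIMEM.SYS").write_bytes(b"\x00" * 1000)
        (root / "README.TXT").write_bytes(b"not an executable, not tracked")
        base = build_baseline(tmp)
        # A prepending file infector: EDIT.EXE grows by a stub.
        edit = root / "DOS" / "EDIT.EXE"
        edit.write_bytes(b"\xe9\x10\x00" + b"\x90" * 500 + edit.read_bytes())
        # An overwriting infector: COMMAND.COM keeps its exact size.
        cmd = root / "DOS" / "COMMAND.COM"
        data = bytearray(cmd.read_bytes())
        data[:8] = b"VIRUS\x00\x00\x00"
        cmd.write_bytes(bytes(data))
        # A dropped companion and a deleted driver.
        (root / "DOS" / "EDIT.COM").write_bytes(b"\x90" * 100)
        (root / "DOS" / "HIMEM.SYS").unlink()
        return compare(tmp, base)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where a virus cannot alter it, on the same write-protected floppy as the scanner in the prevention tips below, or the comparison proves nothing.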
Trojans
Trojans are not viruses at all. They are programs that hide malevolent code within a seemingly innocuous program, but they do not replicate. For this reason the chances of being caught out accidentally by a Trojan, rather than by deliberately running one, are low.
Macro Viruses
Macro viruses had been predicted for a while. The first to appear in the wild, ‘Concept’ (1995), was sent out accidentally by Microsoft on a CD-ROM to OEMs; Microsoft called it a ‘Prank Macro’. It was the first virus that would run on both PCs and Macs, since it lives in the document rather than in machine code. It replicates using an auto-executing WordBasic macro (AutoOpen) embedded in a document. When the document is loaded, it copies its macros to Word’s global template NORMAL.DOT and replaces the File Save As command with a routine that also saves a copy of the macros into each document saved.
The most significant computer viruses of the last 10 years are
- Code Red
In 2001, Code Red targeted web servers and spread automatically by exploiting a buffer-overflow vulnerability in Microsoft IIS. Within a day of its outbreak on 19 July 2001 it had infected more than 350000 servers.
- Sasser
Fortinet’s Lovet said 2004’s Sasser virus spread without anyone’s help and exploited a vulnerability in Microsoft Windows (in the LSASS service, patched by MS04-011). The worm’s exploit also crashed LSASS, which caused infected systems to shut down and reboot every couple of minutes. The damage caused by Sasser was estimated at more than $18 billion.
Microsoft wanted answers, offering a $250000 bounty for Sasser’s author, who turned out to be an 18-year-old German student, Sven Jaschan, who said he created the virus as a way to help his mother find a job in computer security. Lovet said Sasser was the first virus to really attract attention from the traditional press.
- MyTob
MyTob was a mass-mailing worm that carried its own SMTP engine, harvesting addresses from an infected system and mailing itself to them.
Appearing in 2005, MyTob combined the features of a bot and a mass-mailer: each infected machine also joined an IRC-controlled botnet. Along with heralding the era of for-profit cybercrime, MyTob helped bring the botnet into the mainstream.
- Storm
The Storm botnet launched in January 2007 and took what seemed like ages to bring under control. Storm left a legacy as one of the most destructive bots in history, infecting millions of computers around the world. At its height, estimates of the number of infected systems ranged from 1 million to 50 million, and it accounted for 8% of all malware infections.
- Koobface
Koobface, launched in 2008, was the first botnet to recruit its zombie computers through social networks, including Facebook, MySpace, hi5 and Bebo. At the time of writing it was estimated that more than 500000 Koobface zombies were online at any one moment.
- Conficker
Conficker was first detected in November 2008 and peaked in 2009. It targeted the Microsoft Windows OS, exploiting a flaw in the Server service (MS08-067) and using dictionary attacks on administrator passwords of network shares to co-opt machines and link them to a command infrastructure that its authors could direct remotely.
Some hospitals and military bases were also affected, and it is estimated that roughly 7 million systems were infected globally. Oddly enough, Conficker declined to infect machines with a Ukrainian keyboard layout or a Ukrainian IP address, suggesting that the authors were deliberately avoiding their own country.
- Stuxnet
To many, Stuxnet is the first shot fired in a cyber war that is only beginning. With Stuxnet targeting a nuclear facility, it is said that the virus landscape has changed dramatically. Stuxnet was identified in June 2010 and came to wide public attention by September 2010, when researchers found that it targeted Siemens industrial control software (Step 7/WinCC) and the programmable logic controllers it programs. Early reports linked it to Iran’s Bushehr nuclear reactor; its real target is now understood to have been the uranium-enrichment centrifuges at Natanz.
- SQL Slammer (2003)
Appeared on 25 January 2003 and soon earned a high rank in the list of the most dangerous worms of the year. Slammer exploited a buffer overflow in Microsoft SQL Server 2000 and MSDE (patched by MS02-039) with a single 376-byte UDP packet, which let it spread to over 90% of all vulnerable hosts within 10 minutes; about 75000 hosts were infected in total, and according to a London-based market-intelligence firm the worm caused between $950 million and $1.2 billion in lost productivity worldwide in its first five days.
- Bandook (2005)
ALIAS: Bandook Rat
Bandook is a backdoor trojan horse (a remote-access trojan, or RAT) that infects Windows NT-family systems (Windows 2000, XP, 2003 and Vista). It uses process hijacking and kernel patching to bypass the firewall, allowing the server component to hijack processes and gain rights to access the internet. In many respects it is similar to the Beast trojan (2002).
- Sadmind Worm (2001)
ALIAS: Sadmind/IIS, Unix/Sadmind, Solaris/Sadmind Worm
The Sadmind worm was a self-propagating piece of malware first discovered on 8 May 2001 in China. It exploited a buffer overflow in the sadmind service of Sun Microsystems’ Solaris and a directory-traversal flaw in Microsoft’s Internet Information Services (IIS), at the time the world’s second most popular web server in terms of overall websites, behind the industry leader Apache HTTP Server, and used the IIS hosts it reached to deface websites.
- Beast Trojan (2002)
Beast is a Windows-based backdoor trojan horse, more commonly known in the underground cracker community as a RAT (Remote Administration Tool). It was written in Delphi and first released by its author, Tataye, in 2002. Beast was one of the first trojans to feature a ‘reverse connection’, in which the victim connects out to the attacker (passing through firewalls that only block inbound connections), and once established it gave the attacker complete control over the infected computer.
Prevention from a Virus Attack
The most fundamental precaution against virus attacks is to limit access to a machine, so that the system cannot be tampered with. For floppy discs, the simplest form of protection is to place write-protect tabs on all discs, so that any attempt by a virus to write to the disc results in an error message. The write-protect tab should be removed only when data has to be expressly written to the floppy.
It should be remembered that even the simple act of inserting a floppy disc and getting a directory listing can be enough to infect a machine. Though write-protect facilities are generally not available for hard discs, hardware products have started appearing on the market that let users write-protect hard discs. But, being expensive, these are not likely to be widely used.
Software products to write-protect hard discs are also available, but these are themselves vulnerable to virus attack, since a virus that gains control at boot time can disable them. In network environments, the use of diskless workstations, or machines with a hard disc but no floppy drive, is becoming popular. Control of software is then restricted to the file server and the network administrators.
Tips for Prevention of Virus Infection
Even if one buys and uses several anti-virus applications, the best defence is to avoid infection in the first place. There is no absolute guarantee against infection, but the risk can be minimised by following the guidelines listed below
- Boot the system from a write-protected, already-scanned floppy disc that contains the boot and system files and a copy of a trusted virus scanning program.
- Even if there is a hard disc and the PC normally boots from it, start by first booting the system from the uninfected, write-protected boot floppy in the ‘A’ drive.
- All floppies should be scanned individually and periodically with a trusted, uninfected virus scanning (or detection) program.
- Discourage the use of other users’ floppies unless they are individually scanned and checked for viruses.
- Do not use previously formatted floppies brought by others, even if they are apparently empty: an empty-looking disc still has a boot sector. Reformat all empty floppies on your uninfected system before further use.
- Avoid lending floppies.
- The most popular carriers of dangerous viruses are floppies containing popular computer games, horoscopes and astrological predictions. These should be avoided.
- Use of pirated software should be completely avoided, as much of it carries viruses.
- Take back-ups regularly. A full back-up once a week, with incremental back-ups daily if necessary, is advisable. Uninfected back-ups allow infected files to be overwritten. Even infected back-ups permit recovery from logic bombs. Disinfect restored files right away.
- Write-protect and back up the installation discs before installing any new software. If this is not done and the system is already infected, the original program discs could be permanently infected during installation.
- Scan network drives that are used regularly. Files attached to e-mail messages may be infected.
- Keep the memory-resident, virus-spotting portion of the anti-virus application running at all times. If an infection is suspected, turn off the system immediately. Reboot from a clean floppy (one without an AUTOEXEC.BAT or CONFIG.SYS file, so that nothing on the hard disc runs). Then disinfect the system using a copy of the anti-virus program held on that disc.
Users should also have some basic knowledge about viruses, their prevention and cure. Every user should run good anti-virus software to scan files regularly.
But no single product can be relied upon to eliminate infection by all strains of virus. The battle against virus infection will be a long and, perhaps, never-ending one.