CS3A ISec Lecture5-Viruses


Viruses

Because "virus" is the popular name given to all forms of malicious code and because fuzzy lines exist between different kinds of malicious code, we will not be too restrictive in the following discussion. We want to look at how malicious code spreads, how it is activated, and what effect it can have. A virus is a convenient term for mobile malicious code, and so in the following sections we use the term "virus" almost exclusively. The points made apply also to other forms of malicious code.
How Viruses Attach

A printed copy of a virus does nothing and threatens no one. Even executable virus code sitting on a disk does nothing. What triggers a virus to start replicating? For a virus to do its malicious work and spread itself, it must be activated by being executed. Fortunately for virus writers, but unfortunately for the rest of us, there are many ways to ensure that programs will be executed on a running computer.

For example, recall the SETUP program that you initiate on your computer. It may call dozens or hundreds of other programs, some on the distribution medium, some already residing on the computer, some in memory.

A more common means of virus activation is as an attachment to an e-mail message. In this attack, the virus writer tries to convince the victim (the recipient of an e-mail message) to open the attachment. Once the viral attachment is opened, the activated virus can do its work.

The virus can be executable code embedded in an executable attachment, but other types of files are equally dangerous. For example, objects such as graphics or photo images can contain code to be executed by an editor, so they can be transmission agents for viruses.

In general, it is safer to force users to open files on their own rather than automatically; it is a bad idea for programs to perform potentially security-relevant actions without a user's consent.
Appended Viruses

A program virus attaches itself to a program; then, whenever the program is run, the virus is activated. This kind of attachment is usually easy to program.

In the simplest case, a virus inserts a copy of itself into the executable program file before the first executable instruction. Then, all the virus instructions execute first; after the last virus instruction, control flows naturally to what used to be the first program instruction.
Virus Appended to a Program.

This kind of attachment is simple and usually effective. The virus writer does not need to know anything about the program to which the virus will attach, and often the attached program simply serves as a carrier for the virus.

The virus performs its task and then transfers to the original program. Typically, the user is unaware of the effect of the virus if the original program still does all that it used to. Most viruses attach in this manner.
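Because an appended virus leaves the original program working, the user notices nothing; what does change is the file itself. The defender's counterpart is a known-good baseline: record the size and hash of every program file and later compare. The following is an added example written for this section, not code from the lecture or from the textbook it draws on; the directory layout, file names and byte contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative name) to (size, sha256)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): (p.stat().st_size, sha256_of(p))
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_against_baseline(root, baseline):
    """Compare the current tree with a saved baseline.

    A prepended or appended virus changes both size and digest of its host,
    so it shows up under 'modified' even though the host still runs normally.
    """
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": []}
    for name, expected in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != expected:
            report["modified"].append(name)
    for name in current:
        if name not in baseline:
            report["added"].append(name)
    return report


def demo():
    """Constructed scenario: take a baseline, then alter the tree the way
    an appended infection would (extra bytes before the first instruction,
    plus a dropped file), and report the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.bin").write_bytes(b"\x90" * 16 + b"ORIGINAL PROGRAM CODE")
        (root / "util.bin").write_bytes(b"UTILITY CODE")
        baseline = build_baseline(root)

        original = (root / "app.bin").read_bytes()
        # Original code is intact; only the prefix is new, as with a
        # virus inserted before the first executable instruction.
        (root / "app.bin").write_bytes(b"PREFIX BYTES;" + original)
        (root / "dropped.bin").write_bytes(b"NEW FILE")
        (root / "util.bin").unlink()
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken from a tree known to be clean and stored where the monitored system cannot rewrite it; a baseline that the virus can update is no baseline at all.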
Viruses That Surround a Program

An alternative to the attachment is a virus that runs the original program but has control before and after its execution. For example, a virus writer might want to prevent the virus from being detected.

If the virus is stored on disk, its presence will be given away by its file name, or its size will affect the amount of space used on the disk. The virus writer might arrange for the virus to attach itself to the program that constructs the listing of files on the disk.

If the virus regains control after the listing program has generated the listing but before the listing is displayed or printed, the virus could eliminate its entry from the listing and falsify space counts so that it appears not to exist.
Integrated Viruses and Replacements

A third situation occurs when the virus replaces some of its target, integrating itself into the original code of the target. Clearly, the virus writer has to know the exact structure of the original program to know where to insert which pieces of the virus.
Virus Integrated into a Program.

Finally, the virus can replace the entire target, either mimicking the effect of the target or ignoring the expected effect of the target and performing only the virus effect. In this case, the user is most likely to perceive the loss of the original program.
Document Viruses

Currently, the most popular virus type is what we call the document virus, which is implemented within a formatted document, such as a written document, a database, a slide presentation, or a spreadsheet.

These documents are highly structured files that contain both data (words or numbers) and commands (such as formulas, formatting controls, links). The commands are part of a rich programming language, including macros, variables and procedures, file accesses, and even system calls. The writer of a document virus uses any of the features of the programming language to perform malicious actions.

The ordinary user usually sees only the content of the document (its text or data), so the virus writer simply includes the virus in the commands part of the document, as in the integrated program virus.
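The user sees the data part of a document, but a scanner can look at the commands part directly. Modern Office documents (the OOXML formats) are zip packages, and a VBA macro project travels as a `vbaProject.bin` part that is also declared in `[Content_Types].xml`, so checking a document for macros before it reaches a user is a matter of inspecting the package. This is an added example for this section, not code from the lecture; the sample packages it builds are minimal constructed stand-ins, not real Word files, and the detection keys only on the vbaProject part and its content type.

```python
import io
import zipfile

# Part name and content type that carry a VBA project in OOXML packages.
MACRO_PART_NAMES = ("vbaProject.bin",)
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def inspect_ooxml(data):
    """Describe whether an OOXML package (bytes) carries a VBA project.

    Returns a dict so callers can log both indicators separately: a
    vbaProject part present in the zip, and the content type declared for it.
    """
    result = {"is_zip": False, "macro_parts": [], "declares_vba_content_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not a zip, so not an OOXML document at all
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["macro_parts"] = [n for n in names if n.split("/")[-1] in MACRO_PART_NAMES]
        if "[Content_Types].xml" in names:
            result["declares_vba_content_type"] = MACRO_CONTENT_TYPE in z.read("[Content_Types].xml")
    return result


def has_macros(data):
    """True if either indicator fires; a mismatch between the two is itself
    worth flagging, since a well-formed document declares what it contains."""
    r = inspect_ooxml(data)
    return bool(r["macro_parts"]) or r["declares_vba_content_type"]


def make_sample(with_macro):
    """Constructed minimal OOXML-like package for the demonstration.

    Real .docm files additionally use a macro-enabled main-part content type;
    this stand-in only models the vbaProject part and its declaration.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = [
            '<?xml version="1.0"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Placeholder body: OLE2 magic followed by zeros, not a real project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, inspect_ooxml(make_sample(flag)))
```

A mail gateway or upload handler can apply `has_macros` to every attachment and quarantine or strip anything that declares a VBA project; the older binary formats (.doc, .xls) are OLE compound files rather than zips and need a different parser.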
Virus Completely Replacing a Program.

The virus can supplant T by altering the sequence that would have invoked T to now invoke the virus V; this invocation can be used to replace parts of the resident operating system by modifying pointers to those resident parts, such as the table of handlers for different kinds of interrupts.
Homes for Viruses

The virus writer may find these qualities appealing in a virus:
● It is hard to detect.
● It is not easily destroyed or deactivated.
● It spreads infection widely.
● It can reinfect its home program or other programs.
● It is easy to create.
● It is machine independent and operating system independent.
One-Time Execution

The majority of viruses today execute only once, spreading their infection and causing their effect in that one execution. A virus often arrives as an e-mail attachment of a document virus. It is executed just by being opened.
Boot Sector Viruses

A special case of virus attachment, but formerly a fairly popular one, is the so-called boot sector virus. When a computer is started, control begins with firmware that determines which hardware components are present, tests them, and transfers control to an operating system.

A given hardware platform can run many different operating systems, so the operating system is not coded in firmware but is instead invoked dynamically, perhaps even by a user's choice, after the hardware test.

A boot sector virus is a type of virus that infects the boot sector of floppy disks or the Master Boot Record (MBR) of hard disks (some infect the boot sector of the hard disk instead of the MBR). The infected code runs when the system is booted from an infected disk, but once loaded it will infect other floppy disks when accessed in the infected computer. While boot sector viruses infect at a BIOS level, they use DOS commands to spread to other floppy disks.
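The MBR is a fixed 512-byte structure: 446 bytes of boot code, four 16-byte partition entries, and the `0x55AA` signature in the last two bytes. Because the layout is fixed, a defender can parse it and compare the boot-code region against a known-good digest, which is how a changed MBR is noticed before the firmware ever runs it. The parser below is an added example for this section, not code from the lecture; the sample sector it builds and the boot-code bytes in it are constructed.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # boot code occupies bytes 0..445
PART_TABLE_OFF = 446         # four partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Partition entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Parse a 512-byte MBR into signature check, boot-code digest, partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(_ENTRY_FMT, sector, off)
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, expected_boot_code_sha256):
    """Return a list of findings; an empty list means the MBR matches baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != expected_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition marked active")
    return findings


def build_sample_mbr(boot_code):
    """Constructed 512-byte MBR image with one active Linux (0x83) partition."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    entry = struct.pack(_ENTRY_FMT, 0x80, 0x83, 2048, 204800)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20)  # constructed bytes
    baseline = parse_mbr(good)["boot_code_sha256"]
    print(check_mbr(good, baseline))
    print(check_mbr(build_sample_mbr(b"\xeb\x3c" + b"\x00" * 8), baseline))
```

On a live system the sector would be read from the raw disk device with administrator rights; the baseline digest should be recorded after a clean install and kept off the machine, for the same reason as any integrity baseline.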
Memory-Resident Viruses

Some parts of the operating system and most user programs execute, terminate, and disappear, with their space in memory being available for anything executed later. For very frequently used parts of the operating system and for a few specialized user programs, it would take too long to reload the program each time it was needed. Such code remains in memory and is called "resident" code.

Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running. Each time the resident code runs, the virus does too. Once activated, the virus can look for and infect uninfected carriers.

For example, after activation, a boot sector virus might attach itself to a piece of resident code. Then, each time the virus was activated it might check whether any removable disk in a disk drive was infected and, if not, infect it. In this way the virus could spread its infection to all removable disks used during the computing session.
Other Homes for Viruses

A virus that does not take up residence in one of these cozy establishments has to fend more for itself. But that is not to say that the virus will go homeless.

One popular home for a virus is an application program. Many applications, such as word processors and spreadsheets, have a "macro" feature, by which a user can record a series of commands and repeat them with one invocation.

Such programs also provide a "startup macro" that is executed every time the application is executed. A virus writer can create a virus macro that adds itself to the startup directives for the application. It also then embeds a copy of itself in data files so that the infection spreads to anyone receiving one or more of those files.
Virus Signatures

A virus cannot be completely invisible. Code must be stored somewhere, and the code must be in memory to execute. Moreover, the virus executes in a particular way, using certain methods to spread.

Each of these characteristics yields a telltale pattern, called a signature, that can be found by a program that knows to look for it. The virus's signature is important for creating a program, called a virus scanner, that can automatically detect and, in some cases, remove viruses.

The scanner searches memory and long-term storage, monitoring execution and watching for the telltale signatures of viruses. For example, a scanner looking for signs of the Code Red worm can look for a pattern containing the following characters:
Storage Patterns

Most viruses attach to programs that are stored on media such as disks. The attached virus piece is invariant, so that the start of the virus code becomes a detectable signature. The attached piece is always located at the same position relative to its attached file.

In the simplest case, the virus code sits at the top of the program, and the entire virus does its malicious duty before the normal code is invoked. In other cases, the virus infection consists of only a handful of instructions that point or jump to other, more detailed instructions elsewhere.

For example, the infected code may consist of condition testing and a jump or call to a separate virus module. In either case, the code to which control is transferred will also have a recognizable pattern.
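A storage-pattern scanner turns the two observations above into two kinds of signature: a byte pattern pinned to a fixed offset (the virus that always sits at the top of its host) and a pattern that may occur anywhere, with wildcard bytes for the parts that vary between hosts (the short stub that calls a separate module). The code below is an added example for the Virus Signatures and Storage Patterns sections, not code from the lecture; the signature entries and the sample "program" bytes are constructed for the demonstration and are not real virus signatures.

```python
import re

# Constructed signature database (not real virus signatures).
#   pattern : bytes to match (a regex over bytes when "regex" is True)
#   offset  : None = may appear anywhere; int = must start exactly here,
#             the storage pattern of a virus that always sits at the same
#             place relative to its host file
SIGNATURES = [
    {"name": "Sample.Prepend", "pattern": b"\xeb\x10\x90\x90SIG1", "offset": 0},
    # Fixed opcode bytes with a 4-byte wildcard for a value that varies
    # between hosts (e.g. a call target), as in a stub that jumps elsewhere.
    {"name": "Sample.Stub", "pattern": rb"\xe8.{4}\x5d\x81\xedSIG2", "offset": None, "regex": True},
]


def compile_signatures(sigs):
    """Compile each signature once; plain byte patterns are regex-escaped."""
    compiled = []
    for s in sigs:
        pat = s["pattern"] if s.get("regex") else re.escape(s["pattern"])
        compiled.append((s["name"], re.compile(pat, re.DOTALL), s.get("offset")))
    return compiled


def scan_bytes(data, compiled):
    """Return [(signature name, byte offset)] for every hit in data."""
    hits = []
    for name, rx, offset in compiled:
        if offset is None:
            hits.extend((name, m.start()) for m in rx.finditer(data))
        else:
            # Pattern.match(data, pos) anchors the match at exactly pos.
            if rx.match(data, offset):
                hits.append((name, offset))
    return hits


def scan_file(path, compiled):
    with open(path, "rb") as f:
        return scan_bytes(f.read(), compiled)


# Constructed sample "files" (not real executables).
CLEAN = b"MZ" + b"\x00" * 60 + b"normal program body"
WITH_PREFIX = b"\xeb\x10\x90\x90SIG1" + CLEAN
WITH_STUB = CLEAN[:30] + b"\xe8\x12\x34\x56\x78\x5d\x81\xedSIG2" + CLEAN[30:]


if __name__ == "__main__":
    db = compile_signatures(SIGNATURES)
    for label, sample in (("clean", CLEAN), ("prefix", WITH_PREFIX), ("stub", WITH_STUB)):
        print(label, scan_bytes(sample, db))
```

The offset-pinned form is cheap and precise but only catches the simplest attachment; the wildcard form costs a full pass over the file and is what lets one entry cover many hosts of the same virus.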
Execution Patterns

A virus writer may want a virus to do several things at the same time, namely, spread infection, avoid detection, and cause harm. Unfortunately, many of these behaviors are perfectly normal and might otherwise go undetected.

For instance, one goal is modifying the file directory; many normal programs create files, delete files, and write to storage media. Thus, there are no key signals that point to the presence of a virus.
