Analysing Viruses
From SecuriWiki
by sisi Zhou
The computer virus is a newcomer that arrived with the development of computer science. It was first written as a joke program to destroy other people’s programs at MIT in the 1960s, but because it causes great damage to computer operating systems and a great deal of economic loss, people regard it as the most dangerous kind of program, one that must be defended against. Because this type of program behaves in the same way as a biological virus, we call it a “virus”. In common parlance, the term virus is often extended to refer to “worms”, “Trojan horses”, “macros”, “backdoors”, “hackers”, “spyware”, “adware”, “jokes”, “hoaxes” and other sorts of malicious software, or “malware”. The predominant negative effect of viruses is their uncontrolled self-reproduction, which wastes or overwhelms computer resources and disrupts people’s normal work. Today, with the growth of networks, viruses have become a great scourge on the web because of the speed at which they spread. Even so, scientists have developed many useful methods and tools to defend against viruses. It will be an endless war between viruses and virus defense.
What is a computer virus?
The computer virus is formally defined as:
A program that can “infect” other programs by modifying them to include a possibly evolved copy of itself. [1]
The virus additionally modifies the host so that when the computer begins execution of the host program, control is passed to the virus code. When the virus code is run, it rapidly searches for a new host into which it can copy its code. Although appearing complex, the flow control in the infected case is:
* Computer tries to execute the host program
* Modified host causes virus code to be run
* Virus runs and multiplies by infecting new files
* Virus returns control to the host
* Host appears to run normally [2]
Computer viruses are contagious in that, for a computer to become infected, one of three possible conditions must exist:
1. the computer must be in direct communications contact with an infected machine
2. the computer must have read an exchangeable floppy disc which was written to by an infected machine
3. the computer must have been directly infected by the programmer who created the virus [1]
The infection spreads at a geometric rate, especially on the web today. In a computer network, if one of the machines is infected with a virus then all other machines on the network are vulnerable: because files can be copied across the network, infected files can carry parasitic viruses with them. Computer viruses reduce the performance and availability of computer systems, and consume valuable skilled manpower in their prevention and cure. Some of the more vicious viruses may destroy data or even render the system unusable.
History of Viruses
The earliest self-replicating programs were probably the mainframe “rabbits”, normally written in command languages, which rapidly created clones of themselves and caused severe degradation of system performance. The first incident that may be called an epidemic of “a computer virus” happened on the Univac 1108 system: a virus named “Pervading Animal” merged itself onto the end of executable files. During the 1970s the concept of a self-replicating program continued to interest hackers. “Creeper”, created under the Tenex operating system, used global computer networks to spread itself; “Reaper”, the first known anti-virus program, was then created to fight “Creeper”. The 1980s began with the first true virus: a bootable virus called “Elk Cloner”, written by Rich Skrenta in 1982, started an epidemic on Apple II computers, spreading by floppy disk. In 1986 the first IBM PC virus, “Brain”, which was also the first stealth virus, was written by two brothers, Basit and Amjad Farooq Alvi, who put their name, address and telephone number in the Brain virus boot sector. In the 1990s the computer virus population grew continuously, and various kinds of viruses appeared, such as “Chameleon”, “Murphy”, “Nomenclatura”, “Beast”, “Frodo”, “Whale”, “Michelangelo”, etc. In the mid-1990s macro viruses became common; most are written in the scripting languages of Microsoft programs such as Word and Excel, and they spread in Microsoft Office by infecting documents and spreadsheets. Now viruses are becoming more and more diverse, and most of them spread by networks. The most famous viruses, like “ILOVEYOU”, “Sasser”, “Stages”, “Worm.net.sky”, “Anna Kournikova”, “Slammer” and so on, all spread by networks. As time goes on, more new viruses will come out, and we cannot hesitate to defend against them.
Types of viruses
There are almost 200 thousand kinds of viruses in the world. They can be divided into two types, nonresident viruses and resident viruses, on the basis of their behaviour when executed; or they can be divided according to the area of the computer they infect.
Nonresident viruses
Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Such a virus can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect; for each new executable file it encounters, it calls the replication module to infect that file. Unlike resident viruses, nonresident infectors do not use TSR (terminate-and-stay-resident) programs to remain active in the computer’s memory, and they have a much shorter activation time. This can make nonresident viruses harder for the user and for some anti-viral utilities to detect, because the computer’s available memory is only reduced for a short time.
For simple viruses the replicator's task is to:
1. Open the new file
2. Check if the executable file has already been infected (if it is, return to the finder module)
3. Append the virus code to the executable file
4. Save the executable's starting point
5. Change the executable's starting point so that it points to the start location of the newly copied virus code
6. Save the old start location in the virus in such a way that the virus branches to that location right after its execution
7. Save the changes to the executable file
8. Close the infected file
9. Return to the finder so that it can find new files for the replicator to infect
Resident viruses
Instead of searching for hosts when started, a resident virus loads itself into memory on execution and then transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or by the operating system itself. This kind of virus loads the replication module into memory when it is executed and ensures that the module runs each time the operating system is called upon to perform a certain operation. In this way, the virus infects every suitable program that is executed on the computer.
Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible and rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down the computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently and to avoid detection by limiting their actions.
Boot viruses
Boot viruses are viruses which base themselves in the boot sector of a disc. In so doing, they can ensure that they are loaded and executed whenever the system is rebooted. Once loaded, these viruses usually stay resident in main memory, ready to infect any other discs attached to the system. Because they have to take on the responsibility for completing the loading of the system, they maintain a copy of the original boot block somewhere on the disc. To reduce the risk of detection, they need to maintain a pretence that the boot sector has not been tampered with, and the presence of the virus should be hidden from the casual observer as far as possible. To hide the viral code, the virus either places itself in sectors taken from the free-sector chain and then transfers those sectors to the bad-sector chain, or formats an extra cylinder and writes the viral code into that new space, of which the operating system knows nothing.
This kind of virus does not affect files, but rather the disks that contain them. The detection of a boot virus is quite complex, especially if the viral code is hidden away in an “unofficial” cylinder. The best way of avoiding boot viruses is to ensure that floppy disks are write-protected and never to start your computer with an unknown floppy disk in the disk drive.
Examples: Disk Killer, Michelangelo, Polyboot.B, AntiEXE
File infectors
File infector viruses are also called “program viruses”. This type of virus infects programs or executable files. Unlike boot viruses, file infectors secrete themselves inside existing program files and are activated only when their host program is loaded and executed. The general principle of a file infector virus is to arrange for the viral code to be loaded and activated (usually in the form of a Terminate and Stay Resident (TSR) program) and then to load the “host” program. Most file infectors look for uninfected “.COM”, “.BIN”, “.OVL”, “.DRV”, “.SYS” and “.EXE” files in the directories listed in the PATH variable or in standard directories like \DOS and \WIN on discs other than the current one. When one of these programs is run, directly or indirectly, the virus is activated, producing the damaging effects it is programmed to carry out. To make the viral code as unobtrusive as possible, it has several options: to overwrite part of the existing program with the viral code; to prepend or append the viral code to the host program; or to copy the actual program into a less visible part of the disc and replace the original program with the viral code.
In general, the decontamination of discs from file infectors, once they have been detected, is quite straightforward. It is merely a matter of replacing the infected programs with known clean copies. The most important aspect is to ensure that the clean copies are not inadvertently infected from the infected disc during the decontamination process.
Examples: Sunday, Cascade
Companion viruses
Companion viruses exploit the fact that the COMMAND.COM program searches the PATH directories up to three times looking for the program corresponding to the command invoked by the user. In the first pass COMMAND.COM looks for the file xxx.COM, in the second pass for xxx.EXE, and in the third pass for xxx.BAT. The virus effects its infection by giving itself the “.COM” name of a file which exists as a “.EXE” or “.BAT” version in one of the PATH directories. Thus when the command xxx is invoked, the virus code is executed. So as to allay any suspicion on the part of the user, once it has finished its own work it attempts to load the genuine program over itself and execute it. In other words, in order to carry out their infection routines, companion viruses can either wait in memory until a program is run or act immediately by making copies of themselves.
Companion viruses are quite difficult to detect as they look like any other “.COM” program. The only clue is the co-existence of a “xxx.COM” file and a “xxx.EXE” file, possibly in different directories. Currently, there are very few utilities which even look for any evidence of this form of attack.
Examples: Stator, Asimov.1539, Terrax.1069
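The clue described above, a “xxx.COM” sitting beside a “xxx.EXE” or “xxx.BAT” somewhere in the PATH, can be checked for directly. The following is an added example, not code from the wiki page; it walks a list of PATH directories (here a constructed throwaway tree) and reports every such pair, giving the .COM precedence in PATH order just as the three-pass COMMAND.COM search does.

```python
import os
import tempfile


def find_companion_pairs(path_dirs):
    """Return sorted (com_path, other_path) pairs where one base name exists as
    .COM and also as .EXE or .BAT in any of the PATH directories. Matching is
    case-insensitive, as DOS file names are. The .COM is the one COMMAND.COM
    would run first, so each pair deserves a second look."""
    coms = {}    # base name -> path of the first .COM found in PATH order
    others = {}  # base name -> paths of .EXE/.BAT files with that name
    for d in path_dirs:
        if not os.path.isdir(d):
            continue  # a PATH entry that does not exist is simply skipped
        for name in sorted(os.listdir(d)):
            base, ext = os.path.splitext(name.upper())
            full = os.path.join(d, name)
            if ext == ".COM":
                coms.setdefault(base, full)
            elif ext in (".EXE", ".BAT"):
                others.setdefault(base, []).append(full)
    return sorted((com, other) for base, com in coms.items()
                  for other in others.get(base, []))


def build_sample_tree():
    """Constructed PATH layout for the demonstration: EDIT.EXE in one directory
    shadowed by an EDIT.COM in another, plus two files that pair with nothing."""
    root = tempfile.mkdtemp()
    dirs = [os.path.join(root, "DOS"), os.path.join(root, "UTIL")]
    for d in dirs:
        os.mkdir(d)
    for rel in ("DOS/EDIT.EXE", "DOS/FORMAT.COM", "UTIL/EDIT.COM", "UTIL/ZIP.EXE"):
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(b"MZ" if rel.endswith(".EXE") else b"\xc3")
    return dirs


if __name__ == "__main__":
    for com, other in find_companion_pairs(build_sample_tree()):
        print("suspicious companion pair: %s shadows %s" % (com, other))
```

A reported pair is only a lead: a legitimate .COM/.EXE pair with the same name does exist on some systems, so each hit still needs a look at the .COM itself.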
Multipartite viruses
A multipartite virus is a hybrid of boot and program viruses. These advanced viruses can create multiple infections using several techniques. They infect program files, and when the infected program is executed they infect the boot record. The next time the computer is booted, the virus from the boot record loads into memory and then starts infecting other program files on disk. Their objective is to attack any element that can be infected: files, programs, macros, disks, etc. They are therefore considered fairly dangerous because of their capacity to combine different infection techniques.
Examples: Invader, Flip, Tequila, Ywinz
Stealth viruses
A stealth virus is a computer virus that uses various mechanisms to avoid detection. Typically, when it is active, it hides itself in memory and uses various tricks to hide the changes it has made to any files or boot records. The virus may maintain a copy of the original, uninfected data and monitor system activity. It does this by taking over the system functions which read files or system sectors; when some other program requests information from portions of the disk the virus has changed, the virus reports back the correct (unchanged) information instead of what is really there (the virus). To do this, however, the virus must be resident in memory and active.
Examples: Frodo, Joshi, Whale
Polymorphic viruses
The goal of this kind of virus is to confound virus-scanning programs. It is more difficult to detect because each copy of the virus looks different from the others. To achieve this, polymorphic viruses encrypt their code in different ways (using different algorithms and encryption keys) so that it appears different each time it infects. The virus then decrypts itself so as to be able to spread through the computer.
Examples: Involuntary, Evil, Cascade, Phoenix
Macro viruses
A macro virus is a newer type of computer virus that infects the macros within a document or template. Such documents include Word documents, Excel spreadsheets, PowerPoint presentations, Access databases, Corel Draw files, etc. A macro is a small program that a user can associate with a file created by certain applications. These mini-programs make it possible to automate a series of operations so that they are performed as a single action, saving the user from having to carry them out one by one. When a document containing macros is opened, the macro virus is activated: it is loaded automatically and may be executed immediately, infecting the normal template. Every opened document refers to the normal template, and hence becomes infected with the macro virus. Since this virus attaches itself to documents, the infection spreads when such documents are opened on other computers.
Examples: Melissa.A, DMV, Relax
Some famous viruses
Although there are many viruses, they can all be defined as follows:
Backdoor
A software feature programmed by the original designer which will permit him to carry out operations denied to normal users of the software
Chain letter
A program encapsulated within an electronic mail message which, when run, will send copies of itself to a number of users by electronic mail. The “CHRISTMA EXEC” virus consisted of an “EXEC” file embedded in an e-mail message; when run it output an ASCII Christmas tree to the screen and at the same time read the user’s “NAMES” and “NETLOG” files for the e-mail addresses of any accounts that the user had received mail from or sent mail to.
Logic bomb
Malicious code incorporated within a program which will activate when a particular set of circumstances exists
Rabbit
A program designed to exhaust some resource within the system by its unchecked replication
Time bomb
A logic bomb timed to activate on particular “activation” dates. The “Jerusalem” virus, known as “Friday the 13th”, would wait until a Friday the 13th occurred and then delete files.
Trap door
A trap door is normally added by a hacker and will permit later privileged access to a computer system without the use of valid authentication codes or passwords. It is a form of back door.
Trojan horse
Any program which includes code designed to carry out functions not intended by the user running the program, or advertised in the system documentation. This includes the incorporation of logic bombs or benign hidden code.
Trojan mule
A program which will emulate some aspect of the system’s standard behaviour, such as the login prompt, with a view to collecting system passwords or authentication codes.
Virus
A program that can infect other programs by modifying them to include a possibly evolved copy of itself.
Worm
A program that spreads copies of itself via network connections to other computer systems. Unlike a virus, a worm does not require a host program but is a stand-alone executable program. The “Love Letter” worm appeared in the year 2000; the viral code was written in VB and was carried in the header of an attached MS Office document named LOVE-LETTER-FOR-YOU.TXT.VBS. Within one week this virus had spread to nearly 1000 sites and may have affected nearly half a million individual computer systems.
Defense against viruses
Obviously, prevention is better than cure. The defense against computer viruses needs to be considered under two headings: precautions against infection in the first place, and how to get rid of an infection once it has occurred.
Anti-viral software
There are three methods in general use, and a given anti-virus software program will use some combination of the three techniques to maximise the likelihood of detection.
Scanning
Scanning looks for known viruses by a signature, or by characteristics that make new viruses similar to existing ones. The scanner uses virus signature strings to search memory, files and system sectors; if it finds a match, it announces that it has found a virus. Because the signature database must be kept up to date, this technique is only suitable for use against known viruses and against a system which has already been infected; it cannot prevent an infection. Despite these drawbacks, scanning software is perhaps the most useful of the viral detection techniques. The major advantage of scanners is that they allow you to check programs before they are executed. Scanners provide the easiest way to check new software for known or suspected viruses.
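As an added illustration of the scanning technique (this is not code from the page), the following minimal scanner matches hex signatures, in which “??” stands for any one byte, against a memory image or file. The signatures and sample images are constructed for the demonstration and match no real virus; the last sample shows the limitation described above, a variant that differs in one fixed byte and is therefore not detected.

```python
import re

# Constructed signature database for the demonstration (these patterns match no
# real virus): name -> hex bytes, where "??" stands for any single byte.
SIGNATURES = {
    "Demo.Append": "E8 00 00 5D 81 ED ?? ?? B4 4C",
    "Demo.Overwrite": "B4 09 BA ?? ?? CD 21 CD 20",
}


def compile_signature(hex_pattern):
    """Turn 'E8 00 ?? 5D' into a compiled bytes regex; '??' becomes '.' and
    DOTALL makes '.' match a 0x0A byte as well."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_bytes(data):
    """Return (signature name, offset) for every match in a memory image,
    file or sector buffer."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return hits


def scan_file(path):
    """Scan one file on disk; the caller decides what to do with the hits."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed samples: a clean program image, two copies carrying Demo.Append
# with the wildcard bytes filled differently, and an unknown variant that
# differs in one fixed byte and therefore slips past the scanner.
CLEAN = b"MZ" + b"\x00" * 64 + b"Hello, world$"
INFECTED_A = CLEAN + bytes.fromhex("E800005D81ED0301B44C")
INFECTED_B = CLEAN + bytes.fromhex("E800005D81ED1002B44C")
UNKNOWN_VARIANT = CLEAN + bytes.fromhex("E800005D81ED0301B44D")

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("A", INFECTED_A), ("B", INFECTED_B),
                       ("variant", UNKNOWN_VARIANT)):
        print(label, scan_bytes(img))
```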
Integrity checking
Integrity products record information about the system for later comparison in order to detect changes. Just detecting changes is not enough, however; the detection must have some "intelligence" behind it to avoid confusion. Integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors. It is the only solution that can handle all the threats to data as well as viruses, and it also provides the only reliable way to discover what damage a virus has done. The main problem with such software is that it cannot differentiate file corruption caused by a bug from corruption caused by a virus. Advanced integrity checkers which incorporate the capability to analyze the nature of the changes and recognize those caused by a virus have, however, become available.
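The following added example (not the page’s own code) shows the integrity-checking idea in miniature: a baseline of SHA-256, size and timestamp per file, a later comparison, and one piece of the “intelligence” the text asks for, namely that an executable which grew while keeping its old timestamp is reported as suspicious rather than as an ordinary edit. The directory tree and the changes made to it are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Extensions treated as executables for the "suspicious change" rule below.
EXEC_EXTS = (".COM", ".EXE", ".SYS", ".DRV", ".OVL", ".BIN")


def file_record(path):
    """Hash the file in chunks and keep its size and mtime (ns) alongside."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": st.st_mtime_ns}


def take_baseline(root):
    """Map every file under root (path relative to root) to its record."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(root, baseline):
    """Classify each difference between the baseline and the disk now. An
    executable that grew while keeping its old timestamp is reported as
    suspicious rather than as an ordinary edit."""
    current = take_baseline(root)
    report = {"suspicious": [], "modified": [], "missing": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            is_exec = rel.upper().endswith(EXEC_EXTS)
            stealthy = new["size"] > old["size"] and new["mtime"] == old["mtime"]
            report["suspicious" if is_exec and stealthy else "modified"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed scenario: take a baseline, then append to PROG.EXE with its
    timestamp put back, edit DATA.TXT normally, and create NEW.COM."""
    root = tempfile.mkdtemp()
    for name, data in (("PROG.EXE", b"MZ" + b"\x00" * 100), ("DATA.TXT", b"hi")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = take_baseline(root)
    prog = os.path.join(root, "PROG.EXE")
    st = os.stat(prog)
    with open(prog, "ab") as f:
        f.write(b"\x90" * 40)  # bytes appended to the executable
    os.utime(prog, ns=(st.st_atime_ns, st.st_mtime_ns))  # old timestamp restored
    with open(os.path.join(root, "DATA.TXT"), "wb") as f:
        f.write(b"hello")  # ordinary user edit
    with open(os.path.join(root, "NEW.COM"), "wb") as f:
        f.write(b"\xc3")  # a file that was not in the baseline
    return compare(root, baseline)
```

The baseline must itself be stored somewhere the checked system cannot alter (a write-protected disc, in the page’s terms), otherwise a resident virus could simply update it.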
Interception
Monitoring for system-level routines that perform destructive acts can help. By monitoring interactions between software and the system, an interceptor can warn against, or even prevent, suspicious activity. Interceptors (also known as resident monitors) are particularly useful for deflecting logic bombs and Trojans. The interceptor monitors operating system requests that write to disk or do other things that the program considers threatening. If it finds such a request, the interceptor generally pops up and asks you whether you want to allow the request to continue. There is, however, no reliable way to intercept direct branches into low-level code or to intercept direct input and output instructions issued by the virus itself.
Anti-viral precautions
The following precautions will materially reduce the risk of infection:
1. make frequent and regular backups of all vital program and data files. The uninfected backups will form the basis of any recovery procedure.
2. write-protect any disc which does not have to be written to.
3. set up a quarantine machine which has no hard disc, for the sole purpose of checking and decontaminating imported discs using appropriate virus scanning and decontamination software.
4. treat all imported discs with the maximum of suspicion.
5. where possible, discs created by the mechanism described above should be scrutinized for viruses by an expert or a trusted proprietary virus detection program.
Anti-virus Software
- Avast
- AntiVir PersonalEdition
- F-Secure Anti-Virus
- Kaspersky Anti-Virus
- Command Antivirus
- McAfee VirusScan
- MIMESweeper
- Norman Virus Control
- Norton AntiVirus
- Panda Antivirus
- Sophos
- Trend PC-cillin
References:
BOOKS:
[1] An information security handbook / John M.D. Hunter / London; New York: Springer, 2001 / ISBN: 1-85233-180-1 / Chapter 12
[2] A pathology of computer viruses / David Ferbrache / London; New York: Springer-Verlag, c1992 / ISBN: 3-540-19610-2
[3] A short course on computer viruses / by Frederick B. Cohen / 2nd ed / New York : Wiley, 1994 / ISBN: 0-471-00768-4
[4] Security in computing / Charles P. Pfleeger / 2nd ed / Upper Saddle River, NJ : Prentice Hall PTR, c1997 / ISBN: 0-13-798943-1