
December 27, 2004

A short introduction to computer viruses (-virii)

Definition

A computer virus is a program that multiplies itself, just like a biological virus. That’s the basic definition, but the common use of the word is a little more biased:
A computer virus is a malicious piece of code written with the intention to harm as many systems as possible. Which definition one prefers is rather a philosophical decision.

Architecture

All viruses are built from the same components (note that all but the first one are optional):

  1. Replication code: Spreads the virus to other files, diskettes, systems, etc. Also contains a selection routine that determines which target is chosen next.
  2. Avoid-detection code: Hides the virus from simple pattern scanners by changing its code with every replication (see Polymorphic virus).
  3. Action code: Triggered by a certain event (e.g. a special date). Can be harmful (e.g. deleting data) or just a gag screen ("give me a cookie").

The virus types

Boot virus

This type of virus resides in the boot sector of diskettes or hard disks. As these sectors are read at a very early stage of the boot process, the virus is already memory-resident before any antivirus software can be active. These viruses are spread by booting a clean system from an infected device. Protection: Do not boot from untrusted disks. Disinfection: On DOS-based systems "fdisk /mbr" rewrites the master boot record and thus overwrites the virus.

File virus

Executable files (.COM, .EXE, .SYS) were the original targets of this virus type; Windows has extended the list with .DLL, .SCR, …. When a file is infected, the virus replaces the original file-loading code with its own, with the result that the virus is executed before the actual program. Protection: Do not execute untrusted programs. Disinfection: Only with antivirus software (not always possible, since sometimes original program data is lost).

Macro virus

Modern office suites like Microsoft Office offer powerful macro languages. This macro code can be embedded into documents, making them ideal hosts for computer viruses. Protection: Do not open untrusted documents; disable auto-execution or all macro functions. Disinfection: With antivirus software, or by copying and pasting the document content into a clean document.

Trojan horses

As in ancient Troy, things are not always what they seem. A program that offers some nice function may do some nasty things in the background. Often these programs promise something unrealistic, like doubling the processor speed. Protection: Do not execute untrusted programs; download only from trusted organisations. Disinfection: Just delete the program.

Backdoor programs

These programs are similar to Trojan horses, since they do not hook into any other program either. When active, a backdoor program enables a hacker to access the infected machine over a network. This access may range from just reading some files (or passwords) to full control of the system. A well-known backdoor program is Back Orifice. Protection: Do not execute untrusted programs. Disinfection: Delete the program (may be tricky; antivirus software may be of help).

Worms / email viruses

These viruses replicate over networks (mostly via email). Some worms use bugs in the operating system or mail program, but most rely on user interaction (the Loveletter virus, for example, required the user to execute the attached Visual Basic script). Protection: Do not execute untrusted email attachments, do not use HTML mail, disable potential security risks like VBS, apply the latest security patches to the OS and mail program, and set up your system to show the extensions of known file types. Disinfection: Delete the email / program (may be tricky; antivirus software may be of help).
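The advice to show extensions of known file types exists because a system that hides them displays an attachment such as "photos.jpg.vbs" as "photos.jpg", and the user double-clicks a script believing it is a picture. The following is an added example, not code from the original post: a small attachment classifier that reproduces the hidden-extension display and flags attachments whose last extension is executable, including the disguised double-extension case. The extension lists and the sample filenames are constructed for this example and are deliberately not exhaustive.

```python
import os
from dataclasses import dataclass

# Constructed lists for this example: extensions that the operating system or
# mail program would execute directly, and extensions users perceive as data.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
}
DATA_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".xls", ".pdf", ".mp3"}


@dataclass
class Verdict:
    filename: str   # the real attachment name
    shown_as: str   # what a system that hides known extensions would display
    risky: bool     # True if the attachment would run code when opened
    reason: str


def displayed_name(filename: str) -> str:
    """Mimic 'hide extensions for known file types': the last extension is
    dropped from the display if it belongs to a known type."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTENSIONS | DATA_EXTENSIONS:
        return stem
    return filename


def classify_attachment(filename: str) -> Verdict:
    """Decide whether an attachment would execute code if the user opens it.
    Only the *last* extension matters to the operating system; everything
    before it is just part of the name."""
    name = filename.strip()
    stem, last = os.path.splitext(name)
    last = last.lower()
    inner = os.path.splitext(stem)[1].lower()
    shown = displayed_name(name)

    if last in EXECUTABLE_EXTENSIONS:
        if inner in DATA_EXTENSIONS:
            # Double extension: looks like a data file once the real
            # extension is hidden, but the OS runs it as a program/script.
            return Verdict(name, shown, True,
                           f"executable {last} disguised as a {inner} file")
        return Verdict(name, shown, True, f"executable attachment ({last})")

    # Not directly executable. Documents may still carry macros, so they are
    # untrusted until scanned, but they do not run as programs by themselves.
    return Verdict(name, shown, False, "not an executable type; scan before opening")


def risky_attachments(filenames: list[str]) -> list[str]:
    """Return the names of all attachments that would run code when opened."""
    return [f for f in filenames if classify_attachment(f).risky]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mail.
    for f in ["holiday-photos.jpg.vbs", "setup.exe", "report.doc", "notes.txt"]:
        v = classify_attachment(f)
        print(f"{v.filename:24} shown as {v.shown_as:20} risky={v.risky} ({v.reason})")
```

Note that the classifier looks at the final extension only, exactly as the operating system does; the display name is shown next to it so the reader can see how much the "hide extensions" setting conceals.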

Hoax

A warning about a virus that doesn’t exist is called a hoax. The warning itself is the virus. These warnings, mostly in the form of emails, contain horrible descriptions of what the virus will do to your system and often quote big companies like IBM or Microsoft confirming that the virus is really bad. There are also other hoaxes or chain letters that refer to other invented stories – they all advise you strongly to forward the mail to everyone in your address book. The damage done by these mails is hard to measure, but they consume expensive bandwidth on our always-slow network connections. Protection: Tell your email buddies not to forward any virus warnings – at work it is the duty of your system administrator to warn the employees of possible dangers. Use your common sense. Disinfection: Delete the email and do not forward it.

Polymorphic virus

Some viruses try to avoid detection by antivirus software by changing their code with every replication. Luckily this only fools very simple pattern scanners. This trick may be used by every type of virus (so no special protection or disinfection tips here).

Remarks

  • "Untrusted" refers to files or disks that were downloaded from servers where you cannot be sure of the trustworthiness of the operator, that were sent to you without request and were not checked with an up-to-date antivirus software.
  • Always use your common sense – information is the best protection against computerviruses.
  • A recent backups of your data are essential for every serious computer user, too (not only viruses can harm your system).
  • Keep your antivirus software up-to-date.
  • Disable possible security risks, like VBS or the macro features of your software, and enable them only if you explicitly need them.
  • Change the boot sequence to boot from the hard disk first.
  • If you have discovered a virus on your system remain calm, do not exchange data with other systems any more. Try to identify the virus and take appropriate actions. Upon disinfection scan all possibly infected media. Warn all people you recently exchanged data with, especially the source of the infection. At work contact your system administrator or designated virus-institution.

Antivirus software

Always protect your system with up-to-date antivirus software. It is also advisable to have a boot disk with antivirus software that runs from it at hand, in case your system cannot start after a virus attack. The system has to be scanned regularly, as well.

There are different ways for antivirus software to discover an infection:

  • Pattern scan: identify the virus by a typical code signature – can be tricked by a polymorphic virus.
  • Heuristic scan: search for code patterns typical of virus-like activities – may produce false alarms when scanning low-level system utilities.
  • Checksum scan: monitor file changes – since executables shouldn’t change, a change would indicate an infection.
  • Background scan: monitor the system for virus-like activities and scan every file that is created, opened or executed – may decrease system performance.
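To make the first and third technique concrete, here is an added example (not code from the original post or from any antivirus product) that implements a minimal pattern scan and a checksum scan side by side and runs them over constructed files in a temporary directory. The signature bytes, file names and file contents are all made up for this example; a real scanner carries a database of thousands of signatures. The run shows the point made above: a file whose bytes no longer match the signature slips past the pattern scan, but the checksum scan still reports that an executable changed.

```python
from __future__ import annotations

import hashlib
import os
import tempfile

# Constructed signature database for this example: a name and the byte
# sequence that "identifies" it. Not a real virus signature.
SIGNATURES: dict[str, bytes] = {
    "EXAMPLE-VIRUS-A": b"\xEB\x10\x90\x90DEMO-SIG",
}


def pattern_scan(path: str) -> list[str]:
    """Pattern scan: return the names of all signatures found in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, sig in SIGNATURES.items() if sig in data]


def file_digest(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory: str) -> dict[str, str]:
    """Checksum scan, step 1: record one digest per file on a clean system."""
    baseline: dict[str, str] = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, directory)] = file_digest(full)
    return baseline


def checksum_scan(directory: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Checksum scan, step 2: compare the directory against the baseline.
    Executables should never change, so any 'modified' entry is suspicious
    even when no signature matched."""
    current = build_baseline(directory)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Run both scans over constructed files and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "PROGRAM.COM")
        tool = os.path.join(d, "TOOL.EXE")
        with open(prog, "wb") as fh:          # constructed "clean" program
            fh.write(b"\xB4\x09\xCD\x21" + b"hello " * 10)
        with open(tool, "wb") as fh:          # constructed "clean" program
            fh.write(b"MZ" + b"\x00" * 64)
        with open(os.path.join(d, "README.TXT"), "wb") as fh:
            fh.write(b"just text")

        baseline = build_baseline(d)          # taken while everything is clean
        clean_hits = pattern_scan(prog)

        # Constructed change 1: PROGRAM.COM now contains the known signature.
        with open(prog, "ab") as fh:
            fh.write(SIGNATURES["EXAMPLE-VIRUS-A"])
        # Constructed change 2: TOOL.EXE changed too, but with bytes that match
        # no signature (standing in for a variant the database does not know).
        with open(tool, "ab") as fh:
            fh.write(b"\x90\x90\xEB\x10VARIANT")

        return {
            "pattern_hits_clean": clean_hits,
            "pattern_hits_program": pattern_scan(prog),
            "pattern_hits_tool": pattern_scan(tool),
            "checksum": checksum_scan(d, baseline),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline must be taken on a system known to be clean and stored where the virus cannot alter it (the boot disk mentioned above is one place); otherwise an infected file is simply recorded as the new "normal". Legitimate updates also change executables, so a checksum scanner reports them too, which is why the result is a list to investigate rather than a verdict.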

Since today almost every computer is connected to the internet, a personal firewall is advisable, too. These programs monitor the ports of your network connection (especially the well-known ports used by backdoor programs) and can prevent hackers from accessing your system.
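Whether or not a personal firewall is installed, the same question can be answered by hand: which ports is this machine offering to the network, and are all of them expected? The following added example (not part of the original post) parses a constructed listing in the layout of a netstat-style connection table and reports every listening port that is not on an allowlist. The allowlist, the sample lines and the port numbers in them are made up for this example; on a real system the listing would come from the operating system's own tool, and each reported port is something to investigate, since a backdoor program shows up as exactly such an unexplained listener.

```python
from __future__ import annotations

# Constructed allowlist: the services this machine is supposed to offer.
EXPECTED_LISTENERS: set[tuple[str, int]] = {
    ("tcp", 22),    # remote administration
    ("tcp", 80),    # web server
    ("udp", 137),   # name service
}

# Constructed sample in the layout of a netstat-style table (not real output).
SAMPLE_LISTING = """\
Proto  Local Address      Foreign Address    State
tcp    0.0.0.0:22         0.0.0.0:*          LISTENING
tcp    0.0.0.0:80         0.0.0.0:*          LISTENING
tcp    0.0.0.0:12345      0.0.0.0:*          LISTENING
tcp    192.168.1.5:80     10.0.0.7:51234     ESTABLISHED
udp    0.0.0.0:137        *:*
"""


def parse_listeners(listing: str) -> list[tuple[str, int]]:
    """Extract (protocol, port) for every socket that waits for connections.
    TCP sockets are listeners when their state says so; UDP has no state, so
    a UDP socket with a wildcard foreign address counts as listening."""
    listeners: list[tuple[str, int]] = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].lower() not in ("tcp", "udp"):
            continue                      # header or unrelated line
        proto, local, foreign = fields[0].lower(), fields[1], fields[2]
        state = fields[3].upper() if len(fields) > 3 else ""
        port = int(local.rsplit(":", 1)[1])
        if proto == "tcp" and state == "LISTENING":
            listeners.append((proto, port))
        elif proto == "udp" and foreign == "*:*":
            listeners.append((proto, port))
    return listeners


def unexpected_listeners(listing: str) -> list[tuple[str, int]]:
    """Listening sockets that are not on the allowlist, sorted for reporting."""
    return sorted(set(parse_listeners(listing)) - EXPECTED_LISTENERS)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_LISTING):
        print(f"unexpected listener: {proto}/{port} - find out which program opened it")
```

Established connections are skipped on purpose: they are the machine talking to someone, while a listener is the machine waiting for anyone to talk to it, which is what a backdoor needs and what the firewall's port monitoring is meant to catch.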

Advertisement

For more information (in German) and links to free and commercial antivirus software visit ma-de.de.

Posted by marco at December 27, 2004 11:14 PM in Category
