December 13, 2013

3.1.2 Virus

Based on a Google definition, a biological virus is “an infective agent that typically consists of a nucleic acid molecule in a protein coat, is too small to be seen by light microscopy, and is able to multiply only within the living cells of a host.”

A biological virus introduced into a living cell can reproduce and corrupt and/or destroy cells in the host. A computer virus, as the name suggests, “infects” computers. It is software code written to perform surreptitious and often malicious activity on the system, and it is embedded (hidden) in a “host” program. When the host program is introduced into a computer system and run, the virus is activated and can cause harm by interfering with the normal operation of the system.

Merriam-Webster defines a computer virus nicely as – “a computer program that is usually hidden within another seemingly innocuous program and that produces copies of itself and inserts them into other programs and usually performs a malicious action (as destroying data)”.

Computer viruses, like their biological counterparts, copy themselves into other programs on the system. A virus lies dormant until the infected program is run or otherwise activated. Once activated, and depending on how it was programmed, the virus will:
  • self-replicate, by copying and attaching itself onto other programs
  • delete data and applications
  • alter/modify data, applications and/or configurations
  • mutate, i.e. change the way it works in order to go undetected
  • steal confidential information from the infected device
All viruses are harmful, including those with no destructive payload: even a “benign” virus modifies programs it was never given permission to touch, “infects” systems surreptitiously and consumes system resources. A destructive one corrupts or deletes data, alters configurations and can steal information.

A virus is a program that reproduces its own code by attaching itself to other executable files in such a way that the virus code is executed when the infected executable file is executed.

In biology, a vector is an organism that transmits infections from one host to another; a mosquito is a vector for diseases such as malaria. A computer virus cannot infect a computer on its own. It needs a vector to carry it from one host to another: executing an infected program, visiting an infected website, or simply copying an infected program from one host to another spreads the infection.

Virus developers take advantage of social engineering techniques, lax processes by software developers, administrators and users, and exploit bugs in programs to further spread their viruses.

Here are a few examples of virus types:
  • Parasitic Virus – infects an existing executable file. The host program keeps working, but its entry point is redirected so that the virus code runs first and then hands control back to the host, which is why the infection is not obvious to the user.
  • Boot Sector Virus – a boot sector (bootstrap) virus writes itself into the boot sector of the hard drive or the removable media a machine boots from. The boot sector is executed before the operating system starts, so the virus is loaded into memory on every boot, ahead of any protection the operating system provides.
  • Macro Virus – written in the macro or scripting language of the host application rather than as native code, for example VBA (Visual Basic for Applications) macros in a Microsoft Office document, or, for a web page, JavaScript embedded in an HTML document. It runs when the document is opened and the application is allowed to execute the embedded script.
  • Encrypted Virus – a detection-evasion mechanism. The virus has two parts: a small plaintext decryptor and an encrypted body that holds the business end of the virus. The body is re-encrypted with a different key in each infected file, so its bytes vary, but the decryptor itself stays constant from copy to copy and can be used as a scanner signature.
  • Polymorphic Virus – changes form each time it replicates, so there is no fixed byte sequence for anti-virus software to latch onto, and detection and removal are made more difficult. It is usually composed of two parts: a front-end and a body. The body is encrypted and the front-end contains the decryption code; the front-end is rewritten for each new copy (different registers, different instruction order, inserted junk instructions), which is what distinguishes it from a plain encrypted virus.
  • Metamorphic Virus – “body-polymorphic”: the body of the virus itself is rewritten each time it replicates, not just the decryptor. More difficult to write, and to detect, than a polymorphic virus. “Metamorphic viruses do not have a decryptor, or a constant virus body. However, they are able to create new generations that look different.”
  • Zero Day Virus – exploits a vulnerability unknown to the vendor and the public. The race to protection starts only after the virus has been identified; at that point the application vendor starts working on a fix for the vulnerability and anti-virus vendors on detection for the virus. Until then (“zero day”, i.e. the vendor has had zero days to respond) the attacker can exploit the system at will.
  • Blended Attacks – combine attack profiles from different kinds of malicious software (for example virus-style file infection with worm-style network propagation) and so require a “blended” approach to containment: anti-virus, firewall/IDS, and application and operating-system patching. Resolution calls for a multi-layered security solution.
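To see why the encrypted and polymorphic types above defeat a plain byte-signature scanner, and what a scanner has to do instead, here is an added example (not code from the original page). It models a decryptor as a few instructions in an invented assembly-like text notation, generates many “generations” of an encrypted virus (constant decryptor, fresh key per copy) and of a polymorphic one (decryptor rewritten each copy), and runs two scanners over them: a byte-signature scanner and one that emulates the decryptor far enough to recover the key and scan the decrypted body. The body bytes, instruction syntax, register names and signatures are all constructed for the demo; nothing is executed as machine code.

```python
"""Toy model: encrypted vs. polymorphic virus generations, signature vs. emulating scanner.

Added example, not code from the original page. The "decryptor" is text in an
invented assembly-like notation and is only parsed, never executed.
"""
import random

# Constructed payload standing in for the virus body (arbitrary bytes, never run).
BODY = b"copy self into other executables; alter configuration; exfiltrate data"
# What a scanner knows about the body: a fixed byte run from the plaintext.
BODY_SIGNATURE = b"copy self into other executables"
# The constant part of the decryptor an *encrypted* virus ships with every copy.
STUB_SIGNATURE = b"XOR [EDI],CL;INC EDI;DEC ECX;JNZ LOOP"
# Do-nothing filler a polymorphic engine sprinkles between real instructions.
JUNK = ["NOP", "ADD EBX,0", "XCHG EAX,EAX", "OR ESI,ESI"]


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_decryptor(key, key_reg="CL", ptr_reg="EDI", label="LOOP", delta=0, rng=None):
    """Emit a decryptor: load the key (optionally obfuscated as key+delta followed by
    SUB delta), then XOR the body in place. Instructions are ';'-separated text."""
    ins = [f"MOV {ptr_reg},BODY", f"MOV ECX,{len(BODY)}",
           f"MOV {key_reg},{(key + delta) % 256}"]
    if delta:
        ins.append(f"SUB {key_reg},{delta}")
    ins += [f"{label}:", f"XOR [{ptr_reg}],{key_reg}", f"INC {ptr_reg}",
            "DEC ECX", f"JNZ {label}"]
    if rng is not None:  # polymorphic engine: insert junk between instructions
        out = []
        for i in ins:
            if rng.random() < 0.5:
                out.append(rng.choice(JUNK))
            out.append(i)
        ins = out
    return ";".join(ins).encode("ascii")


def encrypted_generation(rng):
    """Encrypted virus: fresh key per copy, but the decryptor never changes."""
    key = rng.randrange(1, 256)
    return build_decryptor(key) + b"|" + xor(BODY, key)


def polymorphic_generation(rng):
    """Polymorphic virus: same effect, but registers, label, key encoding and junk vary."""
    key = rng.randrange(1, 256)
    stub = build_decryptor(key,
                           key_reg=rng.choice(["CL", "DL", "BL"]),
                           ptr_reg=rng.choice(["EDI", "ESI", "EDX"]),
                           label=f"L{rng.randrange(1000, 10000)}",
                           delta=rng.randrange(1, 256),
                           rng=rng)
    return stub + b"|" + xor(BODY, key)


def signature_scan(sample: bytes) -> bool:
    """Classic byte-signature scanner: looks for the constant decryptor bytes."""
    return STUB_SIGNATURE in sample


def emulating_scan(sample: bytes) -> bool:
    """Generic decryption: 'execute' the stub far enough to learn the key register and
    its value, decrypt the body, then apply the body signature to the plaintext."""
    stub, _, cipher = sample.partition(b"|")
    regs, key_reg = {}, None
    for ins in stub.decode("ascii").split(";"):
        op, _, args = ins.partition(" ")
        if op in ("MOV", "ADD", "SUB") and "," in args:
            reg, val = args.split(",", 1)
            if not val.isdigit():        # e.g. MOV EDI,BODY: not an immediate
                continue
            imm = int(val)
            if op == "MOV":
                regs[reg] = imm % 256
            elif op == "ADD":
                regs[reg] = (regs.get(reg, 0) + imm) % 256
            else:
                regs[reg] = (regs.get(reg, 0) - imm) % 256
        elif op == "XOR" and args.startswith("["):
            key_reg = args.split("],", 1)[1]   # XOR [ptr],keyreg -> keyreg
    if key_reg is None or key_reg not in regs:
        return False
    return BODY_SIGNATURE in xor(cipher, regs[key_reg])


def detection_rates(n=200, seed=1):
    """Run both scanners over n generations of each family; return hit counts."""
    rng = random.Random(seed)
    families = {"encrypted": encrypted_generation, "polymorphic": polymorphic_generation}
    scanners = {"signature": signature_scan, "emulation": emulating_scan}
    hits = {s: {f: 0 for f in families} for s in scanners}
    for fname, gen in families.items():
        for _ in range(n):
            sample = gen(rng)
            for sname, scan in scanners.items():
                hits[sname][fname] += scan(sample)
    return hits


if __name__ == "__main__":
    for scanner, by_family in detection_rates().items():
        print(scanner, by_family)
```

The signature scanner catches every encrypted-virus generation and no polymorphic one, because the only thing the polymorphic engine leaves constant is the behaviour of the decryptor, not its bytes. The emulating scanner catches both, which is why real anti-virus engines moved to emulation and heuristics for this class; a metamorphic virus, whose body also changes, is what takes the next step of removing the constant plaintext body that the emulating scanner still relies on.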
A core countermeasure is an anti-virus scanner that is updated regularly and applied to all storage devices and communication channels (local disks, removable media, e-mail and web downloads). It is equally important to educate users so as to minimize transmission vectors such as social engineering and the download and execution of infected software from websites and e-mail messages.

Effective virus infection countermeasures should take a multi-layered approach starting with taking precautions to prevent infections in the first place. When that does not work, the use of anti-virus software, keeping operating systems and applications up-to-date, and restoring from known-good backups is recommended.

Virus infection prevention and countermeasures include:
  • Use anti-virus software and keep it updated
  • Keep the operating system updated and patched
  • Patch application software regularly
  • Disable automatic execution of macros in documents
  • Take precautions when visiting websites and when opening e-mail messages with attachments
  • Keep known-good backups so that infected files can be restored rather than trusted
The best virus infection countermeasure is to take steps not to get infected in the first place.
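The parasitic virus entry in the list of virus types describes the essential trick: the host file keeps working, but the virus gets control first. The added example below (not code from the original page) shows that mechanism on an invented toy executable format with a tiny interpreter, and then the countermeasure that catches it no matter what the virus looks like: a baseline of cryptographic hashes of known-good program files, compared against the current files. The file format, the “virus” instructions and the host programs are all constructed for the demo; nothing native is executed.

```python
"""Toy parasitic infection of a tiny executable format, and a hash baseline that detects it.

Added example, not from the original page. TOYX is an invented format:
magic(4) | entry offset (4 bytes, little-endian) | newline-separated text instructions.
The interpreter understands SAY <text>, JMP <offset> and END.
"""
import hashlib
import struct

MAGIC = b"TOYX"
HEADER = 8
# Constructed "virus" body: what it does is just announced, nothing is really done.
VIRUS_BODY = ["SAY virus: infecting other hosts", "SAY virus: altering configuration"]
INFECTION_MARKER = b"SAY virus:"   # how this virus recognises an already-infected host


def build_host(lines):
    """Pack a toy executable whose entry point is the first instruction."""
    return MAGIC + struct.pack("<I", HEADER) + "\n".join(lines).encode("ascii")


def run(image, max_steps=1000):
    """Interpret a TOYX image; returns the list of strings the program 'printed'."""
    if image[:4] != MAGIC:
        raise ValueError("not a TOYX image")
    pc = struct.unpack("<I", image[4:8])[0]
    out = []
    for _ in range(max_steps):          # step bound guards against runaway jumps
        end = image.find(b"\n", pc)
        if end == -1:
            end = len(image)
        op, _, arg = image[pc:end].decode("ascii").partition(" ")
        if op == "SAY":
            out.append(arg)
        elif op == "JMP":
            pc = int(arg)
            continue
        elif op == "END":
            return out
        else:
            raise ValueError(f"bad instruction at offset {pc}: {op!r}")
        pc = end + 1
        if pc >= len(image):
            return out
    return out


def infect(image):
    """Parasitic infection: append the virus code, point the entry at it, and end the
    virus with a jump to the original entry so the host still behaves as before."""
    if INFECTION_MARKER in image:       # already carrying the virus: leave it alone
        return image
    orig_entry = struct.unpack("<I", image[4:8])[0]
    new_entry = len(image) + 1          # virus starts right after a separating newline
    virus = "\n".join(VIRUS_BODY + [f"JMP {orig_entry}"]).encode("ascii")
    return MAGIC + struct.pack("<I", new_entry) + image[HEADER:] + b"\n" + virus


def fingerprint(image):
    return hashlib.sha256(image).hexdigest()


def baseline(files):
    """Known-good baseline: name -> SHA-256 of the file as installed."""
    return {name: fingerprint(img) for name, img in files.items()}


def changed_files(base, files):
    """Names of files whose current hash differs from (or is missing in) the baseline."""
    return sorted(name for name, img in files.items() if base.get(name) != fingerprint(img))


def demo():
    """Build two clean programs, infect one, and return (host output before,
    host output after infection, files flagged by the integrity check)."""
    host = build_host(["SAY hello from host", "END"])
    clean = {"app.exe": host, "tool.exe": build_host(["SAY tool ok", "END"])}
    base = baseline(clean)
    current = dict(clean, **{"app.exe": infect(host)})
    return run(host), run(current["app.exe"]), changed_files(base, current)


if __name__ == "__main__":
    before, after, flagged = demo()
    print("clean host prints:   ", before)
    print("infected host prints:", after)
    print("integrity check flags:", flagged)
```

The infected host still prints exactly what it printed before; only the two virus lines precede it, which is what makes a parasitic infection easy to miss by looking at program behaviour. The hash comparison flags the file anyway, without knowing anything about the virus, which is the strength of integrity checking; its limits are that it cannot say what changed the file, only that it differs from the baseline, so the baseline must be taken from a known-good state, stored where the virus cannot rewrite it, and refreshed after every legitimate update.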

Comparing Viruses, Worms and Trojan Horses
