Thursday, April 16, 2009

Viruses, Trojans & Worms

Someone Once Said:
"The Average Virus writer is above 14 years & below the age of 23 & the virus writers of some evil viruses suffer from social loneliness." Well, I do agree with the age thing, but not the social thing. Most virus creators do not create viruses with the aim of creating havoc or destroying computers. Just out of interest they create a virus & then send it to their friends, & like most email viruses of today, they spread like anything.


Viruses:

A virus is an executable program designed to infect other files or documents, to survive by replicating itself, and to avoid detection. To avoid detection, a virus usually hides inside a legitimate program that the user has no reason to suspect. Many viruses also carry a destructive payload that corrupts or deletes data on the hard disk, for example by damaging the file allocation table (FAT) so that files can no longer be located. Viruses can be classified into the following categories:
  1. Boot Sector Virus (MBR):

    These viruses are not difficult to write. They infect either the master boot record (MBR) of the hard disk or the boot sector of a floppy disk, replacing the boot program that is responsible for loading the operating system. The virus either moves the original boot program to another part of the disk or simply overwrites it. A computer becomes infected when it boots, or tries to boot, from an infected disk, typically an infected floppy left in the drive at boot time.

    Common boot sector viruses: Michelangelo, Stoned, etc.

    How does a boot virus strike?

    • The user copies an infected file to the HDD or to a floppy disk.
    • When the infected file is executed, the virus is loaded into memory.
    • The virus copies the original boot record program to another sector & leaves a pointer to it in the boot sector.
    • The virus then writes a copy of itself into the boot sector.
    • The next time the computer boots from that disk, the virus loads itself into RAM before the operating system does & starts infecting other disks & files.

    The MBR is the first sector of the HDD; it holds the boot program together with the partition table. If the MBR is corrupted, the operating system cannot be launched.
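    As an added example (not part of the original post), the following Python script parses a 512-byte MBR the way a boot-sector check would: it splits off the 446-byte bootstrap program, the four 16-byte partition entries and the 0x55AA boot signature, and compares a SHA-256 of the bootstrap code against a baseline recorded when the disk was known to be clean. The sample MBRs, the bootstrap filler bytes and the function names are constructed for this illustration; the "infected" MBR simply swaps in a different bootstrap while keeping the partition table and signature intact, which is exactly why a boot virus leaves the machine bootable.

```python
"""Parse a 512-byte master boot record and detect a replaced bootstrap program.

Added example: the sample MBRs below are constructed for illustration, not taken
from a real disk or from any virus.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446            # bootstrap code: bytes 0..445
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR

# Partition entry: status, CHS start (3 bytes, skipped), type, CHS end (skipped),
# LBA of first sector, sector count; all little-endian.
PARTITION_ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(sector: bytes) -> dict:
    """Return the bootstrap hash, partition entries and signature status of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = PARTITION_ENTRY.unpack_from(
            sector, PARTITION_TABLE_OFF + i * PARTITION_ENTRY.size)
        if ptype != 0:                            # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare an MBR against a baseline hash of its known-good bootstrap code."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector will not boot")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline: MBR was rewritten")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct an MBR with one bootable partition of type 0x07 starting at LBA 2048."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    table = PARTITION_ENTRY.pack(0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed "known-good" bootstrap: a few x86 opcode bytes (cli; xor ax,ax) plus NOP filler.
CLEAN_MBR = build_sample_mbr(b"\xfa\x31\xc0" + b"\x90" * 40)
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]

# Simulated boot-sector infection: the bootstrap program is replaced while the
# partition table and signature are preserved, so the machine still boots.
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 40)


if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

    On a live system the sector would be read from the raw disk (for example the first 512 bytes via dd) and the baseline kept off the disk, because a resident stealth virus can hand the checker the original sector instead of the infected one; read it after booting from clean media.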

  2. File or Program Viruses:

    Some programs are viruses in disguise: when executed they load the virus into memory along with the program, carry out predefined steps & infect the system. They infect program files with extensions such as .EXE, .COM, .BIN, .DRV & .SYS. Some file viruses merely replicate, while others destroy the program being used at the time. Such viruses start replicating as soon as they are loaded into memory. Because some file viruses damage the program they infect, after the virus has been removed the corrupted program also has to be repaired or reinstalled.

    Some common File Viruses: Sunday, Cascade, etc.

  3. Multipartite Viruses:

    These viruses are the hybrid variety, best described as a cross between boot viruses & file viruses: they infect both program files & the boot sector. They are more destructive & more difficult to remove. First they infect program files; when an infected program is run, the multipartite virus infects the boot sector too. The interesting thing about these viruses is that they do not stop once the boot sector is infected: on the next boot they load into memory from the boot sector & start infecting further program files, so cleaning only the files or only the boot sector lets the infection return.

    Some common examples: Invader, Flip, etc.

  4. Stealth Viruses:

    These viruses use various methods to hide themselves & avoid detection. Some remove themselves from memory temporarily to hide from virus scanners. Some intercept disk reads & redirect the disk head to read another sector instead of the one in which they reside, so the scanner sees the original, clean data. Some, like Whale, conceal the growth of an infected file by reporting its original length, subtracting exactly the number of bytes they added, so that size-based checks do not notice the infection.

  5. Polymorphic Virus:

    They are the most difficult viruses to detect with signatures. They mutate: each time they spread, they encrypt their body under a new key & generate a different decryptor, so the byte pattern a scanner knows as the signature changes from one copy to the next. Anti-virus products that look only for a fixed string of virus code therefore cannot detect them.

    How does a polymorphic virus strike?

    a. The user copies an infected file to the disk.
    b. When the infected file is run, it loads the virus into memory.
    c. The virus looks for a host & starts infecting other files on the disk.
    d. The virus makes copies of itself on the disk.
    e. The mutation engine in each new copy re-encrypts the virus body under a fresh key & emits a decryptor that differs from the parent's. Because no fixed byte string survives from one generation to the next, signature scanners cannot match it.

    What is a Viral Signature?

    A signature is the specific fingerprint of a particular virus: a string of bytes taken from the virus's code that does not occur in clean programs. Antivirus software maintains a database of known virus signatures & looks for a match in every file it scans. As new viruses appear almost every day, this database has to be updated regularly.

  6. Macro Viruses:

    A macro is a set of automated instructions that lets a task a user performs often be replayed with a single click; macros make routine work faster. Beneath every MS Office application sits a Visual Basic for Applications (VBA) engine that runs behind the scenes & can be used for quite advanced coding. Macro viruses are viruses written as malicious VBA macros that run when the document carrying them is opened. They spread very quickly, & some activate at unpredictable times because their code can be hooked to many of VBA's event handlers (document open, close, save & so on).

    Macro viruses are tied to the application rather than the operating system: a macro virus can infect a system on any platform that runs the host application, but only when the document with the embedded macro is opened & macros are allowed to run.

How Viruses infect the systems?

We said that stealth viruses & polymorphic viruses are difficult to detect; why? Consider the techniques antivirus software uses. One is check-summing (integrity checking). An executable file does not normally change the way a data file does; it only changes when the program is upgraded. So the check-summer records the size & checksum of every executable & later compares them against fresh values. A stealth virus that is resident in memory intercepts those reads & reports the original size (reducing it by exactly the amount it added) or even the original bytes, so antivirus products that rely only on check-summing while the virus is active do not notice the change.

Polymorphic viruses, for their part, mutate & so change their known signatures; signature-based antivirus, which compares the bytes of executable files against a database of known signatures, cannot detect a variant it has never seen.
Thus check-summers miss resident stealth viruses, whereas signature-based scanners miss polymorphic viruses (a check-summer run from a clean boot does notice a polymorphic infection, because the file's bytes have changed).
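The following Python script, added here as an illustration and not code from the original post, puts the two detection methods from this section and the polymorphic section above side by side on constructed byte strings: a signature scanner with one entry in its database, a check-summer that records a SHA-256 of each executable at install time, and a toy "polymorphic" sample whose body is XOR-encrypted under a fresh key on every copy behind a fixed 2-byte stub (real mutation engines vary the decryptor as well; the fixed stub is a simplification). It also shows one step beyond the text, the trick scanners use against polymorphism: decrypt the body the way the virus's own decryptor would, then run the signature match on the plaintext. The signature string, the host bytes and all names are invented for the example.

```python
"""Signature scanning versus check-summing (integrity checking), demonstrated on a
toy "polymorphic" sample that re-encrypts its body under a fresh key on every copy.

Added example: every byte string below is constructed and inert.
"""
import hashlib
import secrets

# Signature database: a byte string lifted from a known sample's body (constructed).
SIGNATURES = {
    "Demo.Static": b"\xb8\x00\x4c\xcd\x21DEMO-SIG",
}


def signature_scan(content: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all known signatures found in content."""
    return [name for name, sig in signatures.items() if sig in content]


class IntegrityChecker:
    """Records a checksum of each executable at install time and reports any
    later change. If a stealth virus is resident while this runs it can hand
    back the original bytes, so the check must be run from a clean boot."""

    def __init__(self):
        self.baseline = {}

    def record(self, name: str, content: bytes) -> None:
        self.baseline[name] = hashlib.sha256(content).hexdigest()

    def changed(self, name: str, content: bytes) -> bool:
        return self.baseline.get(name) != hashlib.sha256(content).hexdigest()


# Constructed layout of one generation: 2-byte stub | 1-byte key | XOR-encrypted body.
STUB = b"\xeb\x01"   # stand-in for the decryptor; real engines vary this part too


def polymorphic_generation(body: bytes, key=None) -> bytes:
    """Produce one copy of the sample with its body XOR-encrypted under key."""
    if key is None:
        key = secrets.randbelow(255) + 1      # never 0: XOR with 0 leaves plaintext
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def decrypt_generation(blob: bytes) -> bytes:
    """What a scanner that emulates the decryptor sees: the original body."""
    key = blob[len(STUB)]
    return bytes(b ^ key for b in blob[len(STUB) + 1:])


def scan_after_decryption(content: bytes) -> list:
    """Signature scan of a file once any polymorphic body in it has been decrypted."""
    idx = content.find(STUB)
    if idx < 0:
        return signature_scan(content)
    return signature_scan(content[:idx] + decrypt_generation(content[idx:]))


HOST = b"MZ" + b"\x90" * 32                  # constructed benign program
VIRUS_BODY = SIGNATURES["Demo.Static"] + b"\x00" * 8


if __name__ == "__main__":
    checker = IntegrityChecker()
    checker.record("prog.exe", HOST)
    static = HOST + VIRUS_BODY
    poly = HOST + polymorphic_generation(VIRUS_BODY)
    for label, sample in (("clean", HOST), ("static", static), ("polymorphic", poly)):
        print(f"{label:12} signature={signature_scan(sample)} "
              f"changed={checker.changed('prog.exe', sample)} "
              f"decrypted={scan_after_decryption(sample)}")
```

Running it shows the split the text describes: the static infection is caught by both methods, the polymorphic copy is caught only by the check-summer (or by the signature scanner once the body has been decrypted), and the clean host triggers neither.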

Enter the heuristic scanner, which does not rely on signatures but looks for code patterns & behaviour typical of viruses (for example a decryption loop followed by a jump into the decrypted bytes, or code that writes directly to the boot sector). Such scanners have a downside too: they sometimes raise false alarms & declare an uninfected file to be a virus.

Windows does not include an anti-virus program of its own (the real-mode/protected-mode driver model described here is that of the Windows 9x line). However, it includes several features that make it harder for viruses to infect your computer:

  • Blocking direct disk access: writes that bypass the file system through the DOS absolute disk interrupts (INT 25h for read, INT 26h for write) are refused by the protected-mode file system.
  • Recognizing MBR modifications: the more dangerous viruses try to write to the MBR through the BIOS disk service INT 13h chain; Windows notices when that chain has been hooked.
  • Identifying unknown device drivers: Windows maintains a list of real-mode device drivers that it knows can safely be replaced by its own protected-mode drivers. If you add a new driver that hooks the INT 13h or INT 21h chain, Windows checks whether it is on that list. If it is not, Windows accesses the drives only through MS-DOS compatibility mode instead of the normal protected-mode path, so an unknown real-mode hook (a resident virus included) cannot sit unnoticed under the 32-bit disk access.

Next : Trojans