|
The importance of Antivirus Software
From Wikipedia, the free encyclopedia.
In computer security
terminology, a virus is a piece of program code that,
like a biological virus, makes copies of itself and spreads by
attaching itself to a host, often damaging the host in the
process. The host is another computer program, often a
computer operating system, which then infects the applications
that are transferred to other computers. The plural of virus
is viruses, not virii, which is sometimes used incorrectly,
both knowingly and otherwise. See plural of virus.
As with all code,
viruses use the host's resources: memory and hard disk space,
amongst others, and are sometimes deliberately destructive
(erasing files / formatting hard disks) or allow others to
access the machine without authorization across a network.
The term is often used
in common parlance to describe all kinds of malware (malicious
software), including those that are more properly classified
as worms or trojans. Most popular anti-viral software packages
defend against all of these types of attack.
There are a few
relatively "harmless" viruses that have been written to
perform a simple task (such as flashing a single message onto
the user's computer screen). A small percentage of viruses are
the result of computer code that operates in an unexpected
manner, but the majority of viruses are programs deliberately
written to interfere with, or damage, other programs or
computer systems.
The
term "virus" was first used in this sense in print by Fred
Cohen in his 1984 paper Experiments with Computer Viruses,
where he credits Len Adleman with coining it. However, a
mid-1970s science fiction novel by David Gerrold, When
H.A.R.L.I.E. was One, includes a description of a fictional
computer program called "VIRUS" that worked just like a virus
(and was countered by a program called "ANTIBODY"); and John
Brunner's 1975 novel The Shockwave Rider describes programs
known as "tapeworms" which spread through a network for the
purpose of deleting data. The term "computer virus" with
current usage also appears in the comic book "Uncanny X-Men"
No. 158, published in 1982. Therefore, we may conclude that
although Cohen's use of "virus" may, perhaps, have been the
first "academic" use, it had been in the common parlance long
before that.
A program
called "Elk Cloner" is credited with being the first computer
virus to appear "in the wild" -- that is, outside the single
computer or lab where it was created. Written in 1982 by Rich
Skrenta, it attached itself to the Apple DOS 3.3 operating
system and spread by floppy disk.
Since the mid-1990s,
viruses which infect operating systems or applications
directly have been eclipsed by macro viruses. Written in the
scripting languages for Microsoft programs such as Word and
Outlook, these viruses spread in the Windows monoculture by
infecting documents and sending infected e-mail. Although
Windows is the most popular operating system for virus
writers, viruses numbering in the single digits have been seen
on Mac OS X. Some viruses also exist on other Unix based OSes.
It is important to note that any operating system that allows
third-party programs to run can theoretically run viruses.
However, some operating systems are less secure than others.
Unix-based OSes (and NTFS-aware applications on Windows NT
based platforms) only allow their users to run executables
within their protected space in their own directories.
Nature of viruses
While viruses can be (and often are)
malicious, destroying data, many are fairly benign or merely
annoying (for example, displaying a message to the user). Many
such viruses have a delayed payload, playing a message on a
specific holiday, day of the month, or time of day; or waiting
for a certain number of infections or reboots, or randomly
occurring with a small chance.
The predominant
destructive effect of viruses is their uncontrolled
self-reproduction, which wastes or overwhelms computer
resources.
"Good" viruses have also appeared that
spread improvements to the programs they infected, or delete
other viruses. These are, however, quite rare, still consume
system resources, and may accidentally damage systems they
infect.
Anatomy of viruses
Most viruses just consist of a
finder and a replicator. The finder is responsible for finding
new and yet uninfected files. For each new executable file the
finder finds, it calls for the replicator to infect that file.
The replicators task is to 1) open the new file 2) append the
virus code to the executable file 3) save the executables
starting point 4) change the executables starting point so
that it points to the location where the newly copied virus
code starts 5) save the old start of execution point to the
virus in a way so that the virus branches to that location
right after its execution. 6) save the changes to the
executable file and 7) return to the finder so that it can
find new files for the replicator to infect.
However,
this only applies to quite simple viruses.
Most
viruses also contain some sort of bomb that goes off when a
certain condition is met. A bomb is mostly located at the
beginning of the virus, and it might for example try to erase
all files on the computer at a certain date, like on any
friday that happens to be at the 13th day in any month.
In addition, some viruses also encrypt their code
before injecting it to new executables to avoid detection from
antivirus-software. Such viruses must, obviously, decrypt
their code before running it. In order to do that, such
viruses have a decryption engine at the very beginning of
their body and an already encrypted encryption-engine
somewhere in their replicator.
Mostly, the decryption
for viruses is fairly simple and done by xoring each byte with
a randomized key that was saved by the parent virus. Most
often, the encryption- and decryption-engines are the same,
but used with different keys for the xoring. See xor for more
information about that.
However, while not being able
to detect the actual virus code (because it is encrypted),
antivirus-software can still detect the decryption-engine
located in the front of the body of such viruses by comparing
the byte pattern of the decryption-enginge. To avoid such
detection, some state-of-the-art viruses mutate their
decryption engines for each new copy of themselves. Such
viruses are said to be polymorphic, and are much harder to
detect. To enable polymorphic code, the virus has to have a
mutating engine somewhere in its encrypted body.
Replication Strategies
A virus requires several
features from its host software to successfully duplicate
itself. It must be permitted to execute code and write to
memory. For this reason, many viruses attach themselves to
useful programs, in the hope that users will run those
programs (and therefore the virus).
Before computer
networks became widespread, most viruses spread on removable
media, particularly floppy disks. In the early days of
personal computers, many users regularly exchanged information
and programs on floppies. Some viruses spread by infecting
programs stored on these disks, while others installed
themselves into the disk boot sector, ensuring that they would
be run when the user booted the computer from the disk.
As bulletin board systems and online software exchange
became popular in the late 1980s and early 1990s, more viruses
were written to infect popularly traded software. Shareware
and bootleg software were equally common vectors for viruses
on BBSes. Within the "pirate scene" of hobbyists trading
illicit copies of commercial software, traders in a hurry to
obtain the latest applications and games were easy targets for
viruses.
Many personal computers are now connected to
the Internet and to local-area networks. Today's viruses take
advantage of standard network protocols such as the World Wide
Web, e-mail, and file sharing systems to spread, blurring the
line between viruses and worms.
Hiding Strategies
In order to stay alive, some well
written viruses employ different kinds of obfuscation. Some
old viruses (especially in MS-DOS) alter the information
attached to the files they infect, such as the "last modified"
date and the recorded filesize. Antivirus software that just
searches for recently edited files or files that have changed
in size will not notice the virus's presence in this case.
Note that changing the information stored about the size of
the file is not the same thing as actually changing the size
of the file under MS-DOS. This approach does not fool modern
antivirus software.
Another hiding technique, a method
DOS-era viruses commonly used to spread, is to infect the hard
disk drive instead of the files saved on it. At bootstrap the
computer runs the code located in the boot sector, which has
been replaced by virus-code. The virus loads itself from the
hard disk into memory and makes itself memory resident, then
loads the original bootsector into memory and transfers
control to the code in it. This way, not even the operating
system notices the presence of the virus.
As computers
and operating systems grow larger and more complex, old hiding
techniques need to be updated or replaced. The stealth methods
of modern viruses often try to exploit the failings of modern
antivirus software in trying to detect viral presence. Most
modern antivirus programs try to find virus-patterns inside
ordinary programs by scanning them. If they find a
byte-pattern that corresponds to any specific virus-pattern,
the antivirus software tries to remove, contain, or delete the
virus/file.
The CIH virus, or Chernobyl Virus,
infected Portable Executable files. Because those files had
many empty gaps, the virus, which was 1 kilobyte in length,
did not add to the size of the file.
Modern
state-of-the-art viruses try to encrypt themselves in order to
avoid being detected by an antivirus search. This is often
done with a combination of encryption and self-modifying code.
A virus that uses this technique is said to be polymorphic.
There are usually two different parts of the virus
when we speak of polymorphic viruses: The
encryption/decryption engine and the infector. The crypto
engine encrypts/decrypts the infector. Each time the virus
runs it uses a different cryptokey. The crypto engine cannot
encrypt itself, because if it did, there would be no code to
decrypt the engine next time the virus ran. Therefore, the
crypto-engine has to use a form of self modifying code to
modify itself differently each time it runs, without any part
of the original algorithm getting lost. This is possible to do
with a good knowledge of assembly language and the use of
polymorphic code.
Viruses and popular software
Another analogy to
biological viruses is worth noting: just as genetic diversity
in a population decreases the chance of a single disease
wiping out a population, the diversity of software systems on
a network similarly limits the destructive potential of
viruses.
This became a particular concern in the
1990s, when Microsoft gained market dominance in desktop
operating systems and office software. Users of Microsoft
software (especially networking software such as Microsoft
Outlook and Microsoft Internet Explorer) are particularly
vulnerable to the spread of viruses.
Integrated
applications, applications with scripting languages with
access to the file system (eg: Visual Basic Script, or VBS,
and applications with networking features) are also
particularly vulnerable.
Viruses and software development
Because software is
often designed with security features to prevent unauthorized
use of system resources, many viruses must exploit software
bugs in a system or application to spread. Software
development strategies which produce large numbers of bugs
will generally also produce potential exploits.
Closed-source software development as practiced by
Microsoft and other commercial software companies is also seen
by some as a security weakness. Open source software such as
Linux, for example, allows all users to find and fix security
problems without relying on a single vendor. Some advocate
that commercial software makers practice vulnerability
disclosure to ameliorate this weakness.
Countermeasures
Many users install anti-virus software
that can detect and eliminate known viruses after the computer
downloads or mounts the executable. Some virus scanners can
also warn a user if a file is likely to contain a virus based
on the file type; some antivirus vendors also claim the
effective use of other types of heuristic analysis. Some
industry groups do not like this practice because it often
increases the number of false positives the anti-virus
software detects. They work by examining the contents of the
computers memory (its RAM, and boot sector) and the files
stored on fixed or removable drives (hard drives, floppy
drives), and comparing those files against a database of known
virus signatures. Some anti-virus programs are able to scan
opened files in addition to sent and received emails 'on the
fly' in a similar manner. This practice is known as "on-access
scanning." Anti-virus software does not change the underlying
capability of host software to transmit viruses. Users must
therefore update their software regularly to patch security
holes. Anti-virus software also needs to be updated in order
to gain knowledge about the latest threats and hoaxes.
A well-patched and well-maintained Unix system is very
well-secured against viruses. Windows has the same type of
scripting ability as Unix-based systems, but doesn't natively
block normal users from executing such scripts written by a
third-party as Unix does for users who are not running as
root. More recently, Microsoft's Outlook (but not Outlook
Express) e-mail client has developed similar features when
dealing with executable file types that Outlook may download
as attachments. Ordinary users would do well to patch their
operating systems and e-mail clients to prevent viruses and
worms from reproducing through security "holes" which prudence
(and most virus scanners) are unable to prevent.
|
