Building your PC:
Viruses, Worms and Trojans
A computer virus is defined as a self-replicating program that spreads by inserting copies of itself into documents or other applications (executable code). In this respect a computer virus is analogous to a biological virus which infects a body's cells, takes over the cell's genetic machinery forcing it to create copies of the viruses which then infect other cells and other organisms (the host). By analogy a computer virus is said to infect the document or application code in which it resides and this infected code is called a host.
Because of the development and deployment of anti-virus software, viruses in the strict sense of the term (as defined above) are far less common than they used to be. However, other forms of malicious software (generally termed malware), such as spyware, worms and trojan horses, have become more prevalent. In common parlance viruses, worms and trojans are generally lumped together as a whole (and are dealt with in this article) whilst spyware, which has a different route of infection, is treated separately.
Viruses: A History
The first computer virus, the Elk Cloner, was written in 1982 and attached itself to the Apple DOS 3.3 operating system, being spread via infected floppy disks. The first PC virus, (c)Brain, was developed in 1986. During these early days viruses tended to spread through the exchange of floppy disks, as large-scale computer networks were in their infancy. It was only in the early 1990s, with the advent of software exchange via Bulletin Board Systems (BBS) and the development of shareware, that viruses first began to target and infect applications delivered via the internet. By the mid 1990s virus authors began to target the scripting language used by Microsoft in its Office applications. Such macro viruses became a real problem in that they could be spread by any machine running the Microsoft applications (even Mac computers running Office applications could spread these viruses though they could not be directly infected by them). These days viruses tend to be spread by e-mail and instant messaging, many having been written to automatically e-mail themselves over a network.
Worms: A History
A worm is very similar to a virus in some respects in that it is a self-replicating program. However, unlike a virus, a worm is an entirely self-contained piece of software that does not need to be part of another program or a document. A worm can replicate by itself, using the networking capabilities of modern computers as a means of distribution. Worms therefore consume bandwidth and adversely affect network performance. A worm is therefore more like a malaria parasite than it is a virus. The characteristics of a worm were first posited by John Brunner in his 1970s Science Fiction novel The Shockwave Rider and the term worm comes from that novel. However, it was not until 1978 that the first worm was written by researchers at Xerox PARC. The first truly malicious worm, the Morris Worm, was released in 1988, where it spread through a number of bugs and security holes in BSD Unix and infected a large percentage of internet hosts.
Trojan Horses: A History
A Trojan Horse is a malicious program that is disguised as legitimate software. It is named after the subterfuge employed by Odysseus in Homer's Iliad to gain ingress into the walled city of Troy. By analogy, Trojan Horse software generally looks interesting and innocuous to the unsuspecting user but is actually harmful when executed. Unlike viruses and worms, trojan horses cannot replicate themselves. They must be physically downloaded and executed. When executed a Trojan Horse is almost always malicious in its intent, though latterly Trojans have become the means for deployment of spyware. The latest generations of Trojan Horses are beginning to include code for the replication of such malicious software by e-mail and over networks. As a result Trojans are becoming far closer in nature to viruses than they have been previously.
Viruses: How they Replicate and Infect
Unlike naturally occurring viruses, computer viruses cannot evolve and mutate by themselves. The rapid development of novel malware is almost entirely mediated through the actions of human programmers. All viruses are deliberately created by programmers and though a minority are not directly intended to be malicious they can still consume system resources and cause unexpected damage. Like their biological counterparts, computer viruses often cannot directly replicate by themselves. To do this they must execute code and write to memory. As a result many viruses attach themselves to legitimate code and are executed along with it.

Broadly, viruses can be divided into two main categories:

Non-resident Viruses. This type of virus immediately searches for new hosts that can be infected and upon infecting them transfers control to the newly-infected code. This new replication module then searches for new hosts to infect and so on...

Resident Viruses. This type of virus loads itself into memory as soon as its host application is executed and then it transfers control to the host program. The virus generally remains active in the background and infects new hosts as they access the infected files.

For replication, viruses need to infect regions of code that are frequently accessed by the computer. As such they tend to infect executable files (such as .exe files in Windows), the boot sectors of disks, the master boot record of a hard drive, script files such as Windows batch files and documents (such as MS Office documents) that contain macros.
In contrast, worms are self-replicating pieces of code. They access network protocols and copy themselves across these networks, consuming bandwidth.
Trojan Horses generally masquerade as useful applications with the vast majority of Trojan Horse infections occurring because the user has executed an infected program. Many are now delivered as attachments to e-mails and this is the reason to be wary of any unsolicited attachment. It is also possible to be infected by visiting a malicious website and Microsoft Internet Explorer is often targeted by such sites. If your computer is running a home network then you may have open HTTP (web) or FTP (file transfer) ports and these can be accessed by Trojans. Indeed, Trojans are often used to directly open these ports so that hackers and virus writers gain a 'back door' allowing remote access of your machine. A firewall can be (and should be) used to limit access to open ports but it is not a totally impenetrable solution as access to the internet is still required by the user.
Viruses: How they Hide
In an analogous way to the competition between biological hosts and their viruses there is an equivalent competition between computer virus developers and the authors of anti-virus software. As the obvious means of detecting computer viruses have been plugged by the anti-virus software virus developers have had to become more stealthy in their means of attack. Viruses have become more and more 'stealthy' and clever in their means of infection. They have to side-step the main means by which anti-viral programs detect them. One good example of this is 'selective infection'. A computer virus' main purpose is to replicate itself. As such it attaches itself to other computer code whereby it is executed and can replicate. However, all anti-viral applications perform an integrity check on themselves to see whether or not they have been infected. As a result many virus programs are written so as not to infect anti-virus programs. Anti-virus applications are now deploying 'bait' or 'goat' files that seek to be enticing to viruses and become infected. The authors of viruses are attempting to avoid infecting these files and so the battle goes on.
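The bait-file idea described above can be sketched as a small integrity check. This is an added example, not code from the original page or from any anti-virus product; the file names, the filler content and the helper names are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def plant_goat_files(directory, names):
    """Create bait files with known content; return {path: (size, digest)}."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(b"GOAT" * 256)  # constructed, harmless filler
        baseline[path] = (os.path.getsize(path), sha256_file(path))
    return baseline

def check_goat_files(baseline):
    """Return (path, reason) for every bait file that no longer matches."""
    findings = []
    for path, (size, digest) in sorted(baseline.items()):
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif os.path.getsize(path) != size:
            findings.append((path, "size changed"))
        elif sha256_file(path) != digest:
            findings.append((path, "content changed"))
    return findings

def demo():
    """Plant two bait files, simulate a modification, report what changed."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_goat_files(d, ["goat1.com", "goat2.exe"])
        clean = check_goat_files(baseline)
        # Simulated tampering (constructed): 32 bytes appended to one file.
        with open(os.path.join(d, "goat2.exe"), "ab") as f:
            f.write(b"\x00" * 32)
        after = check_goat_files(baseline)
        return clean, [(os.path.basename(p), r) for p, r in after]

if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored somewhere the monitored system cannot rewrite, otherwise a change to the bait file can be hidden by changing the baseline with it.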
Some viruses infect only specific file types and they intercept any requests made by anti-virus software to such files/applications so that they pass an uninfected copy of the file/application back to the anti-virus program, making it seem that no infection has occurred. Many viruses or families of viruses have characteristic byte-code signatures and anti-virus applications search for these. A scan for these signatures is made and the offending code can be removed. The latest generation of viruses alter their own code on each infection so that no stable signature is generated.
A new generation of advanced viruses are using encryption algorithms to encipher the viral code. On each decryption and replication cycle a new encryption key is randomly chosen so that the only stable part of the virus remains the decryption component. This makes detection of such viruses difficult, but not impossible. A variant of this is the Polymorphic Virus. This class of computer viruses also modifies the decryption algorithm on each encryption cycle so that no part of the virus remains the same. In this class of viruses we have something approaching the behaviour of a biological virus. Because the virus is continually changing it takes a long time before anti-virus software vendors can gain a large-enough sample of the virus to be able to identify it. Even if the virus is identified there may still be variants out there that are sufficiently different to avoid detection. This very closely resembles the interaction between the human immune system and the influenza virus.
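The two preceding paragraphs, signature scanning and re-keyed encryption, can be seen side by side in a small scanner. This is an added example, not code from the original page; the sample bytes are inert constructed placeholders, and the one-byte XOR encoding, the marker bytes and the signature names are assumptions chosen only to show which signature survives a key change.

```python
import re

BODY = b"INERT-SAMPLE-BODY-0123456789"   # constructed placeholder, not real code
STUB_HEAD = bytes.fromhex("A1B2C3")       # constructed marker bytes
STUB_TAIL = bytes.fromhex("D4E5F6")       # constructed marker bytes

def encoded_sample(key):
    """Constructed sample: fixed stub carrying a one-byte key, then BODY XOR key."""
    return STUB_HEAD + bytes([key]) + STUB_TAIL + bytes(b ^ key for b in BODY)

def compile_signature(hex_pattern):
    """Turn 'A1 B2 ?? D4' into a bytes regex; '??' matches any single byte."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

SIGNATURES = {
    # Exact bytes of the unencoded body: breaks as soon as the key changes.
    "body-exact": compile_signature(" ".join(f"{b:02X}" for b in BODY)),
    # Stable stub with the key byte wildcarded: survives every key.
    "stub-wildcard": compile_signature("A1 B2 C3 ?? D4 E5 F6"),
}

def scan(data):
    """Return the sorted names of all signatures found anywhere in data."""
    return sorted(n for n, sig in SIGNATURES.items() if sig.search(data))

def demo():
    """Scan one unencoded and two differently keyed constructed samples."""
    plain = b"HEADER" + BODY
    return {
        "plain": scan(plain),
        "key 0x21": scan(encoded_sample(0x21)),
        "key 0x5A": scan(encoded_sample(0x5A)),
    }

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

For the polymorphic class described above, the stub bytes change as well, so neither of these two signatures would stay stable.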
Viruses: How to Protect Yourself – and Others
The virus problem is a persistent and malicious one and the only way to slow down the problem is to install anti-viral software. Everyone should do this regardless of the operating system being run, as Mac OS/Linux/BSD, though not greatly prone to viruses, can still be used to transmit them. There is an analogy to human immunity here. Vaccination programmes in humans work by directly immunizing at least 80% of the population. The remaining un-immunized people are protected because of the phenomenon of 'herd immunity'. As long as the immunized population remains at 80% there are not enough infected individuals to transmit the disease to un-immunized individuals. Once the level of immunized members of a population falls below 70% then an epidemic is likely. The same is true for computer viruses. As long as most of us utilize anti-virus software and keep our virus definitions up to date then the worst excesses of viruses can be alleviated.
The only way to protect yourself and to protect others by 'herd immunity' is to install anti-viral software. This should be software that scans your system, removes viruses but which also scans all your e-mails and any downloads you make for malicious code.
A further way that computer networks can help ameliorate the spread of viruses is to be heterogeneous. A mix of Windows and Unix systems on a network is a good thing. This is partly because a virus needs to be written to target a specific operating system. In addition, Unix operating systems (Mac OSX, Linux, BSD, AIX etc) are inherently more secure. This is because there is a separation between what the user can do and what the system can achieve. Unix natively blocks users from being able to make changes at the system level whilst Windows does not. Thus, though there are viruses for Unix-based OSs they tend to be curiosities rather than active problems. Such viruses require that a user run them explicitly and thus they cannot spread to any great degree. Windows, as the most common operating system and because a normal user has access to the system level, is both insecure and heavily targeted by the authors of viruses.
The threat from viruses/worms/trojans is very real and each and every computer user has a responsibility to ameliorate the threat. You should all have some kind of antivirus software installed. You should update your virus definitions regularly and you should install any software and security patches that your operating system vendor issues.



