Abstract
The recent popularity of home computing has created a playground for programmers with misdirected talent to wreak havoc. Perhaps the most respected form of vandalism amongst the more destructive programming community is the creation of viruses. Increased media coverage and the image of this kind of hacker portrayed by cinema have both contributed to the related increase in viral programming, and viruses now pose a large threat to modern computing, particularly with the data exchange found on the Internet. The following essay discusses the evolution of computer viruses and the anti-virus software measures used to combat them.
I believe this to be both an interesting and important subject to study as malicious software such as viruses threaten the computing network that has such an influence on our lifestyle that we have practically become dependent on its existence. Home users, businesses and even the very military networks that control weapons systems have all been infected by such software and have become victim to huge damages and the future will continue this vulnerability unless the matter is confronted.
Even the earliest viruses, which had absolutely no anti-virus software to fear, caused mass damage regardless of their simplicity. Today, as measures have been taken to control the spread of computer viruses, they have become more complex and more dangerous. In order to deconstruct and evaluate this problem, this essay has been divided into sections: an introduction; the classification of a virus; the history of viruses; symptoms that many viruses seem to cause; anti-virus software; the ways in which viruses combat these methods of controlling them; and a conclusion.
The essay reaches the conclusion that computer viruses will probably never be prevented, nor sufficiently controlled, as they will become more and more complex in their aims of defeating our attempts to stop them.
Acknowledgements
I would like to take this opportunity to thank my assignment supervisor, for his assistance in completing this essay and his help during the proofreading and correction/improvement phases of writing. Also, for providing some source material used in this essay, I'd like to acknowledge the following libraries and educational institutions: Birmingham Central Library, Birmingham University Library and the Information Centre at the City Technology College, Kingshurst.
- Abstract
- Acknowledgements
- Contents
- Introduction: A comparison between biological viruses and computer viruses - The potential threat they pose
- Section One: What is classified as a 'virus'? The origins of the term 'virus' - Essential qualities of a virus - Explanation of the four phases a virus 'lives' through - An example of the structure of a virus in pseudo code
- Section Two: How were viruses first created? The first introduction of the concept - The first attempt at self-replicating software - The concept made available to the public in its portrayal in science fiction - Fred Cohen's term to describe such software - Modern viruses - An example of viral source code
- Section Three: What symptoms can we look for to tell if a virus is present? Several consequences that may be experienced as a result of a viral infection
- Section Four: Anti-virus software. An introduction to anti-virus software - Explanations of the different detection methods - What anti-virus software may do after detection - An evaluation of the effectiveness of this software against viruses
- Section Five: Survival tactics. An explanation of some of the ways viruses attempt to deceive anti-virus software
- Conclusion: A suggestion to prevent viruses in a short-term time frame - A suggestion to prevent viruses in the future - A prediction of viruses in the future
- Bibliography
Introduction
Throughout history, humans, plants and animals have been plagued with biological viruses that either harm or even kill their hosts to ensure their own survival. These viruses cannot continue to exist on their own and must inject their own DNA into the cells of other living organisms. From this point on, the cells of the living host will continue to replicate this viral DNA, not knowing that this DNA is harmful to itself.
As mankind moves further into its new digital age, the idea of the biological virus has been applied to computers: programs created by man to cause harm or complete destruction to the computers that host them. This metaphor goes beyond the mere sharing of a name, however, as their behaviour also follows comparable patterns. Although not as severe as a threat to life, computer viruses do cause damage of devastating proportions in some cases. Since their creation, viruses have cost billions in damages for businesses, home users and even the governments of the world. It is clear that, whilst there is much confusion and misinformation about them, computer viruses pose an imminent threat to the computing community.
What is classified as a 'virus'?
The term 'virus', as applied to computers, was first coined by Fred Cohen and his doctoral supervisor, Leonard Adleman, in 1983 at the University of Southern California. Cohen used the term to describe a destructive, self-replicating program. A program has several criteria it must fulfil before it is actually classified as a virus; the requirement that distinguishes viruses from other forms of malicious program is the ability to replicate by appending its code to legitimate files. Essentially, a computer virus has four phases that set it in a different category from other destructive programs such as Trojans and worms: dormancy, propagation, triggering and action.
Although the dormancy stage may seem a relatively unnecessary phase of the typical virus' lifecycle, it is in fact vital to its survival on the victim computer. During this period, the virus does nothing. This phase is often used by virus programmers to instil a sense of trust in the user, as if there is no malicious activity shortly after installation, the user is less likely to suspect a viral infection.
The propagation phase is essential for a program to be classified as a virus. During this phase the virus replicates itself by appending its code to host programs, in a way analogous to a biological virus inserting its DNA into a host cell.
The triggering phase, or activation phase, is launched by a specific condition being met, specified by the author of the virus. This may be related to the number of copies that have been created or a certain date, however, any logical, testable condition may be programmed into the virus to allow it to progress to the next, final stage.
The action stage is where the virus carries out the process it was initially created to do. This may be a simple prank, such as displaying a humorous message or making a graphic appear on the screen. It could, however, have a more damaging effect on the system and, unfortunately, this is what happens most often. There are almost infinite possibilities of what a virus may do if it reaches this point. Sensitive data such as credit card numbers may be copied to other locations and transmitted to the author, system processes may be altered and whole hard drives may even be erased - viruses potentially pose a very high threat.
The basic structure of a computer virus is shown in pseudo code below:
program V :=
{ goto main;
  1234567;

  subroutine infect-executable :=
    { loop: file := get-random-executable-file;
      if (first-line-of-file = 1234567) then goto loop
      else prepend V to file; }

  subroutine do-damage := { whatever damage is to be done }

  subroutine trigger-pulled := { return true if some condition holds }

  main: main-program :=
    { infect-executable;
      if trigger-pulled then do-damage;
      goto next; }

  next:
}
This structure highlights the phases that a virus 'lives' through. Dormancy is not shown here, but the code begins by instructing the virus on how to infect other programs ("infect-executable", the propagation phase); the marker 1234567 lets the virus recognise files it has already infected so that it does not infect them twice. The subroutine "trigger-pulled" is the triggering phase: it allows the virus to decide when to launch its payload, "do-damage", which is the action phase. "main: main-program" ties these steps together in that order.
How were viruses first created?
The history of the evolution of the computer virus is somewhat contradictory as various sources claim different dates to correspond with events. The majority of those who are knowledgeable in this field of computing accept that computer viruses began their journey in the 1940s when John von Neumann published a paper called "Theory and Organisation of Complicated Automata". This text documented the possibility of replicating computer programs. Bell Labs 'gave life' to this theory in a game in 1950 called 'Core Wars' where two programmers battled for control of a computer by unleashing software 'organisms'. Two science-fiction books from the '70s promoted the concept of a computer virus, where they depicted worlds where software could transfer itself between computers without detection. Although the concept dates back to the '40s, the term 'computer virus' wasn't coined until 1983, when Fred Cohen used it to describe a destructive and self-replicating program. He defines a virus as "a program that can infect other programs by modifying them to include a, possibly evolved, version of itself."
The first non-research viruses were developed in the early 1980s, before Cohen's work, infecting Apple IIs. The very first virus to be released "in the wild" was named Elk Cloner, written simply as a creativity challenge, and was reported in 1981. This virus was mostly benign and would print a message to the screen every 50th boot of the computer. It also played subtle tricks around every 5th boot, but did not try to harm data. It did, however, destroy Diversi-DOS disks if it tried to infect them.
Although Elk Cloner was the first virus created with the pre-determined intention of spreading in this way, there was another program, created earlier, that was later accepted under the category of a virus. This was originally a game called 'ANIMAL' from the early 1970s that attempted to guess an animal the player was thinking of through a game similar to 20 questions. As this became popular and the author was required to write the program to magnetic tape for distribution to each requestor, he wrote a subroutine called PERVADE - synonymous with 'saturate'. This subroutine created a copy of the game in another directory to make it available to another user. This was intended purely for distribution of the game, but the fact that it was self-replicating allows this 'game' to be called a virus.
Below is the source code for a section of the subroutine PERVADE. The whole program is written entirely in Univac assembly language, and this particular section, as the comments show, is run if a PERVADE-created file with the same name as itself is found in the directory it is attempting to save to. It compares the dates on which each copy was created and decides which is newer. If the currently running copy is newer, it overwrites the existing one with itself; otherwise it does not save, and the other version remains in the directory.
PVLKAR   TNZ      PFP+11        WAS ELEMENT FOUND IN USER FILE ?
         J        PVLKOK        NO. DO SOMETHING ABOUT IT
         REASON   'ALREDY'      INDICATE SAME VERSION IN FILE
         LA,H2    A0,PFP+11     LOAD CREATION DATE FROM USER FILE
         TNE,H2   A0,PFR+11     SAME AS DATE IN EXECUTING FILE ?
         J        PERVDFN       YES. SAME ABSOLUTE IN USER FILE
         REASON   'NEWER'       INDICATE NEWER ABSOLUTE IN USER FILE
         LA,S6    A0,PFP+11     LOAD USER FILE YEARS
         MSI,U    A0,12         CONVERT TO MONTHS
         AA,S4    A0,PFP+11     ADD MONTHS
         MSI,U    A0,31         CONVERT TO DAYS
         AA,S5    A0,PFP+11     ADD DAYS TO TOTAL
         LA,S6    A1,PFR+11     LOAD YEARS FROM EXECUTING FILE
         MSI,U    A1,12         CONVERT TO MONTHS
         AA,S4    A1,PFR+11     ADD MONTHS
         MSI,U    A1,31         CONVERT TO DAYS
         AA,S5    A1,PFR+11     ADD DAYS
         TG       A0,A1         IS USER FILE COPY MORE RECENT ?
         J        PERVDFN       YES. DON'T CLOBBER WITH OLDER COPY
There are several opinions as to which virus was actually the first; several viruses have been recognised as the first in their particular field. The ANIMAL-PERVADE virus is credited with being the first viral program in history (made in 1975), in the sense of a self-replicating program. The Elk Cloner virus is known as the first virus to appear "in the wild" (meaning the public domain). The Brain virus also competes for this title, created in 1986 but not showing noticeable infections until 1988.
From this point until the present day, the remaining history of the computer virus is simply the creation and release of new viruses and modified strains of existing ones. The fact that viruses are created deliberately to cause destruction poses the inevitable question of why this happens. The motivations behind a programmer's efforts to create such a program, however, are numerous and varied. The most common motive is the desire for revenge by a disgruntled employee: retaliation against a corporation accounts for 80% of cases. Whilst viruses are very difficult to write, allowing only skilled programmers to create them, it is fairly easy for the typical angry employee to release an existing virus. A different motive was behind the Pakistani Brain virus, one of the most widespread viruses known. This virus was created by a software company to prevent customers making copies of its software packages, which ironically were copies themselves. A recent variation on this motive has emerged in the USA, where a software pirate may plant viral code into the programs of a rival in an attempt to tarnish their reputation. Extortion and blackmail are two other motives, and an example has been seen in Europe, Thailand, South Africa and Zimbabwe: thousands of unsolicited copies of a diskette claiming to contain advice on AIDS installed a sophisticated Trojan horse on the systems of many organisations. The author included a message asking the user to send money to a post office box in Panama for a cure. Although this program is not classified as a 'virus', it is often treated as such by the world's media. Political or ideological motives have also been the cause behind such programs. The Israeli PC virus discovered in December of 1989 was set to trigger on Friday the 13th, the first occurrence being on the 40th anniversary of the last day Palestine existed as a recognised political entity under the British mandate.
The 'Fu Manchu' virus searches for text files containing the names of some famous politicians and appends the words "is a" plus an expletive. As there are such a variety of inspirations behind the creation of a virus, there are also many different types of virus.
What symptoms can we look for to tell if a virus is present?
The best way to find viruses on your system is to use anti-virus software, which will be discussed later in this essay. There are, however, some indications that a virus may have infected your system and is waiting to deliver its payload. Viruses always need an 'incubation period' to spread across systems before they enter their action phase. If they did not spread during this time, they would quickly become extinct, just as biological viruses would. As viruses infect new programs, these indications become more apparent.
The first and most obvious thing to look for is changes in file sizes. File infector viruses almost always change the size of infected files as they append their own code to the file. In order to remain undetected, the function of the infected file must not be altered in any noticeable way, meaning that the original code cannot simply be replaced with viral code. If the sizes of files, particularly *.COM or *.EXE files, increase for no apparent reason, an anti-virus scan of the entire system should be carried out immediately.
A change in interrupt vector mapping is another sign that a virus is present. An interrupt system is a method that computers use to handle some important processes. If a certain task requires immediate CPU attention, it may send an interrupt signal to the processor, which consequently temporarily halts all other processes while the task is completed. Some viruses may modify these interrupts for their own benefit and purpose.
Changes in file date and/or time stamps are other signs that a virus has infected them. A related indication is that the system clock may have been modified. There are many reasons a virus may do this; one may be in order to meet a certain triggering condition earlier than the author anticipated. If the triggering condition is a set date, the virus may change the system clock to a date closer to this in order to enter its action phase sooner.
Just like any other program, viruses require computer resources, such as RAM and CPU time. Viruses often utilise a large portion of such resources, particularly if they are memory resident and control major system functions. This means that another symptom of a viral infection is slower running and/or booting times than usual.
Similarly to the previous indication, viruses, in addition to draining memory resources, often create an increased number of bad blocks in disks. If the operating system reports file corruption on a suspicious number of occasions, it may also be a hint that a virus has been infecting the system.
Anti-virus software
As these indications may be difficult to find, particularly for a less experienced user, there are products available that provide a kind of vaccination against computer viruses. This does not mean that they give immunity against viral infection to computers, but they do detect and more often than not are able to take some sort of action to create a safer system again. In addition to this, they can help users take some precautions against becoming infected in the first place.
As this kind of software works against computer viruses, it is known as 'anti-virus software' and there are many popular brands available such as Norton Anti-Virus and McAfee. The key to this software is detection, as once a virus has been detected, the file it is contained in can often be repaired, or at least quarantined so the viral code is not executed. Anti-virus software is becoming more sophisticated and at present can even detect unknown viruses. There are four major methods of virus detection used by this type of software: scanning, integrity checking, interception and heuristic detection.
Scanning is the most common method of virus detection. Using this technique, a scanner searches through every file on a specified disk for small chunks of code that are unique to particular viruses. These snippets of code are compared against virus signatures stored in a database of known viruses and, if a match is found, the chances are that a virus is present. In order to prevent false alarms, however, anti-virus software will also check the suspected file against the virus itself, or carry out a checksum of it, to confirm the suspicion. Scanning is implemented in all major anti-virus programs. There are also two types of scanning that can be used: on-demand, where the user instructs the software to scan main memory, the boot sector and disk storage, and on-access, which scans files as they are accessed, and more recently even when they are selected. The main advantage of this detection method is that viruses can be identified without having to be executed, as scanners are able to search files without running the code. The main disadvantage, however, is that scanners are only effective against known viruses for which they have signatures. Also, as they only scan for small signature strings, all a virus writer is required to do is modify this string to create a new virus that is undetectable through scanning. This is seen in polymorphic viruses.
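The two-stage scan described above (a search for a short signature string, followed by a checksum of the suspected region to confirm the match) is shown below as an added example; it is not code from the essay or from any anti-virus product. The signature, the "viral body" and the sample files are constructed, harmless byte strings, and the function names are the example's own.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str            # name given to the known virus (constructed here)
    pattern: bytes       # short byte string unique to it, used for the stage-1 search
    pattern_off: int     # where that pattern sits inside the reference viral body
    body_len: int        # length of the viral body in the reference sample
    body_sha256: str     # SHA-256 of that body, used for the stage-2 confirmation


def make_signature(name: str, reference_body: bytes, pattern: bytes) -> Signature:
    """Derive a signature from a reference sample of the viral body."""
    off = reference_body.index(pattern)  # raises ValueError if the pattern is absent
    return Signature(name, pattern, off, len(reference_body),
                     hashlib.sha256(reference_body).hexdigest())


def scan_bytes(data: bytes, sigs) -> list:
    """Return (virus name, offset, confirmed) for every stage-1 hit in data.

    A hit is 'confirmed' only when the checksum of the region that would hold
    the whole viral body matches the reference checksum; a pattern that occurs
    by coincidence (for example in a text file) is reported but not confirmed.
    """
    hits = []
    for sig in sigs:
        pos = data.find(sig.pattern)
        while pos != -1:
            start = pos - sig.pattern_off
            body = data[start:start + sig.body_len] if start >= 0 else b""
            confirmed = hashlib.sha256(body).hexdigest() == sig.body_sha256
            hits.append((sig.name, pos, confirmed))
            pos = data.find(sig.pattern, pos + 1)
    return hits


def scan_tree(root: str, sigs) -> dict:
    """On-demand scan: walk a directory and return {path: confirmed hits}."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                confirmed = [h for h in scan_bytes(fh.read(), sigs) if h[2]]
            if confirmed:
                report[path] = confirmed
    return report


# Constructed, harmless sample data (not real virus code).
VIRAL_BODY = b"EXAMPLEVIR" + bytes(range(32)) + b"payload-stub"
SIGS = [make_signature("Example-A", VIRAL_BODY, b"EXAMPLEVIR")]
CLEAN_FILE = b"MZ" + b"\x90" * 40 + b"hello world"
INFECTED_FILE = VIRAL_BODY + CLEAN_FILE   # body prepended, as in the pseudo code above
FALSE_ALARM_FILE = b"notes about the string EXAMPLEVIR found in a report"

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE),
                        ("text", FALSE_ALARM_FILE)]:
        print(label, scan_bytes(blob, SIGS))
```

The text file containing the signature string produces a stage-1 hit that the checksum stage refuses to confirm, which is the false-alarm case the paragraph mentions; the scan only reports a confirmed infection when the whole reference body is present.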
Another identification method is integrity checking. Integrity checkers record integrity information about important files on disk, again usually by use of a checksum. If a virus modifies any file about which data is stored, the file will no longer match the expected integrity information and the user is alerted. There would usually be an option to restore the file to its previous, uninfected state. Few virus checkers utilise this method today, but some remaining software does use it. Integrity checking is the only way to determine whether or not a virus has damaged a file, and integrity checkers can restore damaged or corrupted files to their previous state. The major disadvantage is that not enough companies offer this method of detection. Even the software that does offer it does not protect enough files and often cannot differentiate between corruption and viral damage. Today's integrity checkers are also rather simple in comparison to modern computing, as many files can be legitimately modified by booting up and shutting down. Integrity checkers, therefore, must be made more complex to be an effective method of virus detection.
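The following is an added example of the integrity checker just described, and of the file-size symptom discussed in the previous section; it is not code from the essay or from any product. It records size, modification time and a SHA-256 checksum for each executable under a directory, then reports files whose content no longer matches. The directory layout, file contents and the simulated changes are all constructed in a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".com", ".exe")


def file_record(path: Path) -> dict:
    """Integrity data kept for one file: size, modification time, SHA-256."""
    st = path.stat()
    return {"size": st.st_size, "mtime": st.st_mtime,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}


def build_baseline(root: Path) -> dict:
    """Record integrity data for every executable under root (relative paths)."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare files against the baseline; return {relative path: finding}.

    'grown' is the pattern of an appending file infector, but the checker
    cannot tell viral modification from other causes, so 'grown' and
    'modified' are hints for a follow-up scan, not a diagnosis.
    """
    findings = {}
    for rel, old in baseline.items():
        path = root / rel
        if not path.exists():
            findings[rel] = "missing"
            continue
        new = file_record(path)
        if new["sha256"] == old["sha256"]:
            continue              # unchanged content; a new mtime alone is ignored
        findings[rel] = "grown" if new["size"] > old["size"] else "modified"
    return findings


def demo() -> dict:
    """Build a baseline over constructed files, alter two of them, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "tool.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")
        (root / "readme.txt").write_text("not tracked: not an executable")
        baseline = build_baseline(root)
        # Simulated changes (constructed bytes, not viral code): one file grows
        # by an appended block, one is overwritten at the same size.
        with open(root / "bin" / "app.exe", "ab") as fh:
            fh.write(b"<<appended block>>")
        (root / "tool.com").write_bytes(b"\xb8\x01\x4c\xcd\x21")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The checker deliberately ignores a changed timestamp when the checksum still matches, since files are legitimately touched at boot and shutdown, as the paragraph notes; a real deployment would also store the baseline somewhere the monitored system cannot rewrite it.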
A more generic method used by anti-virus software is heuristic checking. This method uses a set of rules to distinguish viruses from harmless programs. If a piece of code is found that matches these rules, it is labelled as viral and dealt with accordingly. The advantage of this is theoretical, as generic anti-virus software should be sufficient to detect any virus attack, new or old. There would be no need to constantly download updates for the software, as all viruses would be identifiable. Although these benefits are very appealing, modern technology is not sufficient to support this as well as the theory requires, and virus programmers may easily create a virus that does not follow the rules. This means that updates to these rules would need to be downloaded, defeating the purpose and giving heuristic checkers similar characteristics to scanners, although with heuristic checking there is greater potential for 'virus misdiagnosis' of the system, giving false alarms.
Using heuristics, interception software monitors the system for suspicious, virus-like behaviours, such as relocation in memory and the automatic installation of memory-resident software. This is commonly offered as an option in anti-virus software but is often disabled by the user. Interception is a good generic method of detection, especially when coupled with scanning software. Interceptors will usually detect unusual events caused by logic bombs and Trojans. Unfortunately, interceptors are only good at detecting these types of malicious program and have the drawbacks of heuristic systems too. Also, as this method monitors suspicious events, the virus already needs to have been executed, and so some damage may have occurred before detection.
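As an added example of the rule-based approach behind heuristic checking and interception (the two paragraphs above), the following scores a stream of behaviour events per process and flags those that cross a threshold. It is not code from the essay; the event records, the process names, the rule weights and the threshold are all assumptions constructed for the example, and a real interceptor would obtain such events from hooks on file, memory and interrupt services rather than from a list.

```python
from collections import defaultdict

# Constructed event records: (process, action, target).
EVENTS = [
    ("editor.exe", "open_file", "notes.txt"),
    ("editor.exe", "write_file", "notes.txt"),
    ("setup.exe", "install_resident", "driver.sys"),     # legitimate installer
    ("setup.exe", "write_file", "C:\\APP\\APP.EXE"),
    ("game.com", "hook_interrupt", "INT 21h"),
    ("game.com", "install_resident", "game.com"),
    ("game.com", "write_file", "C:\\DOS\\COMMAND.COM"),
    ("game.com", "write_file", "C:\\APP\\APP.EXE"),
    ("game.com", "write_sector", "boot"),
]

# Rule weights are assumptions chosen for the example, one per behaviour
# named in the text.
ACTION_WEIGHTS = {
    "hook_interrupt": 3,      # taking over an interrupt vector
    "install_resident": 2,    # becoming memory resident
    "write_sector": 4,        # raw write to the boot or partition sector
}
EXECUTABLE_SUFFIXES = (".exe", ".com")


def event_weight(action: str, target: str) -> int:
    """Score one event; 0 means the rules consider it harmless."""
    if action in ACTION_WEIGHTS:
        return ACTION_WEIGHTS[action]
    if action == "write_file" and target.lower().endswith(EXECUTABLE_SUFFIXES):
        return 2              # modifying another executable: how a file infector spreads
    return 0


def score_events(events):
    """Return ({process: score}, {process: [reasons]}) over the event stream."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for proc, action, target in events:
        w = event_weight(action, target)
        if w:
            scores[proc] += w
            reasons[proc].append(f"{action} {target} (+{w})")
    return dict(scores), dict(reasons)


def flagged(events, threshold: int = 6) -> list:
    """Processes whose accumulated score reaches the threshold, sorted by name."""
    scores, _ = score_events(events)
    return sorted(p for p, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    scores, reasons = score_events(EVENTS)
    for proc in scores:
        print(proc, scores[proc], reasons[proc])
    print("flagged:", flagged(EVENTS))
```

With the threshold at 6 only the process that hooks an interrupt, goes resident, rewrites executables and writes the boot sector is flagged; lowering it to 4 also flags the installer, which is the 'virus misdiagnosis' trade-off the text describes, and it shows why such monitors are often switched off by users. Note too that every scored event has already happened by the time the rule fires.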
Once a virus is detected, anti-virus software can attempt to repair the infected file(s). It is, however, poor at doing this and is often unable to carry out these repairs; system files and network libraries are particularly prone to failed restoration. Another option is often to quarantine the file(s). In doing so, the file is prevented from executing, so the viral code is not run from this file again.
This kind of software, however, is unfortunately always one step behind newly released viruses and needs to be constantly updated. Virus programmers always release new strains of viruses that current prevention methods cannot control or cure. These digital pathogens often exploit new security holes in operating systems to bypass anti-virus software, constantly evolving to survive. Just as there are ways in which anti-virus software attempts to destroy viruses, there are also methods used to allow viruses to combat these attempts - like an anti-anti-virus.
Survival tactics
In an attempt to avoid detection by anti-virus programs, virus programmers created polymorphic viruses. These are more difficult to detect than traditional viruses, as every copy of the virus is somehow different from the others. The aim behind this type of virus' survival method is that even if a scanner manages to detect infection, it can only cure a very limited number of copies, allowing the surviving copies to continue to replicate.
By its nature, a virus must modify something in order to become active. This may be a file, the boot sector or partition sector but whatever it is must be changed. Unless the virus gains control of the system to manage the accesses to the changes it makes, these changes will become visible to the system and the virus will be exposed. Viruses that are able to do this are known as 'stealth viruses'. They accomplish this by taking over the system functions that read files or system sectors and, whenever a program requests information from modified disk portions, the virus reports back the correct, unchanged data instead of what is really there - the virus. This means that the virus must be constantly memory resident to do this. Memory resident viruses also have a very effective method of replication, as they are able to infect any program executed.
Another common survival method is to infect the boot sector of the system, where it can guarantee execution, in order to gain control of the system as quickly as possible. Almost all viruses attempt to modify files that potentially threaten their presence on the system.
Conclusion
Just as with humans, animals and plants, computer viruses would not spread as they do without communication or data exchange. Cutting off that exchange is possibly the only real way to ensure immunity against viral programs; however, it defeats the purpose of computing, just as it would be ridiculous to expect humans to remain in permanent isolation to prevent infection. There will probably never be a way to develop total immunity to computer viruses, as, similarly to biological viruses, new strains are developed and released on an unsuspecting computing community. Speculatively, it may be possible to severely retard the spread of computer viruses, and this may lead to immunity in the future.
The only method that I believe may aid this cause is artificial intelligence. If this could be achieved, intelligent systems of the future may be able to detect a computer virus on infection and create a vaccination and immunisation method to defeat the virus without human intervention. This concept, whilst seeming very appealing, is not without drawbacks and the implications may be dangerous, as the science fiction novels mentioned at the beginning of this essay have portrayed. At present day, we are able to control computers absolutely, but to control a form of computer that is able to think for itself is an entirely separate matter and deserves the attention of a whole essay by itself.
Just as with medical healthcare, computer viruses may be suppressed but not prevented. There is no sight of a biological virus-free world. Computer viruses will continue to evolve and evade the attempts to stop them. Unfortunately, computer viruses, it seems, are here to stay, and the threat they bring to computing is huge and constant. We will see many epidemics in the future.
Bibliography
Books:
Highland, Harold Joseph. The Computer Virus Handbook.
Feudo, Christopher V. The Computer Virus Desk Reference: 1992 Edition.
Hruska, Jan. Computer Viruses and Anti-Virus Warfare.
Polk, W. Timothy, et al. Anti-Virus Tools and Techniques for Computer Systems.
Skardhamar, Rune. Virus: Detection and Elimination.
Websites:
Brain, Marshall. How Computer Viruses Work. http://computer.howstuffworks.com/virus.htm
Skrenta, Richard. Elk Cloner. http://www.skrenta.com/cloner/nu-clone.html
Lemos, Robert. The computer virus - no cures to be found. http://zdnet.com.com/2100-1105_2-5111442.html
Written by |nf4m0us (28 February 2004)
Member of CAU Knowledge-Bank Tutorial Writers
This article was originally published by CyberArmy.net in the CyberArmy Library.