Monday, November 28, 2005

Lesson II - Self Replicating Code Viruses

Running around outside during chilly winter months without a coat will put you on the fast track to developing a cold. Always has, and always will. Likewise, owning and using a PC (with or without a coat) makes you a potential victim for computer virus infections. Always has, and always will.
Over the past dozen years, we’ve seen dozens of virus threats that either caused hysteria or serious damage or a combination of the two. Viruses continue to be a constant menace to our everyday computing experience, despite the best efforts of anti-virus software vendors. And interestingly, the evolution of viruses over the years shows that although today’s viruses do not differ much from the physical structure of older viruses, they are changing their approach.

Sunday, November 27, 2005

A Closer Look

“Increasingly, we are seeing a more complex generation of threats—threats that are self-mutating,” says Carey Nachenberg, chief architect, Symantec Advanced Concepts Group. “The authors of these things are making them exceedingly difficult for anti-virus software to detect. It’s almost like a race to see who can make the hardest-to-detect virus.”
In the early virus days, virus protection was nearly nonexistent, and viruses made little, if any, effort to hide their presence on a victimized computer. Sometimes little dialog boxes popped up announcing a new infection or letters would fall down the screen before the user’s eyes. Today’s virus writers, however, seem more interested in thwarting anti-virus efforts than outwardly marking their territory.
“We’re seeing multiple entry points with the same infector,” says Patrick Hinojosa, chief technical officer, Panda Software. “You’ve got them bashing down the front gate, you’ve got them tunneling under the wall, you’ve got them throwing ladders up over the wall—in the same attack. It’s much more difficult to defend against.”
But even though modern viruses tend to resemble the behavior of undercover agents, the damage they can cause is still frighteningly real. By their very nature, file infector viruses, boot sector viruses, and macro viruses are powerful and flexible, particularly due to their ability to self-replicate (make copies of themselves) to spread their infection.
Many viruses also carry a destructive payload, a part of the virus that carries out malicious instructions. If infection by these viruses goes unchecked, the potential for data corruption or deletion is usually high. In many instances, by the time users discover viruses on their computers, damage is already evident. Taking an in-depth look at what these viruses are and how they work can help you understand the danger that perpetually surrounds our computing experience.

Saturday, November 26, 2005

File Infector Viruses

Many of the earliest viruses were file infector viruses, and these viruses continue to wreak havoc today. They attach themselves to programs or other executable files, sometimes even overwriting the files. When the program executes from a hard drive, floppy diskette, or a network resource, the virus code activates and infects other files.
Although most infected file types have .COM or .EXE file extensions, file infector viruses also can infect files using .BIN, .DRV, .OVL, .SYS, and other extensions. File infectors vary significantly in their methods, and researchers identify them according to their behavior.

Friday, November 25, 2005

Memory Resident Viruses

File infector viruses are often memory-resident, meaning that the virus remains in the system memory after it executes, infecting other opened programs until the user reboots or shuts down the computer. Living in the system memory also lets the virus intercept program-dependent OS (operating system) services, which can help the virus code run as planned. Although the actions of a memory-resident virus cease when the computer is off, some crafty viruses modify the Windows Registry (database for settings and user preferences) so they become active in memory the next time the user turns on the computer.
These viruses can be difficult to eradicate because even if a user deletes all of the infected files, the virus is still waiting in the memory to infect more files. This also is known as a TSR (terminate-and-stay-resident) program, a DOS term meaning that the program (or virus in this case) runs its routines only as necessary. Because users tend to run several programs or other executable files during an average computing session, the potential for serious damage is great.
One of the most notorious examples of the memory-resident file infector virus is CIH, a variant of which is known as Chernobyl (because the virus executes on April 26, the anniversary of the Chernobyl nuclear disaster; other variants of this virus activate their payloads on the 26th of every month or annually on June 26).
CIH first emerged in June 1998 and quickly spread via both pirated software and products from legitimate companies. An IBM shipment of new Aptiva PCs infected with CIH made it to market, as did an infected firmware update for Yamaha’s CD-R400 drives. The virus appeared in other commercial sources, as well, and soon its destructive nature had a worldwide presence.
Infecting EXE (executable) files on PCs running Windows 95 and Windows 98, CIH overwrites data on the hard drive, which would seem destructive enough, but it goes a step further and tries to overwrite the PC’s BIOS (Basic Input/Output System) information. If the chip containing this information is not reprogrammable, purchasing a new BIOS chip (or a new motherboard altogether) might be necessary.
Another infamous memory-resident virus is Jerusalem. This virus infects both EXE and COM (executable; for programs) files, although the first version of the virus was ultimately buggy and infected a single EXE file repeatedly until multiple infected versions filled the hard drive’s remaining empty space. Activating every Friday the 13th, Jerusalem deletes any programs executed on that day and slows down the computer. Because of the virus’ rather concise code, it provided a template of sorts for aspiring virus writers, and soon after Jerusalem entered the wild, variants followed at a breakneck pace.
Although most modern memory-resident viruses try to conceal their presence, an early virus called Cascade (also known as Falling Letters or Blackjack) does just the opposite. When infected with this DOS-based virus, and assuming the virus’ system conditions were met, letters on your monitor’s screen will fall to the bottom of the screen, creating a “virtual pile.”
Direct action viruses and overwrite viruses often act as file infector viruses, depending on their behavior. For example, certain direct action viruses behave like file infector viruses in the sense that they replicate by infecting other files, although they are not memory-resident. These viruses select programs to infect whenever the original infected program executes.
The Vienna virus, written in Vienna, Austria, as a high school student’s experiment, is a prominent example of a direct action virus because it searches for uninfected COM files and infects them. This virus destroys one of every eight files it infects by overwriting some of the original code with instructions to reboot the computer. Multiple variants of Vienna entered the wild after its source code appeared in a book about computer viruses. Because it partially overwrites files, Vienna shares traits with overwrite viruses. These viruses destroy files by replacing part or all of their code. Interestingly, overwrite viruses do not increase the file size of the original file, most likely to avoid detection.

Thursday, November 24, 2005

Companion (or Sprawling) Viruses

When used to infect DOS-based files, these viruses locate EXE files and place a COM file of the same name in the same directory as the EXE file.
For example, if the virus infects your Calc.exe program, it creates a file and inserts it into the same directory. If you type CALC on a command line to launch the program, DOS launches the file first because by design DOS runs COM files before EXE files. Before drawing attention to it, the infected COM file executes and often tries to infect more files, and then it loads the original EXE file. The slight delay between typing CALC and seeing the program on-screen is often barely noticeable.
Companion viruses in Windows work a little differently. Instead of placing a companion COM file in the same directory, the virus replaces the original file’s .EXE extension with a .COM extension. When the user executes the program file, the new COM file opens, resides in memory, and infects any programs opened during the current computing session.
Some companion viruses rename the .EXE file extension to something similar, such as .EXF, and retain the original EXE file name for the virus itself. When the user accesses the EXE file, the virus code activates first and then activates the intended program, similar to behavior of the DOS-based companion programs.
DeDouble.7200 is an example of a companion virus that feeds on DOS-based programs. True to its name, the virus creates infected files with a constant size of 7,200 bytes, and when it tries to infect a program on the first day of any year, it displays a message indicating that now is the right moment to buy an anti-virus program. Sounds like good advice, right?

Wednesday, November 23, 2005

Boot Sector Viruses

All hard drives and floppy diskettes have a boot sector, which includes information crucial to the boot process, as well as a program that enables the computer to boot from disk. Boot sector viruses reside in the boot sector, waiting for a user to boot from the infected drive or diskette. When this occurs, the virus resides in memory and infects any uninfected drives that the OS tries to access.
These viruses typically spread via floppy diskettes, but if they reach the master boot record of the hard drive, widespread infection can occur because any type of media (CD-ROMs, SmartMedia cards, Zip disks, etc.) then risks infection.
Both boot sector viruses and master boot record viruses can cause significant damage. Symptoms range from boot or data retrieval problems to erased disk partitions to general computer instability. Some OSes (such as Windows NT) will not boot at all when infected with one of these viruses. Boot sector viruses have a long history of causing both panic and actual damage, and perhaps the most infamous of these troublemakers is Michelangelo. As both a boot sector and master boot record virus, Michelangelo overwrites portions of the drive if an infected computer boots on March 6, the same date as its namesake’s birthday.
Michelangelo was one of the first media-hyped viruses, mostly due to its potential for a computer wipeout on a single date. Leading up to March 6, 1992, major newspapers and TV networks carried news stories about the virus, eventually predicting that thousands and then millions of computers were at risk. March 6 arrived, and the hysteria soon died following reports of some infected systems, but not anywhere near the immense predicted numbers. Experts theorized that the failure of worldwide Michelangelo infection was due to panicked computer users buying anti-virus software before March 6 (which also served to expose existing infections of many other viruses).
Michelangelo is a variant of the Stoned family of viruses. Also a boot sector and master boot record virus, Stoned was actually much more prevalent during the hysteria Michelangelo caused. But unlike Michelangelo, Stoned was more annoying than harmful.
“The Stone variants weren’t necessarily devastating, but they were incredibly well-distributed,” Nachenberg says. “They were all over. Everyone had Stone.”
Unlike modern stealthy viruses, Stoned proudly proclaims its existence by first infecting a computer’s master boot record, and then displaying the message: “Your PC is now Stoned!” approximately once in every eight boots from an infected floppy. Although booting from floppies was more common 12 years ago, the practice faded, as did one of its primary nemeses, Stoned.
A downright destructive example is Disk Killer, another prominent boot sector and master boot record infector. On an infected computer running for 48 hours, this beast (or Ogre, as its nicknamed) displays the following message: “Warning! Don’t turn off the power or remove the diskette while Disk Killer is processing!” Next, you’ll see an ominous “PROCESSING” message, later followed by, “Now you can turn off the power. I wish you luck!” During that “PROCESSING” stage, Disk Killer encrypts all of the data on your diskette or drive, rendering it (and the rest of your computer) useless.

Tuesday, November 22, 2005

Macro Viruses

When Microsoft included Visual Basic capabilities with its Microsoft Office suite several years ago, it inadvertently opened the floodgates for a new type of viral threat: the macro virus. These viruses infect Microsoft Access, Excel, PowerPoint, and Word documents, as well as documents from non-Microsoft products, such as Lotus Ami Pro and Corel-DRAW. Drawing on macros’ ability to automate user tasks, macro viruses are extremely powerful and flexible, performing actions as innocent as changing the colors on your Desktop to deeds as sinister as formatting your hard drive.
Today, macro viruses are the most widespread virus type, thanks to their qualities and ease of creation. Because macro viruses often appear tranquil, users sometimes disregard the potential damage they can achieve. Macro viruses spread easily by infecting the global template of a program, so that when a user opens a new document, the template automatically infects it. Macros can execute a large range of actions, all of which happen automatically, providing the perfect environment for viruses to cause trouble.
“The macro language allows you to issue a lot of operating system commands,” Hinojosa says. “So you can wipe out folders, files, all kinds of stuff. People don’t generally think of [macro viruses] that way. They think, ‘Oh, my template is infected. It’s not a big deal.’ But potentially you can do a lot of damage with these.”
Concept (also known as the MS.Concept or WM.Concept virus), the first Microsoft Word macro virus found in the wild, proved to be a colossal headache for companies of all sizes. The virus accidentally appeared on a software compatibility testing CD sent by Microsoft to hundreds of OEM (original equipment manufacturers) companies in August 1995, on another CD distributed by Microsoft in the United Kingdom, and on yet another CD from ServerWare. The virus ran rampant for years thereafter.
When infected by Concept, a user first sees a dialog box displaying the number “1,” and if the user clicks OK on the box, the virus takes control of several Word features. The virus copies several macros to the global template file (Normal .dot), making sure all new documents include the infection. These macros also change the behavior of the Save As option on the File menu, infecting any documents saved using this option.
Although the Concept virus usually ravaged office environments, a macro virus that appeared in 1999 caused worldwide panic among computer users of all types. Dubbed Melissa by anti-virus software vendors, the virus propagates via an email message that has a Word document attached to it. When opened, the document runs a macro, which lowers macro security settings on the computer (if necessary), and then emails an infected Word document to the first 50 entries in every Microsoft Outlook MAPI (Messaging Application Programming Interface) address book accessible by the user executing the macro.
The e-mail’s subject line appears as “Important Message from Sender Name” (where Sender Name represents the name used in Word’s registration settings on the sender’s PC). The e-mail’s body states: “Here is that document you asked for…don’t show anyone else ;-).”
Melissa also infects Word’s global template file for future document infection, and if the minute of the hour matches the day of the month during this initial infection, Melissa inserts the following message in the current document: “Twenty-two points, plus triple-word score, plus fifty points for using all my letters. Game’s over. I’m outta here.”
Aside from severely overloading networks, Melissa was not inherently dangerous. But there are other macro viruses that are certainly destructive. Nuclear, for example, uses nine macros to perform a host of damaging actions. In addition to infecting Word’s global template, Nuclear checks to see if the current date is April 5, and if it is, it alters several crucial system files, including Io.sys, MSDOS.sys, and It also checks the system time, and if the current time is between 5 p.m. and 5:59 p.m., the virus inserts a different virus in the C:\DOS directory that infects COM and EXE files.
One of the more notorious Excel macro viruses is Laroux (appeared in July 1996). Working much like Concept, Laroux has no payload but uses two macros to infect all created or accessed spreadsheets by inserting its virus code into Personal.xls, a file that stores macros available to all Excel spreadsheets on the computer.

Monday, November 21, 2005

Bedevil Others With Hoaxes

Almost as widespread as actual viruses are stories of viruses that don’t really exist. If you use email, you probably see evidence of hoaxes regularly because the hoax formula is typically consistent. According to HoaxBusters3, successful hoaxes typically include technical-sounding details and credibility by association, and they have three recognizable parts: a hook, a threat, and a request (which is usually to send it to everyone you know).
Curiously, hoaxes can be just as damaging as viruses because they clog networks and steal time from workers who read the messages. Most emails following the aforementioned formula are indeed hoaxes, but check a credible source such as Symantec’s Hoaxes Web Page4 or Vmyths.com5 before disregarding the messages or forwarding them to others.

Sunday, November 20, 2005

Creators of Viruses

When you sit back and ponder the existence of thousands of viruses, you can’t help but wonder who creates them. Virus writers vary wildly from thrill-seeking teens to experienced programmers conducting experiments (however misguided they might be). One virus might exist to fulfill a warped promise of revenge, whereas another might exist as a way to test mere possibilities. Actually, many of the first virus writers were not outright troublemakers.
“The earliest guys were engineer types who were figuring out stuff,” Hinojosa says. “The groundbreaking work was done by legitimate people. That knowledge got out and people who probably otherwise didn’t have the capability or the discipline to do the research took advantage of that earlier work.”
Hinojosa says early virus writers used Assembler, an older, nuts-and-bolts programming language, to create many of the first viruses. As viruses grew in number and exposure, tools emerged that made virus creation easier, inviting a new generation of virus writers to create malicious code with little or no programming knowledge; but at the same time, these tools decreased the overall effectiveness of the malicious code.
“From what I’ve seen, more viruses are buggy as a percentage of code than standard, legitimate code,” Hinojosa says. “Guys will troll around looking for virus code, wanting to do their own thing with it, and they don’t totally understand how it works. More times than not, they botch it.”
Many infamous viruses were not able to cause the amount of damage their creators intended, often due to problems with the virus code. Because of this, we can probably assume that if those do-it-yourself tools for creating viruses were not available, today’s viruses would be much more sinister than they are.
But what about the rumor that claims anti-virus companies create and release viruses to keep themselves in business? Forget about it, Hinojosa says, because then viruses would be too good. “I can tell you if one of the experts in [an anti-virus] lab wanted to write a virus, you wouldn’t have a computer,” he says. “You’d have a piece of plastic and metal. Not literally, but you know what I’m talking about.”

Saturday, November 19, 2005

In The Future

Many of the viruses we discussed are no longer a threat because anti-virus companies targeted them long ago and impeded their ability to spread. And although modern file infector and macro viruses continue to uphold the destructive traditions of their elders, boot sector viruses are slowly fading away.
“Boot record viruses are on their way out,” Nachenberg says. “They used to comprise the majority of infections that our customers would see, and today, they’re just a blip on the screen. The difference is the newer versions of [today’s] operating systems are designed in such a fashion that, in many cases, boot record viruses are neutered—they’re not able to spread.”
Widespread use of anti-virus software also contributes to the decline of boot sector viruses. But when new viruses appear, they still don’t always go away quickly, often due to the extensive process involved with eliminating the threat and shoring up any possible vulnerability. “Vulnerabilities have lives of their own,” says Kevin Houle, a member of Carnegie Mellon’s CERT Coordination Center’s technical staff. “When a new vulnerability is discovered, we typically see activity related to that vulnerability for two or three years. There’s a patch cycle where vendors will release security updates, and administrators and consumers need to apply those security patches to protect their systems. But that takes time.”
Time is a crucial factor in the battle against viruses, and emerging viruses promise to make researchers spend much more of it to identify and eliminate them. In fact, a new virus type is causing significant unrest: Highly complex metamorphic viruses go to great lengths to avoid detection. W32.Simile, discovered in March 2002, uses entry-point obscuring, metamorphism, and polymorphic decryption.
“History is a great teacher,” Nachenberg says. “I think we will continue to see these threats evolving to take advantage of the capabilities of the newer computers, and also evolving with respect to their attempts to avoid detection by anti-virus software.”
Houle agrees, “I have no reason to believe that in the short term we will see [these viruses] disappear . . . for the foreseeable future, sites and organizations connected to the Internet should expect, and take preparations so they can defend against, self-replicating viruses.”

Friday, November 18, 2005

Malicious Intentions

As computer technology continues to evolve, so will viruses, ducking and hiding when necessary to avoid detection. Failing to see or hear about a virus doesn’t mean you’re safe—it means virus writers are succeeding. Keep that in mind the next time you open a strange-looking email attachment.