An encryption example with the keytext "GOLD" of length 4 is given by:

plaintext   m u c h h a v e i t r a v e l l e d
keytext     G O L D G O L D G O L D G O L D G O
ciphertext  S I N K N O G H O H C D B S W O K R

Friedrich L. Bauer

Reference

[1] Bauer, F.L. (1997). Decrypted Secrets: Methods and Maxims of Cryptology. Springer-Verlag, Berlin.

VIRUS PROTECTION

Computer viruses are probably the most well-known and widespread threat to computer security. Some viruses such as Chernobyl, Melissa and
Denial of Service on other hosts; and they cause enormous wastage of computing resources. The threat of a fast-spreading malicious virus bringing down millions of computers in a matter of minutes looms over us. Such a virus could cost billions of dollars in losses and would be a disaster for today's computer-driven economy.

WHAT IS A VIRUS?: The first thing in a study of viruses is obviously knowing exactly what one is. Unfortunately, it is not easy to find a satisfactory definition, for several reasons. Over the years, the term virus has been overloaded with many definitions. Often a virus is mistaken for a worm or a Trojan horse (see Trojan horses, computer viruses and worms), and vice versa. This is sometimes unavoidable because a "good" virus (one that spreads rapidly, avoids detection and causes a lot of damage) often has several characteristics of a worm and Trojan horse too.
Virus protection 649


Firstly, a virus is a computer program written in a similar way as other normal programs. In fact, anybody with even the most modest programming knowledge can write one [1, 3, 6]. The most distinguishing property of a virus is that the virus program copies itself to other programs or documents so that the virus code is executed whenever the program is run or the document is opened. Programs to which the virus copies or attaches itself are said to be infected with the virus. When the infected program is run, the virus searches for other uninfected files and tries to attach itself to them too.

Malicious action of viruses includes but is not restricted to deleting or zeroing files, trashing the BIOS, leaving backdoors, spying on private information, using the infected machine to mount Denial of Service (DoS) attacks, etc. Even if the virus does not perform any such destructive activity, it might impede the normal working of computer systems by consuming too much CPU and memory or causing too much network traffic. Often, the virus' malicious action is triggered by a time bomb or logic bomb. These are pieces of code that get activated when a certain date or time is reached (time bomb) or when some given logic condition becomes true (logic bomb). For example, the famous CIH or Chernobyl virus was triggered to destroy files on the infected machine on 26th April, the date of the Chernobyl nuclear disaster.

INFECTION OF FILES: This section briefly describes how a virus infects a file. Traditionally, most viruses have infected executables. This is because the goal of a virus is to run on the local host and the obvious way to achieve this is by attaching itself to an executable. Recently, a new category of viruses, called macro-viruses, has surfaced that attach themselves to document files and are able to run whenever the document is opened. In this section, the two types of viruses are discussed in turn.

Traditional Executable Virus

The traditional virus targets executables and either overwrites the entire file or attaches itself to it so that the virus also runs whenever the executable is run. Viruses normally attach themselves in such a way that the virus runs first, after which the program proceeds normally. This strategy ensures that the virus runs even in cases when the infected program crashes or runs forever. It also makes detection hard since the program seems to run normally to the user.

Attaching a virus to text-based executables such as shell scripts is trivial (just put the virus code at the beginning) but suffers from the obvious disadvantage of being easily detectable if anybody happens to view the code. Since most executables are binaries, attaching a virus to a binary executable is more common. It is more complicated but has the advantage that the virus is better hidden. A very general overview of how a virus attaches itself to a binary is given below.

All operating systems have a minimum unit of hard disk access called a block (it is often 512 or 1024 bytes). Files on the hard disk always occupy an integer number of blocks, thus the last block of a file is only partly used. For example, if the block size is 512 bytes, and if a program needs only 998 bytes, it would occupy 2 blocks on disk, of which 998 bytes are the program itself and 26 bytes are unused. Viruses fit themselves within the unused space and thus do not require any additional blocks. Figure 1 gives a graphical picture of how this is done. It shows the structure of a binary before and after a virus attaches itself to it. The virus is able to modify the binary so as to fit in the available unused space in such a manner

[Figure 1 shows two layouts of a binary executable. Before infection: Starting Address Pointer, OS relevant Information, Actual Program Code, Free Space. After infection: Starting Address Pointer, OS relevant Information, Actual Program Code, Virus Code.]

Fig. 1. How a virus attaches itself to a binary executable


that when the binary is launched, the virus runs first and then the program. The binary contains a location called the starting address pointer that points to the first instruction to be executed and is required by the operating system to load the binary. The virus, after fitting itself into the unused space, modifies the starting pointer to point to the virus' first instruction. At the end of the virus code, a jump instruction sends control to the program's first instruction so that it is able to run normally.

Macro-virus

Some software packages allow their associated data files to contain script-like code that is executed when the file is opened. Viruses exploit this feature by attaching themselves to data files in the form of a script. The Microsoft Office software suite has been the most vulnerable to this type of virus. Microsoft Word and Excel files can contain macros (VB Script code) that are executed when the document is opened. The fact that Word and Excel are widely used and the documents are often shared makes this a very attractive target for viruses.

VIRUS PROPAGATION AND INITIATION: The previous section described how a virus infects a file. This section discusses how it initiates the infection. Infection requires two things: firstly, the virus needs to reach the host (propagation) and secondly, it needs to run on the host at least once in order to initiate the infection (initiation).

Any communication medium used to transfer data between computer systems can be used for propagation. Since the widespread deployment of computer networks, they have become the de facto medium. More specifically, some of the common ways viruses spread are:

1. Email. Email has been the most popular transport for viruses in the last few years. Melissa was the first virus to spread widely through email. Since then, Happy 99, Worm.ExploreZip, BubbleBoy, The Love Bug and many others have used it. The Love Bug sent out emails from the infected host to addresses in Microsoft Outlook's address book. The message had the subject "I Love You" and asked the recipient to open the accompanying attachment that contained the virus. People were pulled by the love message into opening the attachment, which let the virus loose on their machine. BubbleBoy exploited a feature in Microsoft Outlook that allowed it to execute code on the local host when the email was previewed. Another common feature viruses exploit is that some operating systems (such as Windows) decide what action to perform on a file (whether to execute it, open it with Microsoft Word, etc.) based on just the file's extension. Moreover, the extension is often hidden from the user and the operation is performed automatically without user intervention. The combination of unsuspecting user actions, social engineering, software bugs/idiosyncrasies along with email as the underlying transport has been very successful for viruses.

2. Internet Downloads. A very common way to get viruses on the desktop is by downloading infected files from the Internet. When the infected file is opened, it infects the local machine. This strategy is often employed by virus writers to launch their viruses by posting them on the Internet in the guise of useful programs.

3. Floppies. Before networks became widespread, floppies were the most common medium through which viruses moved from one machine to another. There are two ways in which this is done. The first way is to use floppies to move infected files between machines. The second way is to infect a floppy's boot sector so that whenever the floppy is used in a machine (for any purpose), the virus gets transferred to the machine.

4. Infect Boot Sector. A common technique viruses employ to ensure that they get activated on an infected host is to install themselves in the boot sector or partition sector of the host's disk drive. This activates the virus every time the system boots up. These viruses are significantly more difficult to remove with surety.

GUIDELINES TO PREVENT VIRUS INFECTION: As described above, viruses depend hugely on unsafe usage practices to spread fast. Curbing some of these would greatly reduce the risk of virus infection. Some guidelines for safe computer usage from the perspective of virus prevention are as follows:

1. Do not carelessly open executables or macro-supported documents downloaded from the Internet or received as email attachments. If there is any way to verify the authenticity and integrity of such files using digital signatures or cryptographic checksums, it should be done. If such techniques are not available, files should be downloaded only from reputable websites or checked with the sender of the email. Files should be passed through anti-virus software before being executed or opened.

2. If possible, support for macros or similar scripting ability in documents should be disabled. In


particular, macro support in Microsoft Office software such as Microsoft Word and Microsoft Excel should be turned off unless absolutely required.

3. Do not allow operating systems to hide file extensions from the user or make security-critical decisions (such as opening a file received as an email attachment) on their own.

4. Be extremely careful when booting systems from floppies. Floppies should not be carelessly left in drives since many systems have their BIOS configured to first try to boot from floppy. If it is necessary to use a floppy to boot a system, it should be thoroughly checked to be clean of viruses. The boot-from-floppy option in the BIOS should be disabled.

5. Most viruses are operating system specific. Thus, having a heterogeneous computing environment greatly helps in ensuring that not all machines get infected or compromised at the same time.

ANTI-VIRUS SOFTWARE: Anti-virus software has become more and more important over the last few years and has become a necessity on the more vulnerable operating systems. Even though users can adopt safe usage practices such as the ones mentioned above, viruses still get through. Over 50,000 viruses were known in 2000 and new ones get written every day. Keeping track of all viruses and protecting a Windows desktop against them is not possible without anti-virus software. Unfortunately, it is impossible to build software that is always able to correctly determine whether a file is virus-infected or not [3]. However, anti-virus software is definitely a potent and effective weapon against all known viruses and, to some extent, against new viruses too.

Many anti-virus software packages are available today in the market. The basic detection technique involves matching patterns in files against a virus "signature" database. A virus signature is a code pattern that represents the virus and can identify it. This technique is successful only against known viruses whose signature is available. The most important thing with a virus signature database is to continuously update it with new virus signatures. It is safe to say that an anti-virus software is only as good as its signature database. Therefore, anti-virus software companies include update mechanisms in their software.

To detect new viruses, some virus checkers employ heuristics. Heuristics can be put into two cat-

for malicious patterns. They use this information to decide whether the file contains a virus. Dynamic heuristics set up a controlled virtual environment where the suspect program is run and its behavior monitored. Based on the observations, the heuristic determines whether or not the file is infected. As both the static and dynamic schemes are heuristics, they are not always correct. The exact details of the scheme determine the trade-offs between the false positive and false negative rates as well as efficiency. In general, though, static schemes have the advantage of being fast whereas dynamic schemes provide a lower false positive rate. Dynamic schemes are often susceptible to the logic and whims of viruses affecting their false negative rate. Some other heuristics use cryptographic checksums to detect viruses.

THE LATEST IN VIRUSES: Unfortunately for the security community, viruses are getting sophisticated and harder to detect. Polymorphic viruses and encrypted viruses are two of the latest viruses aimed at making detection harder. Polymorphic viruses change themselves (i.e., change the code) every now and then, allowing only a small detection window. Encrypted viruses encrypt the virus code so that it does not match any regular patterns. The encryption key can also be changed, and this results in a polymorphic encrypted virus. Not only are viruses getting harder to detect, but they are also getting faster in spreading, some techniques for which are discussed in [10].

WHERE TO LEARN MORE ABOUT VIRUSES: Viruses are a vast area of study and involve a lot of low-level detail that cannot be included here. Some of the earliest ground-laying academic work on viruses is presented in [1,3,4,7]. Duff [6] presents a simple virus on the UNIX operating system, and helps in demystifying the process of writing viruses. Most security books devote a chapter or a few sections to viruses. In particular, [5] is a good reference.

The CERT Coordination Center [2] is an excellent reference for practical details about viruses. It keeps an up-to-date list of viruses describing their symptoms, operating systems affected, safeguards, etc.

Some good on-line sources for reference are viruslist.com [12] and the websites of two major anti-virus software providers: McAfee [8, 9] and Symantec [11]. VXHavens [13] contains virus code and material on how to write a virus.
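The two defensive checks the entry points at, a cryptographic-checksum baseline (guideline 1 and the checksum heuristics above) and a static heuristic for the block-slack attachment described under "Infection of files", as an added Python example that is not part of the entry. It assumes a toy executable format (an 8-byte header holding the starting address pointer and the program length, followed by the program body) and the 512-byte block size of the entry's 998-byte example; real formats carry the same fields in their own headers.

```python
# Added example, not from the encyclopedia entry. The 8-byte header format is an
# assumption made for illustration; the checks are the ones a defender would port
# to a real executable format. Block size follows the entry's example.
import hashlib
import struct

BLOCK = 512                      # disk block size assumed in the entry's example
HEADER = struct.Struct("<II")    # toy header: (starting address pointer, program length)

def checksum(data: bytes) -> str:
    """Cryptographic checksum used to detect any later modification of a file."""
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """files maps a name to its content. The returned name -> checksum map is the
    baseline; in practice it is kept on read-only media, away from the checked host."""
    return {name: checksum(data) for name, data in files.items()}

def changed_files(files: dict, baseline: dict) -> list:
    """Names whose current checksum differs from (or is missing in) the baseline."""
    return sorted(name for name, data in files.items()
                  if checksum(data) != baseline.get(name))

def slack_anomalies(image: bytes) -> list:
    """Static heuristic for the toy format: a starting address pointer outside the
    program body, or non-zero bytes in the unused tail of the last block, are the
    two traces left by the attachment technique the entry describes."""
    start, length = HEADER.unpack_from(image)
    body_end = HEADER.size + length
    findings = []
    if not HEADER.size <= start < body_end:
        findings.append("start pointer outside program body")
    if any(image[body_end:]):
        findings.append("non-zero bytes in block slack")
    return findings

def make_image(code: bytes, start: int = HEADER.size) -> bytes:
    """Constructed clean sample: header + code, zero-padded to whole blocks, as the
    operating system leaves it on disk."""
    raw = HEADER.pack(start, len(code)) + code
    return raw + b"\0" * ((-len(raw)) % BLOCK)

if __name__ == "__main__":
    clean = make_image(b"\x90" * 990)          # 998 bytes used, 26 bytes of slack
    baseline = build_baseline({"prog.bin": clean})
    print(slack_anomalies(clean), changed_files({"prog.bin": clean}, baseline))  # [] []
```

The baseline only helps if it is computed on a known-clean file and stored where the checked host cannot rewrite it.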
