A quick guide to computer viruses - what they are, how they work and the potential consequences of a virus entering and infecting your computer.
What Is A Computer Virus?
A computer virus is a program designed to infect a computer, and replicate or copy itself by using a machine's resources without the owner's knowledge and/or permission.
A computer virus is rather like a human virus in that it does not have the ability to replicate, or copy itself, on its own; for that, it needs a computer to read its code and duplicate it. The most common way a virus does this is by attaching itself like a parasite onto another computer program, known as the host program.
Once the virus has inserted itself into its target program, the computer is infected. Every time the host program is executed, the virus also runs and 'hijacks' the computer, forcing it to create a copy of the virus.
Each time a virus replicates, the newly created copy it makes becomes attached to another program in turn, and these copies also replicate themselves when their host programs are run. Very soon, if the programs are run enough times, the computer becomes literally overrun with copies of the virus.
A virus may also include a payload, or specific actions it performs on the computer that are usually malicious and damaging. The total effect a virus has on a computer system can be devastating.
How A Virus Arrives On A Computer
Before a virus can infect a computer, it must first get onto the computer. For that, we need to consider transmission vectors. A transmission vector, or vector, is a way for a virus (or any other malicious program) to get onto the computer.
There are many possible vectors, such as:
• Removable media (CDs, USB thumb drives, floppy disks)
• The Internet (e-mails, malicious websites, downloads, etc)
• A network (shared folders on a local network, public networks, etc)
The attacker who wrote the virus needs to work out a way to either surreptitiously slip the virus onto the system or to trick the user into bringing the virus in themselves. There are many ways an attacker can do this:
• Find an unprotected computer system and slip the virus in undetected
• Find a vulnerability in a protected computer system and exploit it to slip the virus in undetected
• Trick the user into believing a malicious file is something desirable
From Arrival To Infection
Usually, even after a virus has arrived on a computer system, it still has to insert its viral code into a targeted file before the computer is considered infected. A computer system may have a virus present and still be unaffected if the virus has not successfully installed.
Obviously, most people wouldn't deliberately install a program they know is dangerous. The attacker who wrote the virus needs to work out a way to either silently install the virus onto the system without the user's knowledge, or to trick the user into installing the virus themselves.
There are literally dozens of ways to do this, though often even the simplest methods are surprisingly successful. For example, an attacker can deliver a virus to a computer as a disguised e-mail file attachment. They can then use one of two ways to get the virus installed on the computer:
• Engineer the e-mail or the virus to take advantage of a vulnerability and install the malware automatically, without needing the user to do anything.
• Use a tantalizing e-mail message to tempt the user into double-clicking the attachment and running the virus, thus unwittingly installing malware on their own machine.
The second infection method is by far the most common, simply because it's so effective. It's also easier for the attacker as it requires less programming skill.
How A Virus Infects The Computer
The exact mechanics of how the virus installs itself on the computer vary depending on what target it is designed to infect. Viruses can infect a variety of objects on a computer system. The objects most often targeted by viruses are:
Viruses most commonly attack the system or data files stored on a computer by inserting their own viral code into the program code stored in the files. Once inserted, the malicious code basically 'hijacks' the operating system and subverts its usual behavior, forcing the computer to follow instructions from the virus. A virus that attacks the files on a computer is referred to as a file virus or file infector virus.
Other viruses target macros, which are essentially routines or sets of instructions used by programs to perform certain automated tasks. Macros are commonly included in programs such as word processors for the user's convenience; scripts, which are also often targeted, are the roughly analogous version of a macro, but are usually found in an executable file and are often application-specific. Obviously, viruses that target these objects are known as macro or script viruses.
Master Boot Record
The computer's Master Boot Record (MBR) is a critical area that stores the instructions telling the operating system how to start itself. The MBR is the preferred target of the boot sector virus, which also infects the boot sector on floppy disks.
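A defensive check for the boot-sector case described above, as an added example that is not part of the original guide: it parses a 512-byte MBR, confirms the 0x55AA signature, lists the partition entries and compares a hash of the boot code against a recorded known-good value. The sample sector, the function names and the placeholder boot code are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap code area; partition table starts here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS skipped, type, CHS skipped, LBA start, size

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, used partition slots and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for slot in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, BOOT_CODE_LEN + 16 * slot)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"slot": slot, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}

def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: placeholder boot code plus one bootable type-0x07 partition."""
    table = ENTRY.pack(0x80, 0x07, 2048, 409600) + bytes(48)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE

if __name__ == "__main__":
    clean = build_sample_mbr(b"CONSTRUCTED-LOADER-A")    # placeholder bytes, not real boot code
    changed = build_sample_mbr(b"CONSTRUCTED-LOADER-B")  # same layout, different boot code
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print(parse_mbr(clean)["partitions"])
    print(check_against_baseline(clean, baseline))
    print(check_against_baseline(changed, baseline))
```

On a real machine the sector would be read from the raw disk device with administrator rights, and the baseline hash recorded while the system is known to be clean.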
Typically, each virus will only infect one type of target - though some security analysts believe that future viruses will be capable of affecting more than one type of target.
What a Virus Does
Once a virus has successfully infected its target, the computer system is basically under the control of the malware author. Depending on their imagination and programming skills, a malware author can direct the infected computer system to do almost anything.
Some of the actions viruses are capable of include:
- File operations such as editing, creating and deleting files
- System operations such as running, installing or killing programs or processes
- Physical actions such as opening the CD tray, switching off the monitor, etc
- Transferring data or files to other computers (remotely or over a network)
The actions the virus performs (or rather, forces the computer system to perform) and the files or programs it drops on the infected system are collectively referred to as the virus' payload.
More Sophisticated Threats
Most of the early viruses were relatively harmless, if rather annoying. Written mostly by amateurs looking for fame and bragging rights, they would do things like displaying inappropriate images or inserting strange text strings or even poems into documents.
These early viruses were generally considered more pranks than threats, as they did not intentionally perform malicious actions, such as destroying files or data. Nowadays, these file, macro, script and boot sector viruses are sometimes collectively referred to as classic viruses.
In recent years however, as operating systems and programs have become more sophisticated, malware authors have shifted to creating increasingly complex viruses. These newer creations have a much greater range of capabilities. For example, they can attack multiple targets; they can be delivered through multiple vectors; and their payloads are almost always more damaging.
Below are just a few examples of the new, complex viruses malware authors are now producing:
Many of these new threats have characteristics not only of viruses but also of Trojans or Worms. For example, a virus might not only replicate itself whenever a host program is launched, but may distribute its copies over local networks, disguise its copies and so on. These chimeric malicious programs are known as blended threats.
Another interesting variation on the standard virus is the polymorphic virus. As its name suggests, this malicious program is capable of morphing, or changing its own code, to make it more difficult for security programs to detect it. To make the code changes, most polymorphic viruses are encrypted by a polymorphic engine, or a section of code or mini program that enables the code-shifting functionality.
A similar type of virus is the metamorphic virus, which is also able to make code changes. A metamorphic virus would essentially change its code so that though all the actions remain the same, the actual code differs from iteration to iteration.
Viruses in the Future
Back in the '90s, viruses were the predominant threat in computer security. As a threat class, they have since been largely eclipsed by worms and trojans, which have gained greater prominence in the media as more people have "gone online".
Despite this, viruses have continued to evolve, as malware authors refine their code and add new features or routines to their malicious products. For example, some of today's viruses share many of the characteristics of worms or trojans, making them much more difficult to detect and remove from an infected system. Many others now take advantage of vulnerabilities or loopholes that simply did not exist a few years ago. It is clear that malware authors are still actively producing viruses, to the detriment of the average user.
This is especially relevant as millions more new users become connected to the Internet every year, many of whom eventually rely on Internet-based services - searching, researching, banking, data storage, e-mail and so on - to enrich and simplify their lives. This growing pool of users is an attractive target to malware authors, who are now more akin to organized criminals than the amateur enthusiasts of yesteryear.
The viruses produced by these malware authors are now designed for far more malicious - and financially profitable - activities, such as stealing credit card details, banking account details, personal information and so on. Fraud, identity theft, data loss and other significant consequences are now possible side effects of being infected - and this trend towards ever more damaging malware looks set to continue into the near future.